This bug was fixed in the package openssh - 1:7.4p1-6
---------------
openssh (1:7.4p1-6) unstable; urgency=medium
* Remove temporary file on exit from postinst (closes: #850275).
* Remove LOGIN_PROGRAM and LOGIN_NO_ENDOPT definitions, since UseLogin is
gone.
* Document sshd_config changes that may be needed following the removal of
protocol 1 support from sshd (closes: #851573).
* Remove ssh_host_dsa_key from HostKey default (closes: #850614).
* Fix rekeying failure with GSSAPI key exchange (thanks, Harald Barth;
closes: #819361, LP: #1608965).
-- Colin Watson <[email protected]> Mon, 16 Jan 2017 15:11:10 +0000
** Changed in: openssh (Ubuntu)
Status: Triaged => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1608965
Title:
ssh GSSAPI rekey failure
Status in openssh package in Ubuntu:
Fix Released
Status in openssh source package in Xenial:
Triaged
Status in openssh source package in Yakkety:
Triaged
Bug description:
If I have ssh set up using GSSAPI with rekeying enabled, then the
connection fails on rekey, and tries to do host-based verification
'mid-session'.
Steps to reproduce:
$ ssh -vvv server.example.com
<snip...>
debug1: Authenticating to ssh.example.com:22 as 'user'
<snip...>
debug2: local client KEXINIT proposal
debug2: KEX algorithms:
gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group14-sha1-A/vxljAEU54gt9a48EiANQ==,gss-gex-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group1-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group14-sha1-bontcUwnM6aGfWCP21alxQ==,gss-gex-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group1-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group14-sha1-eipGX3TCiQSrx573bT1o1Q==,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,ext-info-c
<snip...>
debug2: peer server KEXINIT proposal
debug2: KEX algorithms:
gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
<snip...>
Last login: Tue Aug 02 10:47:20 2016 from foo
# Then do 'kinit' on the client to get a new ticket...
debug1: need rekeying
debug1: SSH2_MSG_KEXINIT sent
debug1: rekeying in progress
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms:
[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
debug2: host key algorithms:
[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,null
[...]
debug2: peer server KEXINIT proposal
debug2: KEX algorithms:
gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
[...]
debug1: kex: algorithm: [email protected]
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC:
<implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC:
<implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: rekeying in progress
debug1: rekeying in progress
debug1: Server host key: ecdsa-sha2-nistp256
SHA256:w7yxbCZNBX4d5EAgmCrFYa3XUpDjvWiDOw4/YOY9q8E
The authenticity of host 'server.example.com (10.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:w7yxbCZNBX4d5EAgmCrFYa3XUpDjvWiDOw4/YOY9q8E.
Are you sure you want to continue connecting (yes/no)?
Host key verification failed.
It looks like the list of KEX algorithms differs between the initial
connection, and the rekeying.
This behaviour seems to occur with a client running 16.04 (openssh-
client 1:7.2p2-4ubuntu1) but not on 15.10 (openssh-client
1:6.9p1-2ubuntu0.2).
ssh_config is as follows:
HashKnownHosts no
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
GSSAPIRenewalForcesRekey yes
GSSAPITrustDNS yes
GSSAPIKeyExchange yes
ForwardX11 yes
ForwardX11Trusted yes
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1608965/+subscriptions
_______________________________________________
Mailing list: https://launchpad.net/~group.of.nepali.translators
Post to : [email protected]
Unsubscribe : https://launchpad.net/~group.of.nepali.translators
More help : https://help.launchpad.net/ListHelp
