[Wireshark-bugs] [Bug 16054] Add SSH decryption support

2020-08-14 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16054

jerome.h...@planete-sciences.org changed:

   What    | Removed | Added
   CC      |         | jerome.hamm@planete-sciences.org

--- Comment #20 from jerome.h...@planete-sciences.org ---
Hi,

Thank you for your work!
But I am afraid I cannot reproduce it.
In the ssh_keylog_patch_samples.tar.gz file, the ssh_7.keys is not formatted as
explained (line starting by curve25519).
I tried building it and inserted all keys from the ssh_7_dbg file, but none was
accepted.

Could you please provide a working example?

Thank you,
J.

-- 
You are receiving this mail because:
You are watching all bug changes.
Sent via: Wireshark-bugs mailing list
Archives: https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
 mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

[Wireshark-bugs] [Bug 16054] Add SSH decryption support

2020-08-10 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16054

--- Comment #19 from Gerrit Code Review  ---
Change 38109 had a related patch set uploaded by Rasmus Jonsson:
ssh: add decryption for aes128-...@openssh.com

https://code.wireshark.org/review/38109

[Wireshark-bugs] [Bug 16054] Add SSH decryption support

2020-08-08 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16054

--- Comment #18 from Gerrit Code Review  ---
Change 37936 merged by Anders Broman:
ssh decryption: load logged keys and compute symmetric keys

https://code.wireshark.org/review/37936

[Wireshark-bugs] [Bug 16054] Add SSH decryption support

2020-07-31 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16054

--- Comment #17 from Gerrit Code Review  ---
Change 38002 had a related patch set uploaded by Rasmus Jonsson:
ssh: add dissection for Transport Layer Protocol

https://code.wireshark.org/review/38002

[Wireshark-bugs] [Bug 16054] Add SSH decryption support

2020-07-23 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16054

--- Comment #16 from Rasmus Jonsson  ---
Created attachment 17905
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=17905=edit
SSH decryption keylog patch capture & extracted keys

These files can be used to test this patch:
https://code.wireshark.org/review/#/c/37936

The capture requires the file ssh_7.keys which contains 1 line in the format
"curve25519 <64-byte hex number>".

ssh_7_dbg contains the output of a GDB session where relevant values (private &
public ephemeral keys, computed exchange hash and derived encryption keys) are
printed out from a running OpenSSH session.

[Wireshark-bugs] [Bug 16054] Add SSH decryption support

2020-04-30 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16054

--- Comment #15 from Eugene Adell  ---
(In reply to Rasmus Jonsson from comment #13)
> I (or rather, the students who were working on SSH decryption) had to change
> the OpenSSH source code to allow the enabling of the NONE cipher. 3 lines
> need to be commented.

Just an idea, you could also try working on the NONE mac. It's not implemented
in OpenSSH, but I believe it's still authorized and anyway for educational
purpose it can be a good lab. From RFC 4251:

9.3.2.  Data Integrity

   This protocol does allow the Data Integrity mechanism to be disabled.
   Implementers SHOULD be wary of exposing this feature for any purpose
   other than debugging.  Users and administrators SHOULD be explicitly
   warned anytime the "none" MAC is enabled.

[Wireshark-bugs] [Bug 16054] Add SSH decryption support

2020-04-29 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16054

--- Comment #14 from Eugene Adell  ---
(In reply to Rasmus Jonsson from comment #13)
> (In reply to Eugene Adell from comment #11)
> > Could you please also attach your capture here?
> 
> I've uploaded one.

It's interesting, thanks. I suppose it's based on the "portable" source but
unfortunately it's not going to compile easily as some files are missing
(configure for example).

[Wireshark-bugs] [Bug 16054] Add SSH decryption support

2020-04-28 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16054

--- Comment #12 from Rasmus Jonsson  ---
Created attachment 17737
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=17737=edit
SSH session capture (NONE cipher)

[Wireshark-bugs] [Bug 16054] Add SSH decryption support

2020-04-28 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16054

--- Comment #13 from Rasmus Jonsson  ---
(In reply to Eugene Adell from comment #11)
> May I ask how you enable the NONE cipher? Even by compiling OpenSSH 4.0
> which is 15 years old, it doesn't want to hear about this.

I (or rather, the students who were working on SSH decryption) had to change
the OpenSSH source code to allow the enabling of the NONE cipher. 3 lines need
to be commented.

Instructions:
https://github.com/cs5152-wireshark/documentation/wiki/OpenSSH:-NONE-Cipher

> Could you please also attach your capture here ?

I've uploaded one.

[Wireshark-bugs] [Bug 16054] Add SSH decryption support

2020-04-25 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16054

Eugene Adell  changed:

   What    | Removed | Added
   CC      |         | eugene.ad...@gmail.com

--- Comment #11 from Eugene Adell  ---
(In reply to Rasmus Jonsson from comment #6)
> 
> The dissection of SSH using the NONE cipher worked fine (apart from 1
> warning which I added on gerrit). I uploaded a capture sample to the wiki
> though I'm not able to edit the samples page.

May I ask how you enable the NONE cipher? Even by compiling OpenSSH 4.0 which
is 15 years old, it doesn't want to hear about this.

sbin/sshd -o Ciphers=none -o ListenAddress=localhost:8779 -o LogLevel=DEBUG2 -D
command-line line 0: Bad SSH2 cipher spec 'none'.

Could you please also attach your capture here?

[Wireshark-bugs] [Bug 16054] Add SSH decryption support

2020-03-19 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16054

--- Comment #10 from cen  ---
I totally forgot about the loopback adapter, thanks for the hint. Might be a
good idea to mention this use case on the SSH documentation page for drive by
readers like me.

[Wireshark-bugs] [Bug 16054] Add SSH decryption support

2020-03-18 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16054

--- Comment #9 from Peter Wu  ---
This request has come up several times over the past, but there was just no bug
tracking it. I am sure it'll progress further now given the amount of
interest for this project in GSoC2020.

Your feedback on potential use cases is very helpful, keep them coming! I have
not communicated with other SSH projects, that might happen in due time.

For the tunneling case, have you tried tapping on the loopback interface?

[Wireshark-bugs] [Bug 16054] Add SSH decryption support

2020-03-18 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16054

cen  changed:

   What    | Removed | Added
   CC      |         | cen.is.i...@gmail.com

--- Comment #8 from cen  ---
This would be very useful when you need to debug an application which normally
uses cleartext but you tunnel it through socks5 or reverse SSH. I am actually
surprised this got opened up just now in 2019/2020.

Has there been any outreach to the putty/plink project? Might be worth firing
up an email on their mailing list.

[Wireshark-bugs] [Bug 16054] Add SSH decryption support

2020-02-25 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16054

--- Comment #7 from Peter Wu  ---
The class has ended, but the patches have not been merged since there were some
open issues that have never been addressed. It is currently a proposed project
for GSoC 2020: https://wiki.wireshark.org/GSoC2020#SSH_decryption_support

Comment 4 describes a proposed future direction of implementation of this
functionality.

[Wireshark-bugs] [Bug 16054] Add SSH decryption support

2020-02-24 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16054

Rasmus Jonsson  changed:

   What    | Removed | Added
   CC      |         | was...@zom.bi

--- Comment #6 from Rasmus Jonsson  ---
(In reply to Peter Wu from comment #4)
> They are in process of finalizing their work, so expect documentation soon
> :-)

Since the CS5152 class has ended(?), is this project currently abandoned? Would
be interesting to know if they got any further with this. I've downloaded their
patches [2][3] and tried them out.

The dissection of SSH using the NONE cipher worked fine (apart from 1
warning which I added on gerrit). I uploaded a capture sample to the wiki
though I'm not able to edit the samples page.

The decryption patch compiles but is giving me segfaults. I'm debugging that
now. EDIT: It's because I'm not loading the dumped keys first.

If it's alright with you I'll work on these and submit patches on gerrit.

[Wireshark-bugs] [Bug 16054] Add SSH decryption support

2020-01-06 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16054

Dario Lombardo  changed:

   What    | Removed | Added
   CC      |         | lom...@gmail.com

[Wireshark-bugs] [Bug 16054] Add SSH decryption support

2019-12-09 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16054

--- Comment #5 from Gerrit Code Review  ---
Change 35376 had a related patch set uploaded by Tyman Sin:
SSH: Add dissection for unencrypted packets

https://code.wireshark.org/review/35376

[Wireshark-bugs] [Bug 16054] Add SSH decryption support

2019-12-09 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16054

--- Comment #4 from Peter Wu  ---
The intention was to develop a mechanism similar to the SSLKEYLOGFILE mechanism
for TLS implementations. Right now there is no implementation that writes the
ephemeral Diffie-Hellman secret (or the derived shared secret).

The group worked on extracting the derived symmetric secrets from OpenSSH. A
packet capture, key dump and instructions can be found at
https://github.com/cs5152-wireshark/documentation
They are in process of finalizing their work, so expect documentation soon :-)

As I mentioned in the review comments, use of symmetric keys (and especially
with the current limitation that only one session is supported) should be
considered a temporary solution.


Long-term, I was considering logging the base secrets from which the symmetric
keys were derived. For example, at minimum you need the data to compute the
values referenced in Section 7.2, Output from Key Exchange:
- K: shared DH secret
- H: hashed result from https://tools.ietf.org/html/rfc4253#page-23 (optional)
- session_id: same as the H from the first key exchange in this session
(optional)

The last two are optional since they can be computed from the first based on
the public information from the packet capture.

After the basic work has been done, support for rekeying (key re-exchange)
could be added: https://tools.ietf.org/html/rfc4253#section-9

In either case, some identifier is required to link the packets to the (base)
secrets. For simplicity, this could potentially be limited to "e" (the exchange
value sent by the client). More comprehensive would be a hash over V_C .. f
(the values of https://tools.ietf.org/html/rfc4253#page-23).


(In reply to Guy Harris from comment #3)
> > Or is there some *other* mechanism to get the shared secret from ssh or 
> > sshd?
> 
> Or is that the way to do it *if* OpenSSH is built with libssl?

No, libssl is not used by OpenSSH. OpenSSH uses OpenSSL only for libcrypto.
There are several ways to extract secrets, you just have to find the right
place to add a probe. It could be done with a LD_PRELOAD/debugger trick, or by
patching the source code. These are most likely implementation-specific
however. With the right skills and time it is a doable task.

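
Comment 4's proposal (log only K, optionally H and session_id, and recompute everything else from the capture) worked through as an added example; this is not code from the bug's attachments or from Wireshark's patches. It encodes the kex transcript fields as RFC 4251 strings, recomputes H in the RFC 4253 section 8 layout, and runs the section 7.2 expansion for letters A..F. K, the transcript bytes and the assumed cipher/MAC sizes (aes128-ctr with hmac-sha2-256) are constructed sample values.

```python
import hashlib
import struct

# Constructed sample values, not taken from the bug's attachments: a small
# stand-in shared secret K plus the kex transcript fields a capture would show.
SAMPLE_K = 0x0F1E2D3C4B5A69788796A5B4C3D2E1F0
SAMPLE_TRANSCRIPT = {
    "V_C": b"SSH-2.0-client_sample", "V_S": b"SSH-2.0-server_sample",
    "I_C": b"\x14" + b"\x01" * 16 + b"kexinit-client",
    "I_S": b"\x14" + b"\x02" * 16 + b"kexinit-server",
    "K_S": b"sample-host-key-blob",
    "e": bytes(range(32)),       # client's public exchange value (Q_C)
    "f": bytes(range(32, 64)),   # server's public exchange value (Q_S)
}

def ssh_string(b):
    """RFC 4251 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def ssh_mpint(n):
    """RFC 4251 'mpint': minimal big-endian magnitude, leading 0x00 if the
    high bit is set; zero encodes as the empty string."""
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)

def exchange_hash(hash_name, t, K):
    """H = HASH(V_C || V_S || I_C || I_S || K_S || e || f || K): strings for
    the transcript fields, mpint for K (RFC 4253 section 8 layout)."""
    h = hashlib.new(hash_name)
    for name in ("V_C", "V_S", "I_C", "I_S", "K_S", "e", "f"):
        h.update(ssh_string(t[name]))
    h.update(ssh_mpint(K))
    return h.digest()

def derive_key(hash_name, K, H, session_id, letter, need):
    """RFC 4253 section 7.2: K1 = HASH(K || H || X || session_id), then
    Kn = HASH(K || H || K1 || ... || K(n-1)) until 'need' bytes exist."""
    kmp = ssh_mpint(K)
    key = hashlib.new(hash_name, kmp + H + letter + session_id).digest()
    while len(key) < need:
        key += hashlib.new(hash_name, kmp + H + key).digest()
    return key[:need]

def derive_all(hash_name, K, H, session_id, key_len, iv_len, mac_len):
    """Letters A..F of section 7.2: IV, cipher key and MAC key per direction."""
    spec = {"iv_c2s": (b"A", iv_len), "iv_s2c": (b"B", iv_len),
            "key_c2s": (b"C", key_len), "key_s2c": (b"D", key_len),
            "mac_c2s": (b"E", mac_len), "mac_s2c": (b"F", mac_len)}
    return {name: derive_key(hash_name, K, H, session_id, letter, n)
            for name, (letter, n) in spec.items()}

def keys_from_logged_secret(K, transcript, hash_name="sha256"):
    """Given only a logged K, recompute H from the captured transcript, use
    session_id = H (first kex) and derive all six keys. Sizes assumed here
    are aes128-ctr (16-byte key and IV) with hmac-sha2-256 (32-byte key)."""
    H = exchange_hash(hash_name, transcript, K)
    return H, derive_all(hash_name, K, H, H, 16, 16, 32)
```

Calling keys_from_logged_secret(SAMPLE_K, SAMPLE_TRANSCRIPT) returns H and the six directional keys; a rekey would repeat this with the new K and H but keep the original session_id.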

[Wireshark-bugs] [Bug 16054] Add SSH decryption support

2019-12-08 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16054

--- Comment #3 from Guy Harris  ---
(In reply to Guy Harris from comment #2)
> (In reply to Peter Wu from comment #0)
> > Build Information:
> > Paste the COMPLETE build information from "Help->About Wireshark",
> > "wireshark -v", or "tshark -v".
> > --
> > It would be nice to see the contents of encrypted SSH packets such as
> > commands and their outputs.
> > 
> > See also:
> > https://wiki.wireshark.org/SSH
> > https://wiki.wireshark.org/OpenSourceSoftwareEngineeringFall2019
> > 
> > It would probably be best to use the Diffie-Hellman (DH) shared secret, and
> > derive the symmetric keys in Wireshark. That way, the key material provided
> > from the SSH application to Wireshark can remain quite small. Another
> > advantage is that the key log format can remain the same, independent of the
> > selected cipher.
> 
> The SSH wiki page says
> 
> > Unlike the TLS dissector, no code has been written to decrypt encrypted SSH
> > packets/payload (yet). This is also not possible unless the shared secret
> > (from the Diffie-Hellman key exchange) is extracted from the SSH server or
> > client (the "SSLKEYLOGFILE" method in TLS).
> 
> So are you saying that you can set the SSLKEYLOGFILE environment variable to
> point to a file and ssh/sshd will write the shared secret, or values from
> which the shared secret can be derived, to that file?
> 
> Or is there some *other* mechanism to get the shared secret from ssh or sshd?

Or is that the way to do it *if* OpenSSH is built with libssl?

[Wireshark-bugs] [Bug 16054] Add SSH decryption support

2019-12-08 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16054

--- Comment #2 from Guy Harris  ---
(In reply to Peter Wu from comment #0)
> Build Information:
> Paste the COMPLETE build information from "Help->About Wireshark",
> "wireshark -v", or "tshark -v".
> --
> It would be nice to see the contents of encrypted SSH packets such as
> commands and their outputs.
> 
> See also:
> https://wiki.wireshark.org/SSH
> https://wiki.wireshark.org/OpenSourceSoftwareEngineeringFall2019
> 
> It would probably be best to use the Diffie-Hellman (DH) shared secret, and
> derive the symmetric keys in Wireshark. That way, the key material provided
> from the SSH application to Wireshark can remain quite small. Another
> advantage is that the key log format can remain the same, independent of the
> selected cipher.

The SSH wiki page says

> Unlike the TLS dissector, no code has been written to decrypt encrypted SSH 
> packets/payload (yet). This is also not possible unless the shared secret 
> (from the Diffie-Hellman key exchange) is extracted from the SSH server or 
> client (the "SSLKEYLOGFILE" method in TLS).

So are you saying that you can set the SSLKEYLOGFILE environment variable to
point to a file and ssh/sshd will write the shared secret, or values from which
the shared secret can be derived, to that file?

Or is there some *other* mechanism to get the shared secret from ssh or sshd?

[Wireshark-bugs] [Bug 16054] Add SSH decryption support

2019-12-08 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16054

--- Comment #1 from Gerrit Code Review  ---
Change 35366 had a related patch set uploaded by Evan Welsh:
[WIP] Add SSH Decryption to Wireshark.

https://code.wireshark.org/review/35366
