[Bug 1287222] Re: openssh-client 6.5 regression bug with certain servers
** Changed in: openssh (Debian) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1287222 Title: openssh-client 6.5 regression bug with certain servers To manage notifications about this bug go to: https://bugs.launchpad.net/openssh/+bug/1287222/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1287222] Re: openssh-client 6.5 regression bug with certain servers
This bug was fixed in the package openssh - 1:6.9p1-1

---
openssh (1:6.9p1-1) unstable; urgency=medium

  * New upstream release (http://www.openssh.com/txt/release-6.8):
    - sshd(8): UseDNS now defaults to 'no'. Configurations that match against the client host name (via sshd_config or authorized_keys) may need to re-enable it or convert to matching against addresses.
    - Add FingerprintHash option to ssh(1) and sshd(8), and equivalent command-line flags to the other tools to control algorithm used for key fingerprints. The default changes from MD5 to SHA256 and format from hex to base64. Fingerprints now have the hash algorithm prepended. An example of the new format:
        SHA256:mVPwvezndPv/ARoIadVY98vAC0g+P/5633yTC4d/wXE
      Please note that visual host keys will also be different.
    - ssh(1), sshd(8): Experimental host key rotation support. Add a protocol extension for a server to inform a client of all its available host keys after authentication has completed. The client may record the keys in known_hosts, allowing it to upgrade to better host key algorithms and a server to gracefully rotate its keys. The client side of this is controlled by a UpdateHostkeys config option (default off).
    - ssh(1): Add a ssh_config HostbasedKeyType option to control which host public key types are tried during host-based authentication.
    - ssh(1), sshd(8): Fix connection-killing host key mismatch errors when sshd offers multiple ECDSA keys of different lengths.
    - ssh(1): When host name canonicalisation is enabled, try to parse host names as addresses before looking them up for canonicalisation. Fixes bz#2074 and avoids needless DNS lookups in some cases.
    - ssh(1), ssh-keysign(8): Make ed25519 keys work for host based authentication.
    - sshd(8): SSH protocol v.1 workaround for the Meyer, et al, Bleichenbacher Side Channel Attack. Fake up a bignum key before RSA decryption.
    - sshd(8): Remember which public keys have been used for authentication and refuse to accept previously-used keys. This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ public keys.
    - sshd(8): add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted (closes: #481133). Currently defaults to all.
    - sshd(8): Don't count partial authentication success as a failure against MaxAuthTries.
    - ssh(1): Add RevokedHostKeys option for the client to allow text-file or KRL-based revocation of host keys.
    - ssh-keygen(1), sshd(8): Permit KRLs that revoke certificates by serial number or key ID without scoping to a particular CA.
    - ssh(1): Add a "Match canonical" criteria that allows ssh_config Match blocks to trigger only in the second config pass.
    - ssh(1): Add a -G option to ssh that causes it to parse its configuration and dump the result to stdout, similar to "sshd -T".
    - ssh(1): Allow Match criteria to be negated. E.g. "Match !host".
    - ssh-keyscan(1): ssh-keyscan has been made much more robust against servers that hang or violate the SSH protocol (closes: #241119).
    - ssh(1), ssh-keygen(1): Fix regression bz#2306: Key path names were being lost as comment fields (closes: #787776).
    - ssh(1): Allow ssh_config Port options set in the second config parse phase to be applied (they were being ignored; closes: #774369).
    - ssh(1): Tweak config re-parsing with host canonicalisation - make the second pass through the config files always run when host name canonicalisation is enabled (and not whenever the host name changes)
    - ssh(1): Fix passing of wildcard forward bind addresses when connection multiplexing is in use.
    - ssh-keygen(1): Fix broken private key conversion from non-OpenSSH formats.
    - ssh-keygen(1): Fix KRL generation bug when multiple CAs are in use.
  * New upstream release (http://www.openssh.com/txt/release-6.9):
    - CVE-2015-5352: ssh(1): When forwarding X11 connections with ForwardX11Trusted=no, connections made after ForwardX11Timeout expired could be permitted and no longer subject to XSECURITY restrictions because of an ineffective timeout check in ssh(1) coupled with "fail open" behaviour in the X11 server when clients attempted connections with expired credentials (closes: #790798). This problem was reported by Jann Horn.
    - SECURITY: ssh-agent(1): Fix weakness of agent locking (ssh-add -x) to password guessing by implementing an increasing failure delay, storing a salted hash of the password rather than the password itself and using a timing-safe comparison function for verifying unlock attempts. This problem was reported
[Bug 1287222] Re: openssh-client 6.5 regression bug with certain servers
This was fixed upstream according to the changelog.

http://www.openssh.com/txt/release-6.9:

 * ssh(1), sshd(8): cap DH-GEX group size at 4Kbits for Cisco implementations as some would fail when attempting to use group sizes >4K; bz#2209

HTH,
Simon

** Bug watch added: OpenSSH Portable Bugzilla #2209
   https://bugzilla.mindrot.org/show_bug.cgi?id=2209

** Also affects: openssh via
   https://bugzilla.mindrot.org/show_bug.cgi?id=2209
   Importance: Unknown
   Status: Unknown
[Bug 1287222] Re: openssh-client 6.5 regression bug with certain servers
Looks like there's a patch for openssh available in the RH bug which detects broken server implementations and sends options that they can accept (by matching "Cisco-*" in the banner).

We probably don't want to have to maintain this patch in Ubuntu indefinitely though. But we could cherry-pick it if upstream commit the patch. Is there a bug filed with openssh upstream?

** Tags added: needs-upstream-report
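The banner-based cap discussed in this thread (recognise "Cisco-*" in the server identification string and keep the DH group-exchange request at or below 4 Kbits), sketched as an added example. It is not OpenSSH's code or the Red Hat patch; the default sizes and the sample banners are constructed assumptions.

```python
import fnmatch
import struct

SSH_MSG_KEX_DH_GEX_REQUEST = 34   # message number from RFC 4419
CAPPED_MAX_BITS = 4096            # the "4Kbits" cap named in the 6.9 release note
LIMITED_BANNERS = ("Cisco-*",)    # banner pattern quoted in the thread

# Assumed client defaults, for illustration only (not taken from the thread).
DEFAULT_MIN, DEFAULT_PREFERRED, DEFAULT_MAX = 2048, 8192, 8192


def software_version(ident_line):
    """Extract softwareversion from an RFC 4253 identification string
    of the form SSH-protoversion-softwareversion[ SP comments] CR LF."""
    text = ident_line.rstrip(b"\r\n").decode("ascii", errors="replace")
    parts = text.split(" ", 1)[0].split("-", 2)   # drop optional comments
    if len(parts) != 3 or parts[0] != "SSH" or parts[1] not in ("2.0", "1.99"):
        raise ValueError("not an SSH-2 identification string: %r" % text)
    return parts[2]


def gex_sizes(ident_line):
    """Return (min, preferred, max) group sizes in bits to request from this peer."""
    version = software_version(ident_line)
    lo, n, hi = DEFAULT_MIN, DEFAULT_PREFERRED, DEFAULT_MAX
    if any(fnmatch.fnmatchcase(version, pat) for pat in LIMITED_BANNERS):
        hi = min(hi, CAPPED_MAX_BITS)   # never offer more than the peer handles
        n = min(n, hi)                  # preferred size must stay within max
    return lo, n, hi


def gex_request_payload(ident_line):
    """Encode SSH_MSG_KEX_DH_GEX_REQUEST: byte type, then uint32 min, n, max."""
    return struct.pack(">BIII", SSH_MSG_KEX_DH_GEX_REQUEST, *gex_sizes(ident_line))


if __name__ == "__main__":
    # Constructed sample banners, not captured from real devices.
    for banner in (b"SSH-2.0-Cisco-1.25\r\n",
                   b"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2\r\n"):
        print(software_version(banner), gex_sizes(banner),
              gex_request_payload(banner).hex())
```

Forcing a fixed-group method such as diffie-hellman-group14-sha1, as one reporter in the thread did, sidesteps the group-exchange request entirely.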
[Bug 1287222] Re: openssh-client 6.5 regression bug with certain servers
The workaround is fine, but if you want a more detailed description of the underlying issues (there is more than one) see the Red Hat bug: https://bugzilla.redhat.com/show_bug.cgi?id=1026430
[Bug 1287222] Re: openssh-client 6.5 regression bug with certain servers
** Changed in: openssh (Debian)
   Status: Unknown => New
[Bug 1287222] Re: openssh-client 6.5 regression bug with certain servers
Last Modified: Jul 31,2014
Status: Fixed
Severity: 3 Moderate
Product: Cisco IOS
Support Cases: 2
Known Affected Releases: (1)
  n/a
Known Fixed Releases: (6)
  15.5(0.6)T
  15.4(1)T1.3
  15.3(3)S3.4
  15.5(0.12)S
  15.1(2)SY3.8
  15.4(1)T2
[Bug 1287222] Re: openssh-client 6.5 regression bug with certain servers
Bug was fixed: https://tools.cisco.com/bugsearch/bug/CSCuo76464 (sorry, you need a Cisco account).

So, I think that this is not a bug, but a configuration incompatibility. Simple explanation: OpenSSH requires more security and the external ssh server is not using this level of security.
[Bug 1287222] Re: openssh-client 6.5 regression bug with certain servers
** Bug watch added: Debian Bug tracker #740307
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740307

** Also affects: openssh (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740307
   Importance: Unknown
   Status: Unknown

** Also affects: openssh (Fedora) via
   https://bugzilla.redhat.com/show_bug.cgi?id=1026430
   Importance: Unknown
   Status: Unknown
[Bug 1287222] Re: openssh-client 6.5 regression bug with certain servers
I've filed the bug CSCuo76464 to get this fixed on the cisco side.
[Bug 1287222] Re: openssh-client 6.5 regression bug with certain servers
I also hit this connecting to Cisco. Log from Cisco:

    SSH2 0: Invalid modulus length

For me

    ssh -o KexAlgorithms=diffie-hellman-group14-sha1 x.x.x.x

works fine. It does not affect all Cisco; mainly old ones are not affected.
[Bug 1287222] Re: openssh-client 6.5 regression bug with certain servers
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
    HostKeyAlgorithms ssh-rsa,ssh-dss
    KexAlgorithms diffie-hellman-group1-sha1
    MACs hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160

in /etc/ssh/ssh_config resolves the issue. I would say this is not a bug.
[Bug 1287222] Re: openssh-client 6.5 regression bug with certain servers
** Tags added: trusty

** Tags removed: trusty
** Tags added: regression-release

** Tags added: trusty
[Bug 1287222] Re: openssh-client 6.5 regression bug with certain servers
That workaround did not work for all the devices in my network, sadly.
[Bug 1287222] Re: openssh-client 6.5 regression bug with certain servers
I'm finding this with my cisco routers/switches. Everything else seems to work. Also this bug seems related: https://bugzilla.redhat.com/show_bug.cgi?id=1026430

** Bug watch added: Red Hat Bugzilla #1026430
   https://bugzilla.redhat.com/show_bug.cgi?id=1026430
[Bug 1287222] Re: openssh-client 6.5 regression bug with certain servers
Also the workaround suggested in that thread:

    ssh -o HostKeyAlgorithms=ssh-rsa,ssh-dss -o KexAlgorithms=diffie-hellman-group1-sha1 -o Ciphers=aes128-cbc,3des-cbc -o MACs=hmac-md5,hmac-sha1

allows me to connect.
[Bug 1287222] Re: openssh-client 6.5 regression bug with certain servers
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: openssh (Ubuntu)
   Status: New => Confirmed