> Any news on handling this bug? Sorry, this is deep in the backlog and I don't expect Ubuntu developers to look into this any time soon on a volunteer basis.
I suggest that you try the latest upstream openssh release, and if it is still an issue there, then raise the bug upstream if it hasn't been reported already. If it is fixed in the latest upstream release, then if you could identify the fix then we can do something about it in Ubuntu. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1608965 Title: ssh GSSAPI rekey failure Status in openssh package in Ubuntu: Triaged Bug description: If I have ssh set up using GSSAPI with rekeying enabled, then the connection fails on rekey, and tries to do host-based verification 'mid-session'. Steps to reproduce: $ ssh -vvv server.example.com <snip...> debug1: Authenticating to ssh.example.com:22 as 'user' <snip...> debug2: local client KEXINIT proposal debug2: KEX algorithms: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group14-sha1-A/vxljAEU54gt9a48EiANQ==,gss-gex-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group1-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group14-sha1-bontcUwnM6aGfWCP21alxQ==,gss-gex-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group1-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group14-sha1-eipGX3TCiQSrx573bT1o1Q==,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,ext-info-c <snip...> debug2: peer server KEXINIT proposal debug2: KEX algorithms: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 <snip...> Last login: Tue Aug 02 10:47:20 2016 from foo # Then do 'kinit' on the client to get a new ticket... debug1: need rekeying debug1: SSH2_MSG_KEXINIT sent debug1: rekeying in progress debug1: SSH2_MSG_KEXINIT received debug2: local client KEXINIT proposal debug2: KEX algorithms: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 debug2: host key algorithms: [email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,null [...] debug2: peer server KEXINIT proposal debug2: KEX algorithms: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 [...] debug1: kex: algorithm: [email protected] debug1: kex: host key algorithm: ecdsa-sha2-nistp256 debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug1: rekeying in progress debug1: rekeying in progress debug1: Server host key: ecdsa-sha2-nistp256 SHA256:w7yxbCZNBX4d5EAgmCrFYa3XUpDjvWiDOw4/YOY9q8E The authenticity of host 'server.example.com (10.0.0.1)' can't be established. ECDSA key fingerprint is SHA256:w7yxbCZNBX4d5EAgmCrFYa3XUpDjvWiDOw4/YOY9q8E. Are you sure you want to continue connecting (yes/no)? Host key verification failed. It looks like the list of KEX algorithms differs between the initial connection, and the rekeying. This behaviour seems to occur with a client running 16.04 (openssh- client 1:7.2p2-4ubuntu1) but not on 15.10 (openssh-client 1:6.9p1-2ubuntu0.2). ssh_config is as follows: HashKnownHosts no GSSAPIAuthentication yes GSSAPIDelegateCredentials yes GSSAPIRenewalForcesRekey yes GSSAPITrustDNS yes GSSAPIKeyExchange yes ForwardX11 yes ForwardX11Trusted yes To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1608965/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : [email protected] Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
