Mailing List Archive

[Bug 3170] Sometimes sshd responds with different server signature
https://bugzilla.mindrot.org/show_bug.cgi?id=3170

Damien Miller <djm@mindrot.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |djm@mindrot.org

--- Comment #1 from Damien Miller <djm@mindrot.org> ---
This could be a problem with libcrypto's signature generation or
verification. IMO the first step would be to figure out whether it is
the client or the server that is going wrong.

Could you try a different client (e.g. openssh on Linux, or PuTTY on
Windows)? If the problem persists then it's likely the server is at
fault.

--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

--- Comment #2 from Steven C <steven@c88.org> ---
I did repeated sessions with Windows PuTTY release 7.0.

I got about the same frequency of failures with the message: "Server's
host key did not match the signature supplied."

So it sounds like the issue is with the server.


--- Comment #3 from Damien Miller <djm@mindrot.org> ---
Did you compile openssh/openssl yourself or did you use DD-WRT's
packages?

If you compiled OpenSSL yourself, then please run its self-tests and
see if they catch anything. Likewise OpenSSH ("make tests" after
building).

If you're using DD-WRT's pre-built packages then I recommend either
filing a bug on their bug tracking system or building your own
openssl/openssh so you can run the above self-tests.


--- Comment #4 from Steven C <steven@c88.org> ---
I used the pre-compiled package provided by the Entware system in
DD-WRT (https://github.com/Entware/Entware).

I will enter a bug in their system, but I fear they don't do much
except compile pre-existing applications and make them available
through the "opkg" command.


--- Comment #5 from Steven C <steven@c88.org> ---
By the way, regarding "make tests" - does that work in a cross-compile
environment?


Darren Tucker <dtucker@dtucker.net> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker@dtucker.net

--- Comment #6 from Darren Tucker <dtucker@dtucker.net> ---
(In reply to Steven C from comment #5)
> By the way, regarding "make tests" - does that work in a
> cross-compile environment?

No, the tests rely on being able to run the built executables from the
Makefiles.


--- Comment #7 from Darren Tucker <dtucker@dtucker.net> ---
(In reply to Steven C from comment #4)
> I used the pre-compiled package provided by the Entware system in
> DD-WRT (https://github.com/Entware/Entware).
>
> I will enter a bug in their system, but I fear they don't do much
> except compile pre-existing applications and make them available
> through the "opkg" command.

They apply a dozen patches to their openssl, including some to the
crypto engines:
https://github.com/Entware/Entware/tree/master/package/libs/openssl/patches,
some of which invoke /dev/crypto and based on the kernel logs from
https://openwrt.org/toh/netgear/r7800 it looks like your device has
crypto hardware, so all of libcrypto, the kernel and the hardware are
potential causes too.

I'd suggest trying the other host key types and see if the problem
occurs with all of them or only a subset.

I've also seen similar problems caused by bad RAM and buggy compilers.
There's an awful lot of variables, and if you can't change sshd you
won't be able to eliminate many of them.

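The check suggested in comment #7 (try each host key type and see which ones fail), written out as an added example that is not part of the thread or of OpenSSH. It restricts each connection to one host key algorithm and counts signature failures; `TARGET`, `ROUNDS` and `SSH_CMD` are names introduced here, and the address in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): per-host-key-type signature failure count.
# TARGET, ROUNDS and SSH_CMD are names introduced here.

# Classify one attempt from the client's combined output.
classify() {
    case "$1" in
        # OpenSSH client wording, then the PuTTY wording quoted in comment #2.
        *"incorrect signature"*|*"did not match the signature"*) echo sigfail ;;
        # Reaching authentication means the host key signature verified.
        *"Permission denied"*|*"exit=0"*) echo ok ;;
        *) echo other ;;   # refused, timeout, key type not offered, ...
    esac
}

# One key exchange restricted to a single host key algorithm. No credentials
# are offered (auth method "none") and known_hosts is left untouched.
probe() {  # probe <algorithm> <target>
    ${SSH_CMD:-ssh} -o BatchMode=yes -o PreferredAuthentications=none \
        -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
        -o ConnectTimeout=10 -o HostKeyAlgorithms="$1" "$2" true 2>&1 \
        && echo "exit=0"
}

# survey <target> <rounds>: one result line per algorithm.
survey() {
    for alg in ssh-ed25519 ecdsa-sha2-nistp256 rsa-sha2-256; do
        bad=0 ok=0 other=0 i=0
        while [ "$i" -lt "$2" ]; do
            case "$(classify "$(probe "$alg" "$1")")" in
                sigfail) bad=$((bad + 1)) ;;
                ok)      ok=$((ok + 1)) ;;
                *)       other=$((other + 1)) ;;
            esac
            i=$((i + 1))
        done
        echo "$alg sigfail=$bad ok=$ok other=$other"
    done
}

# Runs only when a target is given, e.g.:
#   TARGET=root@192.0.2.1 ROUNDS=50 sh hostkey-survey.sh
[ -z "${TARGET:-}" ] || survey "$TARGET" "${ROUNDS:-20}"
```

Compare the `sigfail` counts across the three lines to see whether all key types or only a subset are affected.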

--- Comment #8 from Darren Tucker <dtucker@dtucker.net> ---
(In reply to Darren Tucker from comment #6)
> No, the tests rely on being able to run the built executables from
> the Makefiles.

Actually, in theory if you copied the build directory in its entirety
and had the required tools (at least make, but probably others) then it
might be possible to run it on the device. I have in the past done
native builds and tests on openwrt, but it took some setting up and
it's far from an ideal platform.
