Subject: Re: bin/35965 (SSHD doesn't work under protocol 1)
To: None <jnemeth@NetBSD.org, gnats-admin@netbsd.org,>
From: Kazushi (Jam) Marukawa <jam@pobox.com>
List: netbsd-bugs
Date: 03/10/2007 16:30:02
The following reply was made to PR bin/35965; it has been noted by GNATS.
From: Kazushi (Jam) Marukawa <jam@pobox.com>
To: Ben Harris <bjh21@NetBSD.org>, gnats-bugs@NetBSD.org
Cc: netbsd-bugs@NetBSD.org, jnemeth@NetBSD.org
Subject: Re: bin/35965 (SSHD doesn't work under protocol 1)
Date: Sun, 11 Mar 2007 01:15:23 +0900
On Mar 10, 20:14, Kazushi (Jam) Marukawa wrote:
> Subject: Re: bin/35965 (SSHD doesn't work under protocol 1)
> On Mar 10, 10:40, Ben Harris wrote:
> > Subject: bin/35965 (SSHD doesn't work under protocol 1)
> > Given the messages about "set keylen", I suspect (but haven't checked)
> > that this is a manifestation of a bug in OpenSSL 0.9.8e, which breaks
> > certain ciphers in OpenSSH <= 4.5p1. See
> > <http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/
> > ssh2-aesctr-openssh.html> and
> > <http://bugzilla.mindrot.org/show_bug.cgi?id=1291>.
>
> Not sure about this. Maybe this is the reason of my
> problem.
>
> How can I retrieve the version number of ssh from NetBSD's
> /usr/src stuff? Thanks.
Ok. This is the reason of my problem. Many thanks.
EVP_CIPHER_CTX_key_length function was coded wrongly as
described in the web page Ben showed.
http://bugzilla.mindrot.org/show_bug.cgi?id=1291
I hand modified function as described in comment #4 in that
page. New sshd with modified openssl worked fine.
Protocol 1 is not secure enough like John described.
However, it is still used by users. It is not possible to
deny them. I need protocol 1.
How to fix (by hand):
For OpenSSL 0.9.8e only. This will be fixed in the next release.
Open /usr/src/crypto/dist/openssl/crypto/evp/evp_lib.c
Find a function named EVP_CIPHER_CTX_key_length
Modified it as follow.
int EVP_CIPHER_CTX_key_length(const EVP_CIPHER_CTX *ctx)
{
return ctx->key_len;
}
Compile userland and install it.
Regards,
-- Kazushi