[erlang-bugs] SSH library does not conform to the RFC standard

Hans Nilsson R hans.r.nilsson@REDACTED
Tue Aug 4 14:33:30 CEST 2015


Hi,

you are right in that the group14 is not implemented in ssh-4.0 and 
neither is ecdh.

However, all this is in the backlog and diffie-hellman-group14-sha1 as 
well as diffie-hellman-group-exchange-sha1 and -sha256 are on their way out.

Group14 is implemented but has not run the tests yet, but will hopefully 
pass tonight.

Dh-group-exchange is not yet complete - there is no way for a user to 
add groups yet. It will appear on github soon.  It must so far be 
enabled explicitly by the option preferred_algorithms.

A little preview of some days in the future:

Eshell V7.0.1  (abort with ^G)
1>  Supported = ssh_transport:supported_algorithms().
[{kex,['diffie-hellman-group14-sha1',
        'diffie-hellman-group1-sha1',
        'diffie-hellman-group-exchange-sha256',
        'diffie-hellman-group-exchange-sha1']},
  {public_key,['ssh-rsa','ssh-dss']},
  {cipher,[{client2server,['aes128-ctr','aes128-cbc',
                           '3des-cbc']},
           {server2client,['aes128-ctr','aes128-cbc','3des-cbc']}]},
  {mac,[{client2server,['hmac-sha2-256','hmac-sha1']},
        {server2client,['hmac-sha2-256','hmac-sha1']}]},
  {compression,[{client2server,[none,zlib,'zlib@REDACTED']},
                {server2client,[none,zlib,'zlib@REDACTED']}]}]
2> ssh:start().
ok
3>  ssh:daemon(1234, [{preferred_algorithms,Supported}]).
{ok,<0.48.0>}
4>


See what we got in our daemon...
$ telnet localhost 1234
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-2.0-Erlang/4.0.1
SSH-2.0-
d	3��5��(%
                    ᵒ�~diffie-hellman-group14-sha1,diffie- 
hellman-group1-sha1,diffie-hellman-group-exchange- 
sha256,diffie-hellman-group-exchange-sha1
aes128-ctr,aes128- 
cbc,3des-cbc
aes128-ctr,aes128-cbc,3des-cbchmac-sha2-256,hmac- 
sha1hmac-sha2-256,hmac-sha1none,zlib,zlib@REDACTED 
none,zlib,zlib@REDACTED��꼩�А^C^CConnection closed by foreign host.
$


Ecdh is the next step.

/Hans



On 07/03/2015 08:07 PM, Adam Krupicka wrote:
> Hi,
>
> I recently tried to play with distributed CT (Common Tests); these
> require the ability to open a SSH connection to the target host to start
> the remote nodes. It was there that I found that Erlang is unable to
> open a SSH connection to an up-to-date, default-configured OpenSSH
> server. The SSH Erlang library only supports a single Kex (key-exchange
> algorithm): diffie-hellman-group1-sha1. The RFC[1], however,
> specifically requests that every SSH implementation must also support
> the diffie-hellman-group14-sha1 algorithm. The current version of
> OpenSSH (OpenSSH_6.8p1, OpenSSL 1.0.2c 12 Jun 2015) in its default
> configuration only accepts:
> curve25519-sha256@REDACTED,
> ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521,
> diffie-hellman-group-exchange-sha256, diffie-hellman-group14-sha1.
> I've been told in #erlang on irc.freenode.net
> that the SSH library was probably only meant to access Erlang systems
> running SSH shells, however, the CT implementation depends on being able
> to connect to a real OpenSSH server; that is, on a correct
> implementation of the SSH standard.
> I thought fixing this would be just a matter of implementing the correct
> Kex algorithm, but upon looking at the source I saw that the current
> implementation of the Kex algorithms seems to be a bit of a hack[2].
>
> Can you please confirm that this is indeed a bug? I did also come across
> other people having what I consider to be the same issue[3].
>
>
> Thanks,
> A. K.
>
>
>
> [1] https://tools.ietf.org/html/rfc4253#section-8.2
> [2]
> https://github.com/erlang/otp/blob/74a95b3d511177a9b35c2b0272b9ca5511b6f750/lib/ssh/src/ssh_transport.erl#L367
> [3]
> https://stackoverflow.com/questions/31193906/cannot-connect-to-openssh-using-otp-ssh-module
>
>
>
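
The telnet capture above is a raw SSH_MSG_KEXINIT packet, which is why it prints as binary debris around the algorithm names. As an added example (not part of the original thread and not code from Erlang/OTP), the following Python sketch decodes such a packet per RFC 4253 section 7.1 and applies the kex selection rule with Erlang as client and OpenSSH as server, as in the report. The function names are hypothetical, and the packets are constructed from the algorithm lists quoted in this thread.

```python
import struct

SSH_MSG_KEXINIT = 20
# Name-list fields in wire order (RFC 4253, section 7.1).
FIELDS = ("kex", "host_key", "cipher_c2s", "cipher_s2c", "mac_c2s",
          "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
REQUIRED_KEX = "diffie-hellman-group14-sha1"  # REQUIRED by RFC 4253, section 8.2

def build_kexinit(lists):
    """Frame an unencrypted KEXINIT packet (used here to construct test input)."""
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(range(16))  # type + fixed cookie
    for name in FIELDS:
        body = ",".join(lists.get(name, [])).encode("ascii")
        payload += struct.pack(">I", len(body)) + body
    payload += b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved
    pad = 4 + (-(len(payload) + 9)) % 8  # >= 4 bytes, total a multiple of 8
    return struct.pack(">IB", len(payload) + pad + 1, pad) + payload + bytes(pad)

def parse_kexinit(packet):
    """Decode the ten name-lists; raise ValueError on malformed input."""
    if len(packet) < 5:
        raise ValueError("short packet")
    length, pad = struct.unpack(">IB", packet[:5])
    if length + 4 > len(packet) or pad + 1 > length:
        raise ValueError("bad packet or padding length")
    payload = packet[5:4 + length - pad]
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos, out = 17, {}  # skip message type and 16-byte cookie
    for name in FIELDS:
        n = int.from_bytes(payload[pos:pos + 4], "big")
        if pos + 4 + n > len(payload):  # also catches a truncated length field
            raise ValueError("name-list overruns payload")
        text = payload[pos + 4:pos + 4 + n].decode("ascii")
        out[name] = text.split(",") if text else []
        pos += 4 + n
    return out

def negotiate_kex(client_kex, server_kex):
    """Pick the first client algorithm the server also lists (RFC 4253, 7.1)."""
    return next((a for a in client_kex if a in server_kex), None)

# Constructed inputs from the lists quoted in this thread (redacted curve25519 name omitted).
SSH_4_0 = {"kex": ["diffie-hellman-group1-sha1"]}
PREVIEW = {"kex": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1",
                   "diffie-hellman-group-exchange-sha256",
                   "diffie-hellman-group-exchange-sha1"]}
OPENSSH_6_8 = ["ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
               "diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha1"]
```

With the ssh-4.0 list there is no common kex algorithm, so negotiation returns `None`; with the preview list it settles on `diffie-hellman-group14-sha1`.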
