[erlang-bugs] SSH library does not conform to the RFC standard

Adam Krupicka krupicka.adam@REDACTED
Fri Jul 3 20:07:16 CEST 2015


Hi,

I recently tried to play with distributed CT (Common Tests); these require
the ability to open an SSH connection to the target host to start the remote
nodes. It was there that I found that Erlang is unable to open an SSH
connection to an up-to-date, default-configured OpenSSH server. The SSH
Erlang library only supports a single Kex (key-exchange algorithm):
diffie-hellman-group1-sha1. The RFC[1], however, specifically requests that
every SSH implementation must also support the diffie-hellman-group14-sha1
algorithm. The current version of OpenSSH (OpenSSH_6.8p1, OpenSSL 1.0.2c 12
Jun 2015) in its default configuration only accepts:
curve25519-sha256@REDACTED, ecdh-sha2-nistp256, ecdh-sha2-nistp384,
ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256,
diffie-hellman-group14-sha1.
I've been told in #erlang on irc.freenode.net that the SSH library was
probably only meant to access Erlang systems running SSH shells, however,
the CT implementation depends on being able to connect to a real OpenSSH
server; that is, on a correct implementation of the SSH standard.
I thought fixing this would be just a matter of implementing the correct
Kex algorithm, but upon looking at the source I saw that the current
implementation of the Kex algorithms seems to be a bit of a hack[2].

Can you please confirm that this is indeed a bug? I did also come across
other people having what I consider to be the same issue[3].


Thanks,
A. K.



[1] https://tools.ietf.org/html/rfc4253#section-8.2
[2] https://github.com/erlang/otp/blob/74a95b3d511177a9b35c2b0272b9ca5511b6f750/lib/ssh/src/ssh_transport.erl#L367
[3] https://stackoverflow.com/questions/31193906/cannot-connect-to-openssh-using-otp-ssh-module
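As an added illustration (not part of the message above, and not OTP's or OpenSSH's code), the following Python models the key-exchange negotiation rule of RFC 4253 section 7.1 over the two name-lists quoted in the message: the single kex the OTP ssh library offered, and the OpenSSH 6.8p1 default list. It encodes each side's list as an RFC 4251 name-list field, has each peer decode the other side's field and apply the same rule, and shows why the lists above produce no common algorithm and what adding diffie-hellman-group14-sha1 changes. Both lists are constructed from the text of the message; the "@REDACTED" suffix is kept exactly as it appears there. The REQUIRED-method check uses the methods RFC 4253 sections 8.1 and 8.2 mark REQUIRED.

```python
"""Model of SSH key-exchange algorithm negotiation (RFC 4253 section 7.1)."""
import struct
from typing import List, Optional, Sequence, Tuple

# Constructed from the message above: the single kex the OTP ssh library offered.
OTP_SSH_KEX: List[str] = ["diffie-hellman-group1-sha1"]

# Constructed from the message above: OpenSSH 6.8p1 default KexAlgorithms.
# The "@REDACTED" suffix is kept exactly as it appears in the post.
OPENSSH_68_KEX: List[str] = [
    "curve25519-sha256@REDACTED",
    "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp521",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group14-sha1",
]

# Kex methods RFC 4253 marks REQUIRED (section 8.1 and section 8.2).
RFC4253_REQUIRED_KEX: List[str] = [
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group14-sha1",
]


def encode_name_list(names: Sequence[str]) -> bytes:
    """Encode an RFC 4251 name-list: uint32 length + comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def decode_name_list(buf: bytes, offset: int = 0) -> Tuple[List[str], int]:
    """Decode a name-list at `offset`; return (names, offset past the field)."""
    if len(buf) < offset + 4:
        raise ValueError("truncated name-list length")
    (length,) = struct.unpack_from(">I", buf, offset)
    offset += 4
    data = buf[offset:offset + length]
    if len(data) != length:
        raise ValueError("truncated name-list body")
    offset += length
    if not data:
        return [], offset
    names = data.decode("ascii").split(",")
    if any(name == "" for name in names):
        raise ValueError("name-list contains an empty name")
    return names, offset


def negotiate_kex(client: Sequence[str], server: Sequence[str]) -> Optional[str]:
    """RFC 4253 7.1: the first algorithm on the client's list that the server
    also lists is chosen; None means no match and both sides must disconnect."""
    server_set = set(server)
    for name in client:
        if name in server_set:
            return name
    return None


def guess_was_correct(client: Sequence[str], server: Sequence[str]) -> bool:
    """RFC 4253 7.1: a first_kex_packet_follows guess is right only if both
    sides' preferred (first) kex algorithms are identical."""
    return bool(client) and bool(server) and client[0] == server[0]


def missing_required_kex(offered: Sequence[str]) -> List[str]:
    """Which RFC 4253 REQUIRED kex methods an implementation fails to offer."""
    return [name for name in RFC4253_REQUIRED_KEX if name not in offered]


def negotiate_from_wire(client_kexinit_field: bytes,
                        server_kexinit_field: bytes) -> Optional[str]:
    """Each peer decodes the other side's kex_algorithms name-list from the
    SSH_MSG_KEXINIT bytes and runs the same rule, so both agree on the result."""
    client_names, _ = decode_name_list(client_kexinit_field)
    server_names, _ = decode_name_list(server_kexinit_field)
    return negotiate_kex(client_names, server_names)


if __name__ == "__main__":
    client_field = encode_name_list(OTP_SSH_KEX)
    server_field = encode_name_list(OPENSSH_68_KEX)
    print("OTP vs OpenSSH 6.8 default:", negotiate_from_wire(client_field, server_field))
    fixed = OTP_SSH_KEX + ["diffie-hellman-group14-sha1"]
    print("with group14 added:", negotiate_kex(fixed, OPENSSH_68_KEX))
    print("missing REQUIRED kex in OTP list:", missing_required_kex(OTP_SSH_KEX))
```

Note that the client's order, not the server's, decides the outcome: a client listing ecdh-sha2-nistp256 ahead of curve25519 gets nistp256 even though the server prefers curve25519, so the fix on the client side is both to add the REQUIRED method and to order the list by preference.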