[erlang-bugs] SSH library does not conform to the RFC standard
Tony Rogvall
tony@REDACTED
Fri Jul 3 22:02:40 CEST 2015
Sent from my iPad
> On 3 jul 2015, at 20:07, Adam Krupicka <krupicka.adam@REDACTED> wrote:
>
> Hi,
>
> I recently tried to play with distributed CT (Common Tests); these require the ability to open a SSH connection to the target host to start the remote nodes. It was there that I found that Erlang is unable to open a SSH connection to an up-to-date, defautly-configured OpenSSH server. The SSH Erlang library only supports a single Kex (key-exchange algorithm): diffie-hellman-group1-sha1. The RFC[1], however, specifically requests that every SSH implementation must also support the diffie-hellman-group14-sha1 algorithm. The current version of OpenSSH (OpenSSH_6.8p1, OpenSSL 1.0.2c 12 Jun 2015) in its default configuration only accepts:
> curve25519-sha256@REDACTED, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group14-sha1.
Strange, because the RFC also states that diffie-hellman-group1-sha1 MUST also be supported, in the paragraph above the one you are referring to (8.1)
I guess the SSH servers are not running in an interoperability mode?
I guess that adding kext algorithm and making the code more flexible should be an easy task.
> I've been told in #erlang on irc.freenode.net that the SSH library was probably only meant to access Erlang systems running SSH shells, however, the CT implementation depends on being able to connect to a real OpenSSH server; that is, on a correct implementation of the SSH standard.
> I thought fixing this would be just a matter of implementing the correct Kex algorithm, but upon looking at the source I saw that the current implementation of the Kex algorithms seems to be a bit of a hack[2].
>
A long time ago ...
> Can you please confirm that this is indeed a bug? I did also come across other people having what I consider to be the same issue[3].
>
It is probably not a bug, it just does not comply to the RFC 4253.
/Tony
>
> Thanks,
> A. K.
>
>
>
> [1] https://tools.ietf.org/html/rfc4253#section-8.2
> [2] https://github.com/erlang/otp/blob/74a95b3d511177a9b35c2b0272b9ca5511b6f750/lib/ssh/src/ssh_transport.erl#L367
> [3] https://stackoverflow.com/questions/31193906/cannot-connect-to-openssh-using-otp-ssh-module
> _______________________________________________
> erlang-bugs mailing list
> erlang-bugs@REDACTED
> http://erlang.org/mailman/listinfo/erlang-bugs
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-bugs/attachments/20150703/744ef9b4/attachment.htm>
More information about the erlang-bugs
mailing list