Bug 1332082
Summary: | server host key signature fails after update to 7.2p2 | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | mathieu.lacage |
Component: | openssh | Assignee: | Jakub Jelen <jjelen> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 22 | CC: | jjelen, mattias.ellert, mgrepl, plautrba, tmraz |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | openssh-6.9p1-12.fc22 | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2016-05-20 23:52:00 UTC | Type: | Bug |
Description
mathieu.lacage
2016-05-02 07:18:01 UTC
Seems to be a similar problem to bug #1323622, related to the bump of the min DH key size in openssh-7.2p1. The hash for diffie-hellman-group-exchange-sha256 is also computed from:

    uint32 min, minimal size in bits of an acceptable group
    uint32 n, preferred size in bits of the group the server will send
    uint32 max, maximal size in bits of an acceptable group

and they are different between server and client in these versions. It seems to be a problem even with the upstream version. I will keep you informed. Other key exchange methods seem to work fine.

This is a bug only in the Fedora 22 openssh server, which handles DH group exchange in the wrong way. This patch for the server fixes the issue for me:

diff --git a/kexgexs.c b/kexgexs.c index a81fd1e..f69068c 100644 --- a/kexgexs.c +++ b/kexgexs.c @@ -81,7 +81,7 @@ input_kex_dh_gex_request(int type, u_int32_t seq, void *ctxt) (r = sshpkt_get_end(ssh)) != 0) goto out; kex->nbits = nbits; - kex->min = min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN; + kex->min = min; kex->max = max; min = MAX(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, min); max = MIN(DH_GRP_MAX, max);

I will issue updates soon.

Can you verify it with this f22 (candidate) build [1]?

[1] http://koji.fedoraproject.org/koji/taskinfo?taskID=13887985

openssh-6.9p1-12.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-e99389f35d

I can confirm that this rpm fixes the connection problem for me.

openssh-6.9p1-12.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-e99389f35d

openssh-6.9p1-12.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
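
Review bot: in the kexgexs.c hunk above, the new `kex->min = min;` line needs a comment saying that kex->min and kex->max must keep the values exactly as the client sent them, because (as the thread notes) min, n and max are inputs to the exchange hash, while the local min and max on the following two lines are the clamped copies; without that comment the next minimum-size bump can easily reintroduce the overwrite. Also, after `min = MAX(..., min)` and `max = MIN(DH_GRP_MAX, max)` the visible context shows no check that min <= nbits <= max still holds (a client max below the server floor leaves min > max), so confirm that the code following the hunk rejects that case.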
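
The hash mismatch described in this report, as an added example that is not part of the bug thread or of OpenSSH: it computes the RFC 4419 exchange hash for diffie-hellman-group-exchange-sha256 as the client sees it, as a server that overwrites min with its own floor sees it, and as a server that keeps the client's min sees it. All strings, sizes, the `server_floor` value and the toy DH group are constructed values, and `compare_hashes` is a hypothetical helper.

```python
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """RFC 4251 string: uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(value: int) -> bytes:
    """RFC 4251 mpint for non-negative integers (leading 0x00 if the high bit is set)."""
    if value == 0:
        return ssh_string(b"")
    return ssh_string(value.to_bytes(value.bit_length() // 8 + 1, "big"))

def gex_exchange_hash(v_c, v_s, i_c, i_s, k_s, gmin, n, gmax, p, g, e, f, k):
    """Exchange hash H for diffie-hellman-group-exchange-sha256 (RFC 4419)."""
    blob = b"".join(ssh_string(s) for s in (v_c, v_s, i_c, i_s, k_s))
    blob += struct.pack(">III", gmin, n, gmax)  # min, n, max from the request
    blob += b"".join(ssh_mpint(i) for i in (p, g, e, f, k))
    return hashlib.sha256(blob).digest()

def compare_hashes(client_min, n, client_max, server_floor):
    """Return (client_H, overriding_server_H, patched_server_H) for one exchange."""
    # Constructed inputs: placeholder strings and a tiny, insecure DH group.
    v_c, v_s = b"SSH-2.0-example_client", b"SSH-2.0-example_server"
    i_c, i_s, k_s = b"client-kexinit", b"server-kexinit", b"host-key-blob"
    p, g = 23, 5
    e, f = pow(g, 6, p), pow(g, 15, p)  # client and server public values
    k = pow(f, 6, p)                    # shared secret
    common = (v_c, v_s, i_c, i_s, k_s)
    tail = (p, g, e, f, k)
    client_h = gex_exchange_hash(*common, client_min, n, client_max, *tail)
    # Pre-patch behaviour: kex->min is overwritten with the server's own floor.
    overriding_h = gex_exchange_hash(*common, server_floor, n, client_max, *tail)
    # Patched behaviour: kex->min keeps the value the client sent.
    patched_h = gex_exchange_hash(*common, client_min, n, client_max, *tail)
    return client_h, overriding_h, patched_h

if __name__ == "__main__":
    # Constructed sizes; the mismatch only appears when the floor differs from the sent min.
    c, bad, good = compare_hashes(client_min=2048, n=3072, client_max=8192, server_floor=1024)
    print("overriding server matches client:", bad == c)
    print("patched server matches client:   ", good == c)
```

The server signs its own H with the host key and the client checks that signature against the H it computed itself, so any difference in min shows up as a host key signature failure rather than as a negotiation error.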