Description of problem:
OpenSSH in Fedora requires DH 8192 for AES 256 but proftpd does not ship an 8192-bit Diffie-Hellman parameter. Therefore it is impossible to use mod_sftp with Fedora with AES 256. Also there is only a not very helpful error message.

Version-Release number of selected component (if applicable):
1.3.3g-3.el5

How reproducible:
always

Steps to Reproduce:
1. Set up proftpd with sftp support and use aes-256-ctr as the only cipher
2. Try to connect with sftp from Fedora

Actual results:
- local sftp shows an application error
- mod_sftp logs message format error: unable to write 1025 bytes of mpint (buflen = 1023)

Expected results:
should work as expected

Additional info:
/etc/dhparams.pem does not contain 8192 bit parameters, which are required according to a peek at the openssh source code. This might be broken in Fedora as well.
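To make the size arithmetic behind the report concrete, here is an added example in Python; it is not code from this bug report, from proftpd or from OpenSSH. It encodes integers as SSH mpints (RFC 4251, section 5) to show why an 8192-bit modulus needs 1025 payload bytes (1024 bytes plus a leading zero because the top bit is set), which is exactly the "unable to write 1025 bytes of mpint (buflen = 1023)" figure above, and it lists the group sizes in a dhparams.pem so an administrator can check whether a group of the size the client asks for is present before blaming the client. The `openssh_dh_estimate()` table is my reading of the `dh_estimate()` function in OpenSSH's dh.c and is an assumption to verify against the installed version; the sample PEM is built from constructed numbers that are not real DH groups, only values with the right bit lengths.

```python
"""Size checks for SSH DH group exchange and mod_sftp's dhparams.pem.

Added example, not part of the bug report or of proftpd/OpenSSH.
"""
import base64
import re


def ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (RFC 4251 s.5):
    4-byte big-endian length, then big-endian two's-complement magnitude,
    with a leading 0x00 byte when the top bit of the first byte is set."""
    if n < 0:
        raise ValueError("DH values are never negative")
    if n == 0:
        return b"\x00\x00\x00\x00"  # zero is encoded as an empty payload
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:
        body = b"\x00" + body  # keep the number positive
    return len(body).to_bytes(4, "big") + body


def mpint_payload_len(bits: int) -> int:
    """Payload bytes (excluding the 4-byte length prefix) needed for a
    value whose highest set bit is bit `bits`, as a DH modulus's is."""
    return len(ssh_mpint((1 << bits) - 1)) - 4


def fits_in_buffer(bits: int, buflen: int) -> bool:
    """Would an mpint payload for a `bits`-bit value fit in `buflen` bytes?
    For 8192 bits and buflen 1023 this is False: 1025 bytes are needed."""
    return mpint_payload_len(bits) <= buflen


def openssh_dh_estimate(cipher_key_bits: int) -> int:
    """Preferred DH group size a client would request for a cipher key size.
    ASSUMPTION: mirrors the NIST SP 800-57 based thresholds in OpenSSH's
    dh_estimate(); confirm against the dh.c of the OpenSSH version in use."""
    if cipher_key_bits <= 112:
        return 2048
    if cipher_key_bits <= 128:
        return 3072
    if cipher_key_bits <= 192:
        return 7680
    return 8192


# --- minimal DER helpers: DH PARAMETERS is SEQUENCE { INTEGER p, INTEGER g } ---

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def _der_int(n: int) -> bytes:
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def _der_read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for a DER TLV."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def make_dh_params_pem(p: int, g: int = 2) -> str:
    """Build one PEM 'DH PARAMETERS' block from p and g (used here only to
    construct test input; p is NOT validated as a safe prime)."""
    inner = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(inner)) + inner
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


def dh_group_bits(pem_text: str) -> list:
    """Bit length of the modulus p of every DH PARAMETERS block in a PEM file,
    in file order. Feed it the contents of dhparams.pem to see which group
    sizes mod_sftp can offer during group exchange."""
    sizes = []
    pattern = r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----"
    for m in re.finditer(pattern, pem_text, re.S):
        der = base64.b64decode("".join(m.group(1).split()))
        tag, seq, _ = _der_read_tlv(der, 0)
        if tag != 0x30:
            raise ValueError("expected a DER SEQUENCE")
        ptag, p_bytes, _ = _der_read_tlv(seq, 0)
        if ptag != 0x02:
            raise ValueError("expected INTEGER p")
        sizes.append(int.from_bytes(p_bytes, "big").bit_length())
    return sizes


# Constructed sample: values with the right bit lengths, not real DH groups.
SAMPLE_PEM = make_dh_params_pem((1 << 2047) | 1) + make_dh_params_pem((1 << 8191) | 1)

if __name__ == "__main__":
    want = openssh_dh_estimate(256)  # aes-256-ctr as in the report
    have = dh_group_bits(SAMPLE_PEM)
    print("client prefers", want, "bits; file offers", have)
    print("8192-bit mpint payload:", mpint_payload_len(8192), "bytes;",
          "fits in 1023?", fits_in_buffer(8192, 1023))
```

Run `dh_group_bits(open("/etc/proftpd/dhparams.pem").read())` (or wherever the distribution installs the file) to list the groups actually shipped; an empty list for the size the client prefers explains the "fixed modulus" fallback, and `fits_in_buffer(8192, 1023)` reproduces the arithmetic of the mod_sftp error message.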
If you use the dhparams.pem file from: http://proftp.cvs.sourceforge.net/viewvc/proftp/proftpd/contrib/mod_sftp/dhparams.pem?revision=1.2 does that fix it?
(In reply to Paul Howarth from comment #1)
> If you use the dhparams.pem file from:
>
> http://proftp.cvs.sourceforge.net/viewvc/proftp/proftpd/contrib/mod_sftp/dhparams.pem?revision=1.2
>
> does that fix it?

yes
(In reply to Till Maas from comment #2)
> (In reply to Paul Howarth from comment #1)
> > If you use the dhparams.pem file from:
> >
> > http://proftp.cvs.sourceforge.net/viewvc/proftp/proftpd/contrib/mod_sftp/dhparams.pem?revision=1.2
> >
> > does that fix it?
>
> yes

Sorry, no, it does not fix it. Removing the file "fixes" it, as does SELinux preventing proftpd from accessing it, which is what happened during my first test.
So you're seeing "WARNING: using fixed modulus for DH group exchange" if the file is missing/unreadable, and that "works", but actually having the file there results in the same error as the original report?
I think this change may be related: http://proftp.cvs.sourceforge.net/viewvc/proftp/proftpd/contrib/mod_sftp/kex.c?r1=1.36&r2=1.37
(In reply to Paul Howarth from comment #4)
> So you're seeing "WARNING: using fixed modulus for DH group exchange" if the
> file is missing/unreadable, and that "works", but actually having the file
> there results in the same error as the original report?

I did look into the log if the file is missing/unreadable (I can look into this tomorrow) but other than that: yes, with the file I see the same error (at least from sftp, since I did not look into the logs).
There are more issues with 8192 DH: http://bugs.proftpd.org/show_bug.cgi?id=4001
It works with the following changes:
- http://proftp.cvs.sourceforge.net/viewvc/proftp/proftpd/contrib/mod_sftp/kex.c?r1=1.36&r2=1.37 (backported to the EPEL proftpd)
- http://bugs.proftpd.org/attachment.cgi?id=4130 (the new dhparams.pem file)
Created attachment 838955: backported larger keys patch
Created attachment 838958: backported kex patch
Can you try this scratch build and let me know if it works for you? http://koji.fedoraproject.org/koji/taskinfo?taskID=6314667
(In reply to Paul Howarth from comment #11)
> Can you try this scratch build and let me know if it works for you?
>
> http://koji.fedoraproject.org/koji/taskinfo?taskID=6314667

It works on my test system. Btw. there is also http://bugs.proftpd.org/show_bug.cgi?id=4002 which should probably be fixed. I generated a local dhparams.pem file that I can give you if you do not want to wait for proftp.
proftpd-1.3.4d-5.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/proftpd-1.3.4d-5.fc19
proftpd-1.3.4d-5.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/proftpd-1.3.4d-5.fc18
proftpd-1.3.4d-5.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/proftpd-1.3.4d-5.fc20
proftpd-1.3.3g-4.el5 has been submitted as an update for Fedora EPEL 5. https://admin.fedoraproject.org/updates/proftpd-1.3.3g-4.el5
proftpd-1.3.3g-4.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/proftpd-1.3.3g-4.el6
proftpd-1.3.4d-5.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
proftpd-1.3.4d-5.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
proftpd-1.3.4d-5.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
proftpd-1.3.3g-4.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
proftpd-1.3.3g-4.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.