Bug 2494

Summary: kex_protocol_error should send SSH2_MSG_UNIMPLEMENTED
Product: Portable OpenSSH
Reporter: Colin Watson <cjwatson>
Component: sshd
Assignee: Damien Miller <djm>
Status: CLOSED FIXED
Severity: normal
CC: djm, dtucker
Priority: P5    
Version: 6.9p1   
Hardware: Other   
OS: Linux   
Bug Depends on:    
Bug Blocks: 2451    
Attachments (description; flags):
send SSH_MSG_UNIMPLEMENTED on kex protocol error; dtucker: ok+
fixed diff; dtucker: ok+

Description Colin Watson 2015-11-11 22:16:23 AEDT
At least in the compat20 case, kex_protocol_error should send SSH2_MSG_UNIMPLEMENTED as dispatch_protocol_error does rather than simply logging and ignoring the message.  This would make it possible for a client to actually find out that a message it has sent was unrecognised rather than simply hanging, and perhaps even have a fallback.  This would appear to be a MUST in RFC 4253 section 11.4, if I'm reading it correctly.

(Discovered while debugging a twisted.conch hang that turned out to be due to sending SSH2_MSG_KEX_DH_GEX_REQUEST_OLD, but it would have been easier to spot if I'd got an unimplemented packet back from sshd.)
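
Added example, not part of the original report or of the OpenSSH patch: the SSH_MSG_UNIMPLEMENTED payload from RFC 4253 section 11.4 (message byte 3 followed by the uint32 sequence number of the rejected packet), built by a hypothetical receiver that accepts only SSH2_MSG_KEX_DH_GEX_REQUEST at this point in the exchange and parsed strictly on the sending side. The function names, the single-expected-type rule and the sequence number 3 are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SSH2_MSG_UNIMPLEMENTED          3   /* RFC 4253 section 11.4 */
#define SSH2_MSG_KEX_DH_GEX_REQUEST_OLD 30  /* RFC 4419 */
#define SSH2_MSG_KEX_DH_GEX_REQUEST     34  /* RFC 4419 */

/* Payload: byte SSH_MSG_UNIMPLEMENTED, then the rejected packet's sequence
 * number as a big-endian uint32. Returns bytes written, 0 if no room. */
static size_t build_unimplemented(uint32_t seq, uint8_t *out, size_t cap)
{
    if (cap < 5) return 0;
    out[0] = SSH2_MSG_UNIMPLEMENTED;
    for (int i = 0; i < 4; i++)
        out[1 + i] = (uint8_t)(seq >> (24 - 8 * i));
    return 5;
}

/* Hypothetical receive path. *recv_seq counts packets received so far (it is
 * implicit, starts at 0, wraps at 2^32). Returns reply length, 0 if accepted. */
static size_t on_kex_packet(uint32_t *recv_seq, uint8_t type, uint8_t *reply, size_t cap)
{
    uint32_t seq = (*recv_seq)++;
    return type == SSH2_MSG_KEX_DH_GEX_REQUEST ? 0 : build_unimplemented(seq, reply, cap);
}

/* Sender side, strict parse: returns the rejected sequence number, or -1 if
 * the payload is not a well-formed SSH_MSG_UNIMPLEMENTED. */
static int64_t parse_unimplemented(const uint8_t *p, size_t len)
{
    if (len != 5 || p[0] != SSH2_MSG_UNIMPLEMENTED) return -1;
    return ((int64_t)p[1] << 24) | ((int64_t)p[2] << 16) |
        ((int64_t)p[3] << 8) | p[4];
}

/* Constructed exchange: packet number `seq` of `type` goes in, reply comes back. */
static int64_t reject_roundtrip(uint32_t seq, uint8_t type)
{
    uint8_t reply[8] = {0};
    size_t n = on_kex_packet(&seq, type, reply, sizeof(reply));
    return parse_unimplemented(reply, n);
}

int main(void)
{
    printf("rejected seq: %lld\n", (long long)reject_roundtrip(3, SSH2_MSG_KEX_DH_GEX_REQUEST_OLD));
    return 0;
}
```

A sender that records the sequence number of each packet it transmits can match the returned value to the offending message instead of waiting on a reply that will never arrive.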
Comment 1 Damien Miller 2015-11-13 13:15:02 AEDT
Created attachment 2749
send SSH_MSG_UNIMPLEMENTED on kex protocol error

I think this should do it; can you test against the conch version that was sending the old key exchange?

Also, please send the banner string for the affected conch version so we can add a compat flag for it.
Comment 2 Damien Miller 2015-11-13 13:31:45 AEDT
Created attachment 2750
fixed diff

oops, previous diff forgot to declare a variable
Comment 3 Damien Miller 2015-11-13 15:40:05 AEDT
Patch applied - this will be in OpenSSH 7.2. (Please do let us know the affected conch version though)
Comment 4 Colin Watson 2015-11-15 03:12:17 AEDT
Thanks, that does indeed produce a sensible unimplemented message against that conch version, not that conch does anything with it other than logging it.  Still better than nothing.

I'm afraid that conch doesn't currently send a useful banner string for the purposes of compat flags:

debug1: Client protocol version 2.0; client software version Twisted
Comment 5 Damien Miller 2015-12-11 14:50:24 AEDT
Patch has been applied - will be in OpenSSH 7.2
Comment 6 Damien Miller 2016-08-02 10:41:47 AEST
Close all resolved bugs after 7.3p1 release