
openssh ssh_exchange_identification #19589

Closed
nhooyr opened this issue Oct 16, 2016 · 2 comments

Comments

@nhooyr
Contributor

nhooyr commented Oct 16, 2016

Issue description

If you have no hostkeys and try to connect to the openssh server, it will generate the keys but also send quite a bit of information to the client. I am not sure if this is an actual security issue but I wanted to bring it up just to make sure.

Steps to reproduce

  1. Delete hostkeys in /etc/ssh.
  2. Connect with ssh server -vvv
  3. The output will include
```
debug1: ssh_exchange_identification: Generating public/private rsa key pair.
debug1: ssh_exchange_identification: Your identification has been saved in /etc/ssh/ssh_host_rsa_key.
debug1: ssh_exchange_identification: Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub.
debug1: ssh_exchange_identification: The key fingerprint is:
debug1: ssh_exchange_identification: SHA256:Af1joLm9G8HaM4G6DXKUuUmg72kv2lq7PSadDvkSmHs root@aubble.com
debug1: ssh_exchange_identification: The key's randomart image is:
debug1: ssh_exchange_identification: +---[RSA 4096]----+
debug1: ssh_exchange_identification: |      ..         |
debug1: ssh_exchange_identification: |       .o        |
debug1: ssh_exchange_identification: |  .    o.o       |
debug1: ssh_exchange_identification: | . . ooo .+      |
debug1: ssh_exchange_identification: |.o  = .oS. .     |
debug1: ssh_exchange_identification: |o..+ +.o.o       |
debug1: ssh_exchange_identification: | .*o*.. =.       |
debug1: ssh_exchange_identification: |.+EO=+  .+       |
debug1: ssh_exchange_identification: |o=*O*.. ..       |
debug1: ssh_exchange_identification: +----[SHA256]-----+
debug1: ssh_exchange_identification: Generating public/private ed25519 key pair.
debug1: ssh_exchange_identification: Your identification has been saved in /etc/ssh/ssh_host_ed25519_key.
debug1: ssh_exchange_identification: Your public key has been saved in /etc/ssh/ssh_host_ed25519_key.pub.
debug1: ssh_exchange_identification: The key fingerprint is:
debug1: ssh_exchange_identification: SHA256:nF4r3qmT2vqO8uSCvLCZP1rKK6k3ajwti6Dp/i9yqlU root@aubble.com
debug1: ssh_exchange_identification: The key's randomart image is:
debug1: ssh_exchange_identification: +--[ED25519 256]--+
debug1: ssh_exchange_identification: |                 |
debug1: ssh_exchange_identification: |                 |
debug1: ssh_exchange_identification: |                 |
debug1: ssh_exchange_identification: |       . .       |
debug1: ssh_exchange_identification: |    E   S .      |
debug1: ssh_exchange_identification: |   .   . . .     |
debug1: ssh_exchange_identification: |+o+.  . o..      |
debug1: ssh_exchange_identification: |B/*+oo +oo .     |
debug1: ssh_exchange_identification: |^%%=o=*=*oo      |
debug1: ssh_exchange_identification: +----[SHA256]-----+
```

Technical details

  • System: (NixOS: nixos-version, Ubuntu/Fedora: lsb_release -a, ...) 17.03.git.69e01ff (Gorilla)
  • Nix version: (run nix-env --version) nix-env (Nix) 1.11.4
  • Nixpkgs version: (run nix-instantiate --eval '<nixpkgs>' -A lib.nixpkgsVersion) "17.03.git.69e01ffM"
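A defender-side check for the leak reported above, written for this thread and not part of nixpkgs or OpenSSH: it parses a client `-v` transcript, pulls out every line the server sent before its `SSH-2.0-...` banner (which OpenSSH logs under the `ssh_exchange_identification:` prefix), and classifies what was disclosed. The transcript, the fingerprint and the hostname in it are constructed sample values; the classifier patterns are derived from the lines in the report and are not exhaustive.

```python
import re

# ssh -v logs every non-banner line the server sends before its "SSH-2.0-..."
# identification string under this prefix (see the report above).
PREAMBLE_RE = re.compile(r"^debug\d: ssh_exchange_identification: (?P<text>.*)$")

CLASSIFIERS = (
    ("keygen", re.compile(r"^Generating public/private \S+ key pair\.")),
    ("path", re.compile(r"^Your (identification|public key) has been saved in (?P<path>\S+)\.")),
    ("fingerprint", re.compile(r"^SHA256:[A-Za-z0-9+/]+ (?P<who>\S+@\S+)$")),
    ("randomart", re.compile(r"^(\+[-\[\]A-Z0-9 ]+\+|\|.*\|)$")),
)

# Constructed client transcript: fingerprint and identity are made-up values.
SAMPLE_LOG = """\
debug1: Connecting to host.example.invalid [192.0.2.10] port 22.
debug1: ssh_exchange_identification: Generating public/private rsa key pair.
debug1: ssh_exchange_identification: Your identification has been saved in /etc/ssh/ssh_host_rsa_key.
debug1: ssh_exchange_identification: Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub.
debug1: ssh_exchange_identification: The key fingerprint is:
debug1: ssh_exchange_identification: SHA256:cONSTRUCTEDfingerprintNOTaREALkey00000000000 root@host.example.invalid
debug1: ssh_exchange_identification: The key's randomart image is:
debug1: ssh_exchange_identification: +---[RSA 4096]----+
debug1: ssh_exchange_identification: |   .o  E         |
debug1: ssh_exchange_identification: +----[SHA256]-----+
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.3
"""

def preamble_lines(client_log):
    """Text the server sent before its version banner, in order."""
    return [m.group("text") for m in map(PREAMBLE_RE.match, client_log.splitlines()) if m]

def classify(text):
    for kind, pat in CLASSIFIERS:
        if pat.match(text):
            return kind
    return "other"

def audit(client_log):
    """Count leaked lines per kind and collect disclosed paths and identities."""
    report = {"lines": 0, "kinds": {}, "paths": set(), "identities": set()}
    for text in preamble_lines(client_log):
        report["lines"] += 1
        kind = classify(text)
        report["kinds"][kind] = report["kinds"].get(kind, 0) + 1
        if kind == "path":
            report["paths"].add(CLASSIFIERS[1][1].match(text).group("path"))
        elif kind == "fingerprint":
            report["identities"].add(CLASSIFIERS[2][1].match(text).group("who"))
    return report
```

A clean server yields an empty preamble; anything else means pre-start output is reaching the socket.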
@nhooyr
Contributor Author

nhooyr commented Oct 17, 2016

This is happening because of

```
ssh-keygen -t "${k.type}" ${if k ? bits then "-b ${toString k.bits}" else ""} -f "${k.path}" -N ""
```

I'll create a PR with a fix tomorrow.

@grahamc
Member

grahamc commented Oct 18, 2016

Yikes! Seems like way over-sharing to me.

@Mic92 Mic92 closed this as completed in 1a74eed Oct 21, 2016
edolstra added a commit that referenced this issue Mar 31, 2017
AFAICT, this issue only occurs when sshd is socket-activated. It turns
out that the preStart script's stdout and stderr are connected to the
socket, not just the main command's. So explicitly connect stderr to
the journal and redirect stdout to stderr.

(cherry picked from commit 80b40fd)
edolstra added a commit that referenced this issue Mar 31, 2017
adrianpk added a commit to adrianpk/nixpkgs that referenced this issue May 31, 2024