x/crypto/ssh: return error if other side version is older #46951

Open
ultram4rine opened this issue Jun 28, 2021 · 2 comments
@ultram4rine

What version of Go are you using (go version)?

$ go version
go version go1.16.5 linux/amd64

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

linux amd64

What did you do?

Dial to an SSH device with SSHv1 on board.

What did you expect to see?

An error which says that SSHv1 and SSHv2 are incompatible

What did you see instead?

That error: ssh: handshake failed: ssh: invalid packet length, packet too large


To get this, in the readVersion func, add a check like this before returning the version (it's very close to how paramiko does that):

version := bytes.Split(versionString, []byte("-"))[1]
// RFC 4253, section 5.1 says that version '1.99' is used to
// identify compatibility with older versions of the protocol.
if !bytes.Equal(version, []byte("1.99")) && !bytes.Equal(version, []byte("2.0")) {
    return nil, fmt.Errorf("ssh: incompatible versions (%s and 2.0)", version)
}

Also, as I understand it, RFC 4253, section 5.2 says that a client with a newer version should close the connection to the older server when this happens.

I can try to send it to Gerrit with a test if you want.

Thanks.
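
A stand-alone version of the check proposed above, added here as an example; it is not code from golang.org/x/crypto/ssh or from the linked change. The names `peerProtoVersion` and `ErrIncompatibleVersion` and the sample banners are assumptions made for illustration.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"strings"
)

// ErrIncompatibleVersion is a hypothetical sentinel error for this example.
var ErrIncompatibleVersion = errors.New("ssh: incompatible protocol version")

// peerProtoVersion (hypothetical name) reads the peer's identification line,
// "SSH-protoversion-softwareversion[ SP comments]" (RFC 4253, section 4.2),
// and returns protoversion, or an error if the peer cannot speak SSH 2.0.
func peerProtoVersion(r io.Reader) (string, error) {
	br := bufio.NewReader(io.LimitReader(r, 4096)) // bound pre-banner data
	for {
		line, err := br.ReadString('\n')
		if err != nil {
			return "", fmt.Errorf("ssh: reading version line: %w", err)
		}
		line = strings.TrimRight(line, "\r\n")
		if !strings.HasPrefix(line, "SSH-") {
			continue // a server may send other lines before its version
		}
		parts := strings.SplitN(line, "-", 3)
		if len(parts) < 3 || parts[1] == "" {
			return "", fmt.Errorf("ssh: malformed version line %q", line)
		}
		// "1.99" marks a server that also speaks 2.0 (RFC 4253, section 5.1).
		if parts[1] == "2.0" || parts[1] == "1.99" {
			return parts[1], nil
		}
		return "", fmt.Errorf("%w: peer offers %s, need 2.0", ErrIncompatibleVersion, parts[1])
	}
}

func main() {
	// Constructed banners, not captured from real devices.
	for _, b := range []string{"SSH-2.0-example_1.0\r\n", "SSH-1.99-example\r\n", "SSH-1.5-legacy-device\n"} {
		v, err := peerProtoVersion(strings.NewReader(b))
		fmt.Printf("%q -> version=%q err=%v\n", b, v, err)
	}
}
```

A caller can test for the version mismatch with `errors.Is(err, ErrIncompatibleVersion)` and close the connection instead of continuing into the binary packet protocol.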

@gopherbot gopherbot added this to the Proposal milestone Jun 28, 2021
@ianlancetaylor ianlancetaylor added the Proposal-Crypto Proposal related to crypto packages or other security issues label Jul 14, 2021
@ianlancetaylor ianlancetaylor added this to Incoming in Proposals (old) Jul 14, 2021
@gopherbot
Contributor

Change https://golang.org/cl/344129 mentions this issue: ssh: return error if other side version not 2.0 or 1.99

@rsc
Contributor

rsc commented Oct 13, 2021

This doesn't need to be a proposal. Connecting to a pre-1.99 SSH is guaranteed to fail and should report a useful error.

@rsc rsc added the NeedsFix The path to resolution is known, but the work has not been done. label Oct 13, 2021
@rsc rsc removed this from Incoming in Proposals (old) Oct 13, 2021
@rsc rsc modified the milestones: Proposal, Backlog Oct 13, 2021
@ultram4rine ultram4rine changed the title proposal: x/crypto/ssh: return error if other side version is older x/crypto/ssh: return error if other side version is older Oct 13, 2021
@ianlancetaylor ianlancetaylor removed Proposal Proposal-Crypto Proposal related to crypto packages or other security issues labels Oct 20, 2021