Fix rekeying with GSS-API key exchange #1065

Merged

@SebastianDeiss SebastianDeiss commented Sep 18, 2017

A mandatory feature of the SSH protocol does not work with GSS-API key exchange. Any attempt to renegotiate the transport keys for a gss-kex type transport causes a MIC failure and closes the transport. Because ssh initiates a rekey operation after the transfer of 1 GB of data, this bug can be a serious problem.

In kex_gss.py the MIC of the transport session ID (H of the initial kex) was checked against the MIC of the new H created during rekey.
Now the MIC verification is always performed for the hash H created during kex.

This pull should fix the bug. Also, there is a test case for rekeying with GSS-API created by @akruis.

When GSS-API key exchange is used a rekey caused a GSS-API MIC
failure and closed the transport.
This happened because the MIC of the transport session ID
(H of the initial kex) was checked against the MIC of the new H
created during rekey.
@bitprophet bitprophet merged commit 8f4b177 into paramiko:2.2 Sep 18, 2017
1 of 3 checks passed
codecov/patch 0% of diff hit (target 75%)
codecov/project 74.95% (-0.05%) compared to c4aed57
continuous-integration/travis-ci/pr The Travis CI build passed
bitprophet added a commit that referenced this pull request Sep 18, 2017
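
The failure mode described in this pull request, as an added example that is not paramiko's code: the server's MIC covers the exchange hash H of the current key exchange, so a client that verifies it against the session ID (H of the first kex) passes the initial kex and fails on rekey. HMAC-SHA256 stands in for the GSS-API MIC, and all class and function names here are hypothetical.

```python
import hashlib
import hmac
import os


class FakeGSSContext:
    """Assumption: HMAC over a shared key models GSS_GetMIC / GSS_VerifyMIC."""

    def __init__(self, key):
        self._key = key

    def get_mic(self, message):
        return hmac.new(self._key, message, hashlib.sha256).digest()

    def check_mic(self, mic, message):
        return hmac.compare_digest(mic, self.get_mic(message))


def exchange_hash(round_material):
    # Constructed stand-in for the exchange hash H of one key exchange.
    return hashlib.sha1(round_material).digest()


class Client:
    def __init__(self, ctx, verify_against_current_h):
        self.ctx = ctx
        self.session_id = None
        self.verify_against_current_h = verify_against_current_h

    def finish_kex(self, h, server_mic):
        # The session ID is H of the first kex and never changes afterwards.
        if self.session_id is None:
            self.session_id = h
        # Buggy behaviour checks the MIC against session_id; fixed uses H.
        signed = h if self.verify_against_current_h else self.session_id
        return self.ctx.check_mic(server_mic, signed)


def run_session(verify_against_current_h):
    """Return MIC check results for [initial kex, rekey]."""
    key = os.urandom(32)
    server_ctx, client_ctx = FakeGSSContext(key), FakeGSSContext(key)
    client = Client(client_ctx, verify_against_current_h)
    results = []
    for material in (b"initial kex", b"rekey after 1 GB"):  # constructed inputs
        h = exchange_hash(material)
        # The server always computes its MIC over the H of this exchange.
        results.append(client.finish_kex(h, server_ctx.get_mic(h)))
    return results
```

On the first exchange the session ID equals H, which is why the defect only surfaces once a rekey happens.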