Fix rekeying with GSS-API key exchange #1065

Merged
merged 1 commit into from Sep 18, 2017

@SebastianDeiss
Contributor

SebastianDeiss commented Sep 18, 2017

A mandatory feature of the SSH protocol does not work with GSS-API key exchange. Any attempt to renegotiate the transport keys for a gss-kex type transport causes a MIC failure and closes the transport. Because ssh initiates a rekey operation after the transfer of 1 GB of data, this bug can be a serious problem.

In kex_gss.py the MIC of the transport session ID (H of the initial kex) was checked against the MIC of the new H created during rekey.
Now the MIC verification is always performed for the hash H created during kex.

This pull should fix the bug. Also, there is a test case for rekeying with GSS-API created by @akruis.

Sebastian Deiss
Fix rekeying with GSS-API key exchange
When GSS-API key exchange is used a rekey caused a GSS-API MIC
failure and closed the transport.
This happened because the MIC of the transport session ID
(H of the initial kex) was checked against the MIC of the new H
created during rekey.

@bitprophet bitprophet merged commit 8f4b177 into paramiko:2.2 Sep 18, 2017
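
The failure mode described in this pull request, as an added example that is not paramiko's code and not part of the original change: the session ID stays fixed at the H of the first key exchange, while the server's MIC on a rekey covers the new H. Assumptions: HMAC-SHA1 under a shared key stands in for the GSS-API MIC calls, and `ToyTransport`, `run_kex` and `simulate` are hypothetical names.

```python
import hashlib
import hmac

# Assumption: HMAC-SHA1 under a shared key stands in for GSS_GetMIC / GSS_VerifyMIC
# on an established GSS-API context. The key and transcripts are constructed.
CONTEXT_KEY = b"constructed-gss-context-key"


def get_mic(message: bytes) -> bytes:
    return hmac.new(CONTEXT_KEY, message, hashlib.sha1).digest()


def check_mic(message: bytes, token: bytes) -> bool:
    return hmac.compare_digest(get_mic(message), token)


class ToyTransport:
    """Hypothetical client-side model; not paramiko's Transport or kex_gss.py."""

    def __init__(self, verify_session_id: bool):
        self.verify_session_id = verify_session_id  # True = behaviour before the fix
        self.session_id = None

    def run_kex(self, transcript: bytes) -> bool:
        h = hashlib.sha1(transcript).digest()  # exchange hash H of this kex
        server_mic = get_mic(h)                # server's MIC covers the H of this kex
        if self.session_id is None:
            self.session_id = h                # set once, unchanged by any rekey
        checked = self.session_id if self.verify_session_id else h
        return check_mic(checked, server_mic)


def simulate(verify_session_id: bool) -> list:
    """Return [initial kex verified, rekey verified]."""
    t = ToyTransport(verify_session_id)
    return [t.run_kex(b"constructed initial kex transcript"),
            t.run_kex(b"constructed rekey transcript")]


if __name__ == "__main__":
    print("before fix:", simulate(True))   # [True, False]
    print("after fix: ", simulate(False))  # [True, True]
```

The initial exchange passes in both modes because the session ID equals H at that point, which is why the defect only shows up once a rekey is triggered.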

1 of 3 checks passed

codecov/patch 0% of diff hit (target 75%)
codecov/project 74.95% (-0.05%) compared to c4aed57
continuous-integration/travis-ci/pr The Travis CI build passed

bitprophet added a commit that referenced this pull request Sep 18, 2017
