RE: libssh 0.8.4 with Cisco router

[Meng Hourk Tan <mtan@xxxxxxxxxx>]

Hello,

I had the same issue with some Cisco router:

Some Cisco IOS do not send kex if they send the banner last (libssh as a client sent it first).

In this situation, both libssh client and Cisco IOS server hang.

Libssh client should send kex init as soon as banners are exchanged.


I attached a patch that fix this issue.

Regards,


Meng

________________________________
De : jijo thomas <jijo7thomas@xxxxxxxxx>
Envoyé : mardi 23 octobre 2018 08:48:02
À : libssh@xxxxxxxxxx
Objet : libssh 0.8.4 with Cisco router

Hi,

I compiled libssh 0.8.4 in Windows

Then ran into a strange issue with libssh 0.8.4 while working with Cisco router (ios ver 15.4) while executing the sample exec.c from the bundle.

The ssh connection to the device is getting established alternatively. ie) It fails once at analyzing banner. if I try again, it'll work fine.

Following is the log.

Attempt 1
exec.exe x.x.x.x
[2018/10/23 11:43:55.012458, 2] ssh_connect:  libssh 0.8.4 (c) 2003-2018 Aris Ad
amantiadis, Andreas Schneider and libssh contributors. Distributed under the LGP
L, please refer to COPYING file for information about your rights, using threadi
ng threads_winlock
[2018/10/23 11:43:55.015458, 2] ssh_socket_connect:  Nonblocking connection sock
et: 196
[2018/10/23 11:43:55.016458, 2] ssh_connect:  Socket connecting, now waiting for
 the callbacks to work
[2018/10/23 11:43:55.531488, 1] socket_callback_connected:  Socket connection ca
llback: 1 (0)
[2018/10/23 11:43:56.128522, 1] ssh_client_connection_callback:  SSH server bann
er: SSH-2.0-Cisco-1.25
[2018/10/23 11:43:56.129522, 1] ssh_analyze_banner:  Analyzing banner: SSH-2.0-C
isco-1.25
[2018/10/23 11:44:05.018031, 1] ssh_connect:  Timeout connecting to x.x.x.x
Connection failed : Timeout connecting to x.x.x.x

Attempt 2

exec.exe x.x.x.x
[2018/10/23 11:59:31.880044, 2] ssh_connect:  libssh 0.8.4 (c) 2003-2018 Aris Ad
amantiadis, Andreas Schneider and libssh contributors. Distributed under the LGP
L, please refer to COPYING file for information about your rights, using threadi
ng threads_winlock
[2018/10/23 11:59:31.882044, 2] ssh_socket_connect:  Nonblocking connection sock
et: 196
[2018/10/23 11:59:31.883044, 2] ssh_connect:  Socket connecting, now waiting for
 the callbacks to work
[2018/10/23 11:59:32.391073, 1] socket_callback_connected:  Socket connection ca
llback: 1 (0)
[2018/10/23 11:59:32.899102, 1] ssh_client_connection_callback:  SSH server bann
er: SSH-2.0-Cisco-1.25
[2018/10/23 11:59:32.900102, 1] ssh_analyze_banner:  Analyzing banner: SSH-2.0-C
isco-1.25
[2018/10/23 11:59:32.905103, 2] ssh_kex_select_methods:  Negotiated diffie-hellm
an-group14-sha1,ssh-rsa,aes256-ctr,aes256-ctr,hmac-sha1,hmac-sha1,none,none,,
[2018/10/23 11:59:34.053168, 2] ssh_packet_dh_reply:  Received SSH_KEXDH_REPLY
[2018/10/23 11:59:34.064169, 2] ssh_client_dh_reply:  SSH_MSG_NEWKEYS sent
[2018/10/23 11:59:34.561197, 2] ssh_packet_newkeys:  Received SSH_MSG_NEWKEYS
[2018/10/23 11:59:34.563197, 2] ssh_packet_newkeys:  Signature verified and vali
d
[2018/10/23 11:59:35.793268, 1] ssh_packet_userauth_failure:  Access denied for
'none'. Authentication that can continue: publickey,keyboard-interactive,passwor
d
[2018/10/23 11:59:35.794268, 2] ssh_packet_userauth_failure:  Access denied for
'none'. Authentication that can continue: publickey,keyboard-interactive,passwor
d

.
.
.

[2018/10/23 11:59:35.803268, 2] ssh_userauth_publickey_auto:  Tried every public
 key, none matched
Password:
[2018/10/23 11:59:38.955449, 2] channel_open:  Creating a channel 43 with 64000
window and 32768 max packet
[2018/10/23 11:59:39.463478, 2] ssh_packet_channel_open_conf:  Received a CHANNE
L_OPEN_CONFIRMATION for channel 43:3
[2018/10/23 11:59:39.464478, 2] ssh_packet_channel_open_conf:  Remote window : 8
192, maxpacket : 4096
[2018/10/23 11:59:39.974507, 2] channel_request:  Channel request exec success
[2018/10/23 11:59:39.975507, 2] grow_window:  growing window (channel 43:3) to 1
280000 bytes

22:29:39.716 PST Mon Oct 22 2018



From ec07dcd54dd677dc9647f9e4c179127a26298b59 Mon Sep 17 00:00:00 2001
From: Meng Tan <mtan@xxxxxxxxxx>
Date: Tue, 23 Oct 2018 18:01:17 +0200
Subject: [PATCH] client: send kex as soon as banners are exchanged

Signed-off-by: Meng Tan <mtan@xxxxxxxxxx>
---
 src/client.c | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/src/client.c b/src/client.c
index 859a86c6..74c37d5e 100644
--- a/src/client.c
+++ b/src/client.c
@@ -411,6 +411,12 @@ static void ssh_client_connection_callback(ssh_session session)

             ssh_packet_set_default_callbacks(session);
             session->session_state = SSH_SESSION_STATE_INITIAL_KEX;
+            if (ssh_set_client_kex(session) < 0) {
+                goto error;
+            }
+            if (ssh_send_kex(session, 0) < 0) {
+                goto error;
+            }
             set_status(session, 0.5f);

             break;
@@ -420,14 +426,17 @@ static void ssh_client_connection_callback(ssh_session session)
         case SSH_SESSION_STATE_KEXINIT_RECEIVED:
             set_status(session,0.6f);
             ssh_list_kex(&session->next_crypto->server_kex);
-            if (ssh_set_client_kex(session) < 0) {
-                goto error;
+            if (session->next_crypto->client_kex.methods[0] == NULL) {
+                /* in rekeying state if next_crypto client_kex is empty */
+                if (ssh_set_client_kex(session) < 0) {
+                    goto error;
+                }
+                if (ssh_send_kex(session, 0) < 0) {
+                    goto error;
+                }
             }
             if (ssh_kex_select_methods(session) == SSH_ERROR)
                 goto error;
-            if (ssh_send_kex(session, 0) < 0) {
-                goto error;
-            }
             set_status(session,0.8f);
             session->session_state=SSH_SESSION_STATE_DH;
             if (dh_handshake(session) == SSH_ERROR) {
--
2.11.0