COMMAND

    ssh

SYSTEMS AFFECTED

    ssh 1.2.27

PROBLEM

    Markus Friedl found the following.  While working on OpenSSH he
    discovered the following defect in ssh-1.2.27, OpenSSH and other
    related implementations of SSH1:

        A malicious ssh client can force a server to use the so-called
        cipher "none" even if the server policy does not permit this.

    In the SSH1 protocol, during connection setup, the server sends a
    list of supported ciphers to the client.  This list represents the
    server policy and includes the ciphers the server is going to
    accept.  Usually the client chooses one cipher from this list and
    sends its choice back to the server.  However, in all these
    implementations, the server does _not_ check whether the cipher
    chosen by the client is included in the list of previously offered
    ciphers.  According to README.CIPHERS from recent ssh-1.2.2x
    releases, login sessions 'encrypted' with cipher "none" are
    disabled by default:

        "This cipher is intended only  for testing, and should not  be
        enabled  for  normal  use.  Using  no  encryption  makes   SSH
        vulnerable  to  network-level  attacks  (such  as   connection
        hijacking).  There are also more subtle ways to exploit  using
        no encryption, and servers  should not allow such  connections
        at all except when testing the protocol.

        [...]

        You  can  allow  "none"  encryption  by giving the --with-none
        option to  configure. Using  no encryption  is not  allowed by
        default.

    This is wrong.  Because passphrase-less hostkeys are 'encrypted'
    with cipher "none", the code for this cipher is always compiled
    into the programs.  As a result the client is free to choose "none"
    and no server will complain.
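    The defect and its fix reduced to the cipher-selection step, as an
    added example written for this advisory (not code from ssh-1.2.27
    or OpenSSH).  The server's offered set is a bitmask indexed by
    cipher number, exactly as in SSH1; the cipher numbers used match
    OpenSSH's cipher.h, while offered_cipher_mask() and the two
    select_cipher_* functions are constructed for the illustration.
    The checked variant also bounds the client's byte before shifting,
    since a value of 32 or more has no bit in a 32-bit mask and would
    otherwise make the shift itself undefined.

```c
#include <stdio.h>
#include <stdint.h>

/* SSH1 cipher numbers as defined in OpenSSH's cipher.h; only the ones
 * used here are listed. */
#define SSH_CIPHER_NONE      0
#define SSH_CIPHER_3DES      3
#define SSH_CIPHER_BLOWFISH  6
#define SSH_CIPHER_MAX_ID    31   /* highest id a 32-bit mask can hold */

/* Constructed server policy: the bitmask of ciphers the server offers
 * during SSH1 connection setup.  SSH_CIPHER_NONE is deliberately absent. */
uint32_t offered_cipher_mask(void)
{
	return (1u << SSH_CIPHER_3DES) | (1u << SSH_CIPHER_BLOWFISH);
}

/* Pre-patch behaviour: the client's byte is used as-is, so a "none"
 * choice is honoured even though the server never offered it. */
int select_cipher_unchecked(uint32_t offered, int client_choice)
{
	(void)offered;                 /* policy never consulted */
	return client_choice;
}

/* Patched behaviour: the choice must appear in the offered mask.  The
 * range check comes first so that the shift is always well defined,
 * which matters because client_choice is a raw byte (0..255) read from
 * the network.  Returns the cipher id on success, -1 on rejection. */
int select_cipher_checked(uint32_t offered, int client_choice)
{
	if (client_choice < 0 || client_choice > SSH_CIPHER_MAX_ID)
		return -1;
	if (!(offered & (1u << client_choice)))
		return -1;
	return client_choice;
}

int main(void)
{
	uint32_t mask = offered_cipher_mask();
	/* Constructed client choices: one offered cipher, "none", and two
	 * values outside the mask's bit range. */
	int probes[] = { SSH_CIPHER_3DES, SSH_CIPHER_NONE, 32, 200 };
	size_t i;

	for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
		int c = probes[i];
		printf("client picks %3d: unchecked -> %3d, checked -> %3d\n",
		       c, select_cipher_unchecked(mask, c),
		       select_cipher_checked(mask, c));
	}
	return 0;
}
```

    Running it shows the unchecked path returning every value the
    client sent, including 0 ("none"), while the checked path accepts
    only 3DES and rejects the rest; a server that wanted to permit
    "none" for protocol testing would do so by adding its bit to the
    offered mask, not by relaxing the check.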

SOLUTION

    The current version, OpenSSH-1.2.1, is not vulnerable.  The obvious
    fix can be found below.  A patch for the versions of OpenSSH
    shipped with OpenBSD-2.6 is available from

        http://www.openbsd.org/errata.html#sshjumbo

    Fix:

    Index: sshd.c
    ===================================================================
    --- sshd.c	1999/12/06 20:15:30	1.68
    +++ sshd.c	1999/12/07 13:38:05
    @@ -869,8 +869,11 @@
 	    /* Read clients reply (cipher type and session key). */
 	    packet_read_expect(&plen, SSH_CMSG_SESSION_KEY);
    
    -	/* Get cipher type. */
    +	/* Get cipher type and check whether we accept this. */
 	    cipher_type = packet_get_char();
    +
    +        if (!(cipher_mask() & (1 << cipher_type)))
    +		packet_disconnect("Warning: client selects unsupported cipher.");
    
 	    /* Get check bytes from the packet.  These must match those we
 	       sent earlier with the public key packet. */
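    Review bot: the added check `if (!(cipher_mask() & (1 << cipher_type)))` shifts by a value that comes straight from packet_get_char(), so cipher_type can be anything a byte can hold, and a shift by 32 or more is undefined in C; bound it before shifting, e.g. `if (cipher_type >= 32 || !(cipher_mask() & (1 << cipher_type)))`, so that an out-of-range byte is rejected rather than left to whatever the compiler produces.  Minor: the `if` line is indented with spaces while the surrounding lines use tabs, and the disconnect text reads as a warning although the connection is being torn down.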