Dropbear's usage of 'first_kex_packet_follows' may fail on broken SSH implementations
Matt Johnston
matt at ucc.asn.au
Thu Jan 20 13:40:52 AWST 2022
On Wed, Jan 19, 2022 at 04:23:29PM +0100, Thomas De Schampheleire wrote:
> I recently encountered connection issues when using dropbear as client (2020.81)
> to certain SSH implementations. In both cases, the issue was related to the host
> key verification. It took me a while to find the cause, and I send this mail
> mainly to help other Dropbear users that may have such problem.
>
> The symptoms I encountered were for one case (a proprietary SSH server
> implementation):
Hi Thomas,
Thanks for the write-up. I _think_ in the case of Dropbear
as a client it might be possible to defer sending the key
exchange until the server's version identification is
received, without incurring any extra round trip latency. I
will see if I can implement that. That would use an
allowlist of implementations known to correctly handle
first_kex_packet_follows.
If you could let me know the proprietary version with
problems it would be handy (off list is fine).
Thanks,
Matt
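The approach Matt describes above, sketched as an added example that is not Dropbear's code: the client reads the server's identification string first (RFC 4253 section 4.2), looks the software name up in an allowlist, and only then decides whether its SSH_MSG_KEXINIT sets the first_kex_packet_follows flag (RFC 4253 section 7.1). The allowlist contents, the function names and the sample version strings are assumptions for illustration.

```python
import struct

# Assumed allowlist of server software names (taken from the SSH version line)
# treated here as known to handle first_kex_packet_follows correctly.
# This is an illustrative assumption, not Dropbear's actual list.
KEX_GUESS_ALLOWLIST = ("OpenSSH", "dropbear")

SSH_MSG_KEXINIT = 20


def parse_version_line(line: bytes) -> dict:
    """Parse 'SSH-protoversion-softwareversion [SP comments] CR LF' (RFC 4253 4.2)."""
    text = line.rstrip(b"\r\n").decode("ascii", errors="replace")
    if not text.startswith("SSH-"):
        raise ValueError("not an SSH identification string")
    ident, _, comments = text.partition(" ")
    parts = ident.split("-", 2)
    if len(parts) != 3:
        raise ValueError("malformed identification string")
    _, protoversion, software = parts
    return {"protoversion": protoversion, "software": software, "comments": comments}


def software_name(software: str) -> str:
    """Strip the version suffix: 'OpenSSH_8.4p1' -> 'OpenSSH', 'dropbear_2020.81' -> 'dropbear'."""
    return software.split("_", 1)[0]


def should_guess_kex(server_version_line: bytes) -> bool:
    """Client-side decision: may we send a guessed first KEX packet to this server?"""
    info = parse_version_line(server_version_line)
    if info["protoversion"] not in ("2.0", "1.99"):
        return False
    # Unknown implementations get the conservative path: no guess, one extra
    # half round trip, but no risk of tripping a server that mishandles the flag.
    return software_name(info["software"]) in KEX_GUESS_ALLOWLIST


def ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def ssh_name_list(names) -> bytes:
    return ssh_string(",".join(names).encode("ascii"))


def build_kexinit(cookie: bytes, kex_algs, host_key_algs, ciphers, macs, comps,
                  first_kex_packet_follows: bool) -> bytes:
    """Encode an SSH_MSG_KEXINIT payload per RFC 4253 section 7.1 (same lists both directions)."""
    if len(cookie) != 16:
        raise ValueError("cookie must be 16 random bytes")
    return (bytes([SSH_MSG_KEXINIT]) + cookie
            + ssh_name_list(kex_algs) + ssh_name_list(host_key_algs)
            + ssh_name_list(ciphers) + ssh_name_list(ciphers)   # client->server, server->client
            + ssh_name_list(macs) + ssh_name_list(macs)
            + ssh_name_list(comps) + ssh_name_list(comps)
            + ssh_name_list([]) + ssh_name_list([])              # languages (empty)
            + bytes([1 if first_kex_packet_follows else 0])
            + struct.pack(">I", 0))                              # reserved, must be 0


def parse_kexinit_guess_flag(payload: bytes) -> bool:
    """Read the first_kex_packet_follows flag back out of an encoded KEXINIT payload."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off = 17  # 1 byte message id + 16 byte cookie
    for _ in range(10):  # ten name-lists precede the boolean
        (n,) = struct.unpack(">I", payload[off:off + 4])
        off += 4 + n
    return payload[off] == 1


def client_kexinit_for_server(server_version_line: bytes, cookie: bytes) -> tuple:
    """Build the client's KEXINIT after the server's version line has arrived.
    Returns (payload, guess_flag) so the caller knows whether to send its guessed KEX packet."""
    guess = should_guess_kex(server_version_line)
    payload = build_kexinit(cookie, ["curve25519-sha256"], ["ssh-ed25519"],
                            ["chacha20-poly1305@openssh.com"], ["hmac-sha2-256"], ["none"],
                            first_kex_packet_follows=guess)
    return payload, guess


if __name__ == "__main__":
    # Constructed sample version lines for a local demonstration.
    for line in (b"SSH-2.0-OpenSSH_8.4p1 Debian\r\n", b"SSH-2.0-AcmeSSH_1.0\r\n"):
        payload, guess = client_kexinit_for_server(line, b"\x00" * 16)
        print(line.strip().decode(), "-> guess:", guess, "flag in payload:", parse_kexinit_guess_flag(payload))
```

Because the server transmits its identification string as soon as the TCP connection is up, waiting for it before emitting the client's KEXINIT adds no extra round trip; the client merely orders its own sends differently, which is the point Matt makes above.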