Package: python-paramiko
Version: 1.7.7.1-2
Severity: normal

i've had reports about paramiko bungling a self-initiated rekey operation by not waiting long enough for the other party to respond before it throws an exception (see #660378).

lines 374++ of packet.py show that paramiko waits no more than 20 packets until after sending a key exchange request before it gives up. section 7.1 of the ssh rfc (https://tools.ietf.org/html/rfc4253#section-7.1) says quite explicitly that this is not the way to go:

    Note, however, that during a key re-exchange, after sending a
    SSH_MSG_KEXINIT message, each party MUST be prepared to process an
    arbitrary number of messages that may be in-flight before receiving
    a SSH_MSG_KEXINIT message from the other party.

with a large tcp window, a high-rtt path and a busy ssh session i'm quite certain that 20+ packets can be 'in-flight' when paramiko wants a rekey.

to me it looks as if this packet count limit should either be raised substantially, or the code in question rewritten completely with a different heuristic for when to give up.

regards
az
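
Added example, not part of the original report and not paramiko's code: a small simulation of the rekey wait described above, comparing a fixed packet-count limit with a wall-clock deadline. All function names, the 30 s deadline and the window/packet sizes are assumptions chosen for illustration.

```python
SSH_MSG_KEXINIT = 20        # RFC 4253
SSH_MSG_CHANNEL_DATA = 94   # RFC 4254

class RekeyTimeout(Exception):
    pass

def in_flight_packets(window_bytes, packet_bytes):
    """Upper bound on packets the peer sent before it could see our KEXINIT."""
    return -(-window_bytes // packet_bytes)  # ceiling division

def peer_stream(n_in_flight, inter_arrival_s):
    """Constructed peer traffic: n data packets, then the peer's KEXINIT.
    Yields (arrival_time_seconds, message_type)."""
    t = 0.0
    for _ in range(n_in_flight):
        t += inter_arrival_s
        yield t, SSH_MSG_CHANNEL_DATA
    yield t + inter_arrival_s, SSH_MSG_KEXINIT

def wait_count_limited(stream, max_packets=20):
    """Policy the report describes: give up after a fixed number of packets."""
    processed = 0
    for _, msg in stream:
        if msg == SSH_MSG_KEXINIT:
            return processed
        processed += 1
        if processed >= max_packets:
            raise RekeyTimeout("no KEXINIT after %d packets" % processed)
    raise RekeyTimeout("connection closed during rekey")

def wait_deadline(stream, deadline_s=30.0):
    """Assumed alternative: process any number of packets, bounded by time."""
    processed = 0
    for t, msg in stream:
        if t > deadline_s:
            raise RekeyTimeout("no KEXINIT within %.0f s" % deadline_s)
        if msg == SSH_MSG_KEXINIT:
            return processed
        processed += 1
    raise RekeyTimeout("connection closed during rekey")

def outcome(policy, stream):
    """Run one policy over a stream and report ('ok', n) or ('timeout', reason)."""
    try:
        return ("ok", policy(stream))
    except RekeyTimeout as exc:
        return ("timeout", str(exc))

if __name__ == "__main__":
    n = in_flight_packets(4 * 1024 * 1024, 32768)  # constructed: 4 MiB window
    print(n, outcome(wait_count_limited, peer_stream(n, 0.001)))
    print(n, outcome(wait_deadline, peer_stream(n, 0.001)))
```

With the constructed 4 MiB window and 32 KiB packets, 128 packets precede the peer's KEXINIT, so the count-limited wait fails on a healthy peer while the deadline-based wait completes and still bounds an unresponsive one.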

