> It does not seem to honor "ReKeyLimit 0G 1H" in my case. Have you tried "RekeyLimit 0" on _both_ ends?
Harald. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1608965 Title: ssh GSSAPI rekey failure Status in openssh package in Ubuntu: Triaged Bug description: If I have ssh set up using GSSAPI with rekeying enabled, then the connection fails on rekey, and tries to do host-based verification 'mid-session'. Steps to reproduce: $ ssh -vvv server.example.com <snip...> debug1: Authenticating to ssh.example.com:22 as 'user' <snip...> debug2: local client KEXINIT proposal debug2: KEX algorithms: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group14-sha1-A/vxljAEU54gt9a48EiANQ==,gss-gex-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group1-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group14-sha1-bontcUwnM6aGfWCP21alxQ==,gss-gex-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group1-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group14-sha1-eipGX3TCiQSrx573bT1o1Q==,curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,ext-info-c <snip...> debug2: peer server KEXINIT proposal debug2: KEX algorithms: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 <snip...> Last login: Tue Aug 02 10:47:20 2016 from foo # Then do 'kinit' on the client to get a new ticket... debug1: need rekeying debug1: SSH2_MSG_KEXINIT sent debug1: rekeying in progress debug1: SSH2_MSG_KEXINIT received debug2: local client KEXINIT proposal debug2: KEX algorithms: curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 debug2: host key algorithms: ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521-cert-...@openssh.com,ssh-ed25519-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,null [...] debug2: peer server KEXINIT proposal debug2: KEX algorithms: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 [...] debug1: kex: algorithm: curve25519-sha...@libssh.org debug1: kex: host key algorithm: ecdsa-sha2-nistp256 debug1: kex: server->client cipher: chacha20-poly1...@openssh.com MAC: <implicit> compression: none debug1: kex: client->server cipher: chacha20-poly1...@openssh.com MAC: <implicit> compression: none debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug1: rekeying in progress debug1: rekeying in progress debug1: Server host key: ecdsa-sha2-nistp256 SHA256:w7yxbCZNBX4d5EAgmCrFYa3XUpDjvWiDOw4/YOY9q8E The authenticity of host 'server.example.com (10.0.0.1)' can't be established. ECDSA key fingerprint is SHA256:w7yxbCZNBX4d5EAgmCrFYa3XUpDjvWiDOw4/YOY9q8E. Are you sure you want to continue connecting (yes/no)? Host key verification failed. It looks like the list of KEX algorithms differs between the initial connection, and the rekeying. This behaviour seems to occur with a client running 16.04 (openssh- client 1:7.2p2-4ubuntu1) but not on 15.10 (openssh-client 1:6.9p1-2ubuntu0.2). ssh_config is as follows: HashKnownHosts no GSSAPIAuthentication yes GSSAPIDelegateCredentials yes GSSAPIRenewalForcesRekey yes GSSAPITrustDNS yes GSSAPIKeyExchange yes ForwardX11 yes ForwardX11Trusted yes To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1608965/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
