Darren Tucker <dtucker at zip.com.au> writes:

> On Tue, Nov 8, 2016 at 3:30 PM, Harry Putnam <reader at newsguy.com> wrote:
> [...]
>> After having 7.3p1 & 6.8p1 fail with same wording... I tried 6.7p1 and
>> find it fails with what looks like the same problem but has slightly
>> different wording.
>
> I set up the same versions (server: OpenSSH_6.6p1, OpenSSL 1.0.1s 1
> Mar 2016, client: OpenSSH_7.3p1, OpenSSL 1.0.1s 1 Mar 2016) on Linux
> to try to reproduce it but failed.
>
> ./ssh -p 2022 -vvv -o ciphers=chacha20-poly1305@openssh.com -o
> kexalgorithms=diffie-hellman-group-exchange-sha256 localhost
> [...]
> debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
> debug1: kex: host key algorithm: ssh-ed25519
> debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC:
> <implicit> compression: none
> debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC:
> <implicit> compression: none

From another post Darren Tucker wrote:

> > That's because the 6.4 client doesn't do the problematic
> > ssh-ed25519 host key algorithm. You'll probably see the same
> > thing with the newer clients if you set HostKeyAlgorithms in the
> > client's ssh_config like I suggested in my first reply (or
> > remove/rename the ed25519 host key file on the server, I think
> > that version is before you could set HostKeyAlgorithms).

I'm sorry if by not doing that I tied you up in this thread, but I did
not understand how that would be done.

> Can you tell me more about the server? You said it's Solaris, but is
> it SPARC or x86? What OpenSSL version is it?

x86

uname -a
SunOS 2x 5.11 oi_151a9 i86pc i386 i86pc

It is an offshoot of Oracle Solaris named OpenIndiana.

Running OpenSSH_6.6, OpenSSL 1.0.1u 22 Sep 2016. Provided from the
OpenCSW project that builds some Solaris pkgs.
The last line of sshd_config must be the killer:
`kexAlgorithms diffie-hellman-group-exchange-sha1'

# grep -v '^#\|^$' /etc/ssh/sshd_config
Protocol 2
Port 22
ListenAddress ::
GatewayPorts no
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
PrintMotd no
KeepAlive yes
SyslogFacility auth
LogLevel info
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
KeyRegenerationInterval 3600
StrictModes yes
LoginGraceTime 600
MaxAuthTries 6
MaxAuthTriesLog 3
PermitEmptyPasswords no
PasswordAuthentication yes
PermitRootLogin yes
Subsystem sftp internal-sftp
IgnoreRhosts yes
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
kexAlgorithms diffie-hellman-group-exchange-sha1

------- ------- ---=--- ------- -------

Now having reinstalled ssh-7.3p1-r7 with gentoo's build patches and with the:
`kexAlgorithms diffie-hellman-group-exchange-sha1'
line removed, it all works.

Does seem odd that several other ssh 6.6p1 on the lan had no trouble
connecting to 2x even with the kexAlgorithms line in its config.

Sorry about the line noise . . .

gv
harry

> ssh -vv 2x
OpenSSH_7.3p1-hpn14v11, OpenSSL 1.0.2j 26 Sep 2016
[...]
debug1: Next authentication method: publickey
debug1: Trying private key: /home/harry/.ssh/id_rsa
debug1: Trying private key: /home/harry/.ssh/id_dsa
debug1: Trying private key: /home/harry/.ssh/id_ed25519
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password
On Wed, Nov 9, 2016 at 12:02 AM, Harry Putnam <reader at newsguy.com> wrote:
> Darren Tucker <dtucker at zip.com.au> writes:
[...]
>> Can you tell me more about the server? You said it's Solaris, but is
>> it SPARC or x86? What OpenSSL version is it?
> uname -a SunOS 2x 5.11 oi_151a9 i86pc i386 i86pc
[...]
> Running OpenSSH_6.6, OpenSSL 1.0.1u 22 Sep 2016.

I built my 6.6p1 with OpenSSL 1.0.1u but still failed to reproduce the problem.

> Provided from the OpenCSW project that builds some solaris pkgs.
>
> The last line of sshd_config must be the killer:
> `kexAlgorithms diffie-hellman-group-exchange-sha1'

diffie-hellman-group-exchange-sha1 is one of the oldest kex methods
(>10 years) so I'm surprised that it is related to the problem.

There's still a problem in there somewhere, but at this stage I have
no idea where it is (openssh, openssl, libraries, compiler,
toolchain...)

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Darren Tucker <dtucker at zip.com.au> writes:

> On Wed, Nov 9, 2016 at 12:02 AM, Harry Putnam <reader at newsguy.com> wrote:
>> Darren Tucker <dtucker at zip.com.au> writes:
> [...]
>>> Can you tell me more about the server? You said it's Solaris, but is
>>> it SPARC or x86? What OpenSSL version is it?
>> uname -a SunOS 2x 5.11 oi_151a9 i86pc i386 i86pc
> [...]
>> Running OpenSSH_6.6, OpenSSL 1.0.1u 22 Sep 2016.
>
> I built my 6.6p1 with OpenSSL 1.0.1u but still failed to reproduce the problem.
>
>> Provided from the OpenCSW project that builds some solaris pkgs.
>>
>> The last line of sshd_config must be the killer:
>> `kexAlgorithms diffie-hellman-group-exchange-sha1'
>
> diffie-hellman-group-exchange-sha1 is one of the oldest kex methods
> (>10 years) so I'm surprised that it is related to the problem.
>
> There's still a problem in there somewhere, but at this stage I have
> no idea where it is (openssh, openssl, libraries, compiler,
> toolchain...)

I kind of hid some info in the message you are replying to above, below
the ssh -vv output. Maybe you didn't notice it.

After removing the diffie-hellman line (it was not in the sshd_config as
installed but something I had added way back), I was able to return to
7.3_p1-r7, the gentoo modified version that started this thread, with no
problems at all.

So for the benefit of any searchers who stumble across this thread,
removing that line seems to have removed the problem that was causing my
gentoo host to fail when connecting to my solaris host.

Now I'm back where all lan hosts can talk to each other over ssh.

Thanks for helping me sort that out... I've been hassling with it for a
good while, and probably would have continued to stumble around a good
while longer without your clear thinking and guidance.
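The check a reader of this thread would want to run on their own server, as an added example (not code from the thread, from OpenSSH or from the OpenCSW package): it reads sshd_config text, reports whether a KexAlgorithms directive leaves the server offering only SHA-1 key-exchange methods (the setting Harry had added by hand), and produces the same config with that directive dropped, which is the change Harry reported as the fix. The sample config is constructed from the directives Harry posted; the function names and the verdict strings are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH.
# Audits sshd_config text for a KexAlgorithms directive that leaves the
# server offering only SHA-1 key-exchange methods, and produces the config
# with that directive removed (the change Harry reported as the fix).

# Constructed sample, reduced from the sshd_config posted in the thread.
SAMPLE_SSHD_CONFIG='Protocol 2
Port 22
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
Subsystem sftp internal-sftp
kexAlgorithms diffie-hellman-group-exchange-sha1'

# Print the value of the first KexAlgorithms directive in $1 (config text).
# sshd matches keywords case-insensitively, so "kexAlgorithms" counts; only
# the "keyword value" spelling is handled here, not "keyword=value".
kex_directive() {
    printf '%s\n' "$1" | awk 'tolower($1) == "kexalgorithms" { print $2; exit }'
}

# Succeed (exit 0) when every method in the comma-separated list $1 ends in
# "-sha1", i.e. the directive offers clients nothing but SHA-1 exchanges.
# An empty list fails: with no directive, sshd uses its built-in default set.
kex_sha1_only() {
    [ -n "$1" ] || return 1
    # grep -v selects entries that do NOT end in -sha1; if any exists, the
    # list is not SHA-1-only.
    if printf '%s\n' "$1" | tr ',' '\n' | grep -qv -- '-sha1$'; then
        return 1
    fi
    return 0
}

# Print $1 with every KexAlgorithms directive dropped and the rest of the
# config untouched, so sshd falls back to its default kex list.
strip_kex_directive() {
    printf '%s\n' "$1" | awk 'tolower($1) != "kexalgorithms"'
}

# One-line verdict for a config text.
audit_kex() {
    kex=$(kex_directive "$1")
    if [ -z "$kex" ]; then
        echo "no KexAlgorithms directive: default kex list in effect"
    elif kex_sha1_only "$kex"; then
        echo "KexAlgorithms offers SHA-1 methods only: $kex"
    else
        echo "KexAlgorithms offers at least one non-SHA-1 method: $kex"
    fi
}

audit_kex "$SAMPLE_SSHD_CONFIG"
echo "--- config with the directive removed ---"
strip_kex_directive "$SAMPLE_SSHD_CONFIG"
```

Run it against a real file with `audit_kex "$(grep -v '^#\|^$' /etc/ssh/sshd_config)"`, the same filter Harry used. Removing the directive is the safest fix because sshd then offers whatever its build supports; if a directive is wanted, `ssh -Q kex` (available since OpenSSH 6.3) lists the methods a given build accepts, and a list that keeps a non-SHA-1 option, for instance `KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1` (assumed here to be supported by the 6.6 server, since the thread shows it negotiating the sha256 method), passes this check. The client-side counterpart of the experiment Darren ran is `ssh -vvv -o KexAlgorithms=<method> host`, which shows in the `debug1: kex:` lines which method the two sides actually agreed on.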