[Bug 1197] Enhancement request to enable fips compatibility mode in OpenSSH

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Fri Jul 23 10:12:51 EST 2010 

https://bugzilla.mindrot.org/show_bug.cgi?id=1197

kpimm at yahoo.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kpimm at yahoo.com

--- Comment #7 from kpimm at yahoo.com  ---
I'm having likely the same problem as halsteaw.  Can someone please
help?  

I'm using openssh 5.3p1 (with the supplied patch) with
openssl-fips-1.1.2. 

Here's my debug output:

>sshd -p 7878 -d -d -d

debug2: load_server_config: filename /usr/local/etc/sshd_config
debug2: load_server_config: done config len = 121
debug2: parse_server_config: config /usr/local/etc/sshd_config len 121
debug3: /usr/local/etc/sshd_config:34 setting SyslogFacility AUTHPRIV
***IN FIPS MODE***
debug1: sshd version OpenSSH_5.3p1
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /usr/local/etc/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: Not a RSA1 key file /usr/local/etc/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Forcing server key to 1152 bits to make it differ from host
key.
debug1: rexec_argv[0]='/root/kevin/openssh-5.3p1/sshd'
debug1: rexec_argv[1]='-p'
debug1: rexec_argv[2]='7878'
debug1: rexec_argv[3]='-d'
debug1: rexec_argv[4]='-d'
debug1: rexec_argv[5]='-d'
socket: Address family not supported by protocol
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 7878 on 0.0.0.0.
Server listening on 0.0.0.0 port 7878.
Generating 1152 bit RSA key.
RSA key generation complete.
debug3: fd 4 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 7 config len 121
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
***IN FIPS MODE***
debug1: inetd sockets after dupping: 3, 3
Connection from 152.67.138.63 port 1418
debug1: Client protocol version 2.0; client software version
OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug2: Network child is on pid 1991
debug3: preauth child monitor started
debug2: FIPS rand reseeded
debug3: mm_request_receive entering
debug2: FIPS rand reseeded
debug3: privsep user:group 74:74
debug1: permanently_set_uid: 74/74
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 512 bytes for a total of 538
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,aes128192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,aes128192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac_sha1,hmac-sha1-96
debug2: kex_parse_kexinit: hmac_sha1,hmac-sha1-96
debug2: kex_parse_kexinit: none,zlib at openssh.com
debug2: kex_parse_kexinit: none,zlib at openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-sha1-96
debug1: kex: client->server aes128-ctr hmac-sha1-96 none
debug2: mac_setup: found hmac-sha1-96
debug1: kex: server->client aes128-ctr hmac-sha1-96 none
Received disconnect from 152.67.138.63: 2: Packet corrupt
debug1: do_cleanup
debug1: do_cleanup

Here's the client output:

ssh -p 7878 -v -v -v

OpenSSH_5.3p1, OpenSSL 0.9.8l 5 Nov 2009
debug2: ssh_connect: needpriv 0
debug1: Connecting to smsbuild [152.67.140.52] port 7878.
debug1: Connection established.
debug1: identity file /home/kpimm/.ssh/identity type -1
debug3: Not a RSA1 key file /home/kpimm/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/kpimm/.ssh/id_rsa type -1
debug1: identity file /home/kpimm/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version
OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 792 bytes for a total of 813
Bad packet length 541477200.
Disconnecting: Packet corrupt
debug3: Wrote 40 bytes for a total of 853

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list