openssh 2.2.0p1 fails with openssl 0.9.6-beta1

Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE
Fri Sep 15 03:23:30 EST 2000


On Wed, Sep 13, 2000 at 09:13:26AM +0000, Graham Murray wrote:
> On upgrading to openssl 0.9.6-beta1, I find that openssh 2.2.0p1 fails
> to connect.

I did some more experiments and also saw the problems.

They occur when using a 0.9.6-beta client to connect to 0.9.5a and 0.9.6-beta
servers.
They also occur when using a 0.9.5a client connecting to a 0.9.6-beta
server.
Connections fail with "dsa_verify: signature incorrect".

I have completely recompiled and re-linked the packages, so that binary
compatibility of the OpenSSL library is not an issue.

I have crossposted this message to openssh-unix-dev, as I don't know
whether this is caused by the new OpenSSL release or a problem with
OpenSSH calling it.

!! In any case it is a kind of show-stopper!!

Unfortunately I don't know enough about the SSH protocol, so I cannot offer
my help this time :-(

Best regards,
	Lutz

Rest of original message:
> I get the following log
>  SSH Version OpenSSH_2.2.0p1, protocol versions 1.5/2.0.
> Compiled with SSL (0x00906001).
> debug: Reading configuration data /usr/local/etc/ssh_config
> debug: Applying options for *
> debug: Seeding random number generator
> debug: ssh_connect: getuid 500 geteuid 0 anon 0
> debug: Connecting to gateway.webwayone.demon.co.uk [192.168.50.2] port 22.
> debug: Allocated local port 1023.
> debug: Connection established.
> debug: Remote protocol version 2.0, remote software version OpenSSH_2.2.0p1
> Enabling compatibility mode for protocol 2.0
> debug: Local version string SSH-2.0-OpenSSH_2.2.0p1
> debug: Seeding random number generator
> debug: send KEXINIT
> debug: done
> debug: wait KEXINIT
> debug: got kexinit: diffie-hellman-group1-sha1
> debug: got kexinit: ssh-dss
> debug: got kexinit: 3des-cbc,blowfish-cbc,arcfour,cast128-cbc
> debug: got kexinit: 3des-cbc,blowfish-cbc,arcfour,cast128-cbc
> debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160@openssh.com
> debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160@openssh.com
> debug: got kexinit: zlib,none
> debug: got kexinit: zlib,none
> debug: got kexinit: 
> debug: got kexinit: 
> debug: first kex follow: 0 
> debug: reserved: 0 
> debug: done
> debug: kex: server->client 3des-cbc hmac-sha1 none
> debug: kex: client->server 3des-cbc hmac-sha1 none
> debug: Sending SSH2_MSG_KEXDH_INIT.
> debug: bits set: 501/1024
> debug: Wait SSH2_MSG_KEXDH_REPLY.
> debug: Got SSH2_MSG_KEXDH_REPLY.
> debug: Host 'gateway.webwayone.demon.co.uk' is known and matches the DSA host key.
> debug: bits set: 509/1024
> debug: len 55 datafellows 0
> debug: dsa_verify: signature incorrect
> dsa_verify failed for server_host_key
> debug: Calling cleanup 0x805e760(0x0)
> 
> Using openssl 0.9.5a there are no problems (I have a log of a
> connection using this, if this will help)
> 
> The remote system is running openssh 2.2.0p1 with openssl 0.9.5a.

-- 
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153




