SSH Connections being dropped.

Austin Gonyou austin at coremetrics.com
Sat Mar 24 04:08:29 EST 2001


Did you look at the faq page on the openssh.com site? Here is what you
might be experiencing:
----------Begin FAQ Info-----------
2.3 - Why does SSH 2.3 have problems interoperating with OpenSSH 2.1.1?

SSH 2.3 and earlier versions contain a flaw in their HMAC implementation.
Their code was not supplying the full data block output from the digest,
and instead always provided 128 bits. For longer digests, this caused SSH
2.3 to not interoperate with OpenSSH.

OpenSSH 2.2.0 detects that SSH 2.3 has this flaw. Future versions of SSH
will have this bug fixed. Or you can add the following to ssh 2.3's
/etc/sshd_config.

Mac hmac-md5

In addition to the flawed HMAC implementation, problems in interoperation
have been seen due to OpenSSH not yet supporting the option of rekeying.
However SSH 2.3 tries to negotiate this feature, and you might experience
connection freezes or see the error message "Dispatch protocol error: type
20". To solve this problem, either upgrade to SSH 2.4 or disable rekeying
by adding the following to your commercial SSH 2.3's sshd_config.

RekeyIntervalSeconds 0

----------End FAQ Info---------


Hope this helps.
-- 
Austin Gonyou
Systems Architect
Coremetrics, Inc.
Phone: 512-796-9023
email: austin at coremetrics.com

On Fri, 23 Mar 2001, Scott Wares wrote:

> We are having problems with SSH shells disconnecting.
>
> We are replacing an older version of SSH (Non-Commercial Version which
> someone installed in error, but it was working fine.) & Had been running
> OpenSSH 2.3.0p? which had similar problems, some of the errors I was
> seeing went away with OpenSSH 2.5.2.p1.
>
> compiled against openssl-0.9.6, with SUNWspro & GCC281 on Solaris 2.8 &
> Solaris 2.6, both have the same problem.
>
> 133$ uname -a
> SunOS dtadmin 5.8 Generic_108528-03 sun4u sparc SUNW,Ultra-250
>
> 134$ showrev -p | wc -l
>      218
>
> Mar 22 09:29:24 dtadmin sshd[11783]: [ID 800047 auth.error] error: Hm,
> dispatch protocol error: type 30 plen 132
> Mar 22 10:30:25 dtadmin sshd[17083]: [ID 800047 auth.error] error: Hm,
> dispatch protocol error: type 20 plen 136
> Mar 22 10:30:25 dtadmin sshd[17083]: [ID 800047 auth.crit]
> fatal: dispatch_protocol_error: rekeying is not supported
>
> 265$ ssh -v dtadmin
> OpenSSH_2.5.2p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
> debug1: Seeded RNG with 39 bytes from programs
> debug1: Seeded RNG with 3 bytes from system calls
> debug1: Rhosts Authentication disabled, originating port will not be
> trusted.
> debug1: ssh_connect: getuid 6400 geteuid 0 anon 1
> debug1: Connecting to dtadmin [151.119.10.106] port 22.
> debug1: Connection established.
> debug1: identity file /home/user42/swares/.ssh/identity type 0
> debug1: unknown identity file /home/user42/swares/.ssh/id_rsa
> debug1: identity file /home/user42/swares/.ssh/id_rsa type -1
> debug1: unknown identity file /home/user42/swares/.ssh/id_dsa
> debug1: identity file /home/user42/swares/.ssh/id_dsa type -1
> debug1: Remote protocol version 2.0, remote software version
> OpenSSH_2.5.2p1
> debug1: match: OpenSSH_2.5.2p1 pat ^OpenSSH
> Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_2.5.2p1
> debug1: send KEXINIT
> debug1: done
> debug1: wait KEXINIT
> debug1: got
> kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> debug1: got kexinit: ssh-dss
> debug1: got
> kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
> debug1: got
> kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
> debug1: got
> kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug1: got
> kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug1: got kexinit: none,zlib
> debug1: got kexinit: none,zlib
> debug1: got kexinit:
> debug1: got kexinit:
> debug1: first kex follow: 0
> debug1: reserved: 0
> debug1: done
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: Sending SSH2_MSG_KEX_DH_GEX_REQUEST.
> debug1: Wait SSH2_MSG_KEX_DH_GEX_GROUP.
> debug1: Got SSH2_MSG_KEX_DH_GEX_GROUP.
> debug1: dh_gen_key: priv key bits set: 133/256
> debug1: bits set: 998/2049
> debug1: Sending SSH2_MSG_KEX_DH_GEX_INIT.
> debug1: Wait SSH2_MSG_KEX_DH_GEX_REPLY.
> debug1: Got SSH2_MSG_KEXDH_REPLY.
> debug1: Host 'dtadmin' is known and matches the DSA host key.
> debug1: Found key in /home/user42/swares/.ssh/known_hosts2:1
> debug1: bits set: 1018/2049
> debug1: len 55 datafellows 0
> debug1: ssh_dss_verify: signature correct
> debug1: Wait SSH2_MSG_NEWKEYS.
> debug1: GOT SSH2_MSG_NEWKEYS.
> debug1: send SSH2_MSG_NEWKEYS.
> debug1: done: send SSH2_MSG_NEWKEYS.
> debug1: done: KEX2.
> debug1: send SSH2_MSG_SERVICE_REQUEST
> debug1: service_accept: ssh-userauth
> debug1: got SSH2_MSG_SERVICE_ACCEPT
> debug1: authentications that can
> continue: publickey,password,keyboard-interactive
> debug1: next auth method to try is publickey
> debug1: try privkey: /home/user42/swares/.ssh/id_rsa
> debug1: try privkey: /home/user42/swares/.ssh/id_dsa
> debug1: next auth method to try is password
> swares at dtadmin's password:
> debug1: ssh-userauth2 successful: method password
> debug1: channel 0: new [client-session]
> debug1: send channel open 0
> debug1: Entering interactive session.
> debug1: client_init id 0 arg 0
> debug1: channel request 0: shell
> debug1: channel 0: open confirm rwindow 0 rmax 16384
>
> Scott Wares, Unix SysAdmin
> Tier II, Desktop Support
> 303-707-5479, swares at qwest.com
>
>
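The HMAC problem described in the FAQ text, as an added example that is not part of the original message or of any SSH code base: it shows why forcing hmac-md5 sidesteps the flaw while hmac-sha1 fails on every packet. It assumes the 128 bits in question are the MAC key taken from the key-derivation digest output; the function names and the sample key material are constructed for illustration.

```python
import hashlib
import hmac

FLAWED_KEY_BITS = 128  # the FAQ's "always provided 128 bits"

# Digest behind each MAC name; the MAC key is as long as the digest output.
MACS = {"hmac-md5": hashlib.md5, "hmac-sha1": hashlib.sha1}

# Constructed stand-in for the key material both peers derive after key exchange.
DERIVED = bytes(range(1, 33))


def mac_key(name, derived, flawed=False):
    """Return the MAC key a peer takes from the derived key material."""
    need = MACS[name]().digest_size              # 16 bytes for MD5, 20 for SHA-1
    if flawed:
        need = min(need, FLAWED_KEY_BITS // 8)   # flawed peer stops at 16 bytes
    # Assumption: the short key is used as-is (HMAC zero-pads it internally).
    return derived[:need]


def packet_mac(name, key, seqno, packet):
    """MAC over sequence number || packet, as the SSH transport layer computes it."""
    data = seqno.to_bytes(4, "big") + packet
    return hmac.new(key, data, MACS[name]).digest()


def interoperates(name, derived, seqno=0, packet=b"constructed sample packet"):
    """True if a flawed sender's MAC is accepted by a correct receiver."""
    sent = packet_mac(name, mac_key(name, derived, flawed=True), seqno, packet)
    want = packet_mac(name, mac_key(name, derived), seqno, packet)
    return hmac.compare_digest(sent, want)


if __name__ == "__main__":
    for name in MACS:
        verdict = "ok" if interoperates(name, DERIVED) else "MAC mismatch"
        print(f"{name}: {verdict}")
```

With MD5 the digest is already 128 bits, so both peers end up with the same key; with SHA-1 the last 32 bits of the key are missing on the flawed side and no packet verifies.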
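A triage sketch for the syslog lines in the quoted report, added here as an example and not part of the original message: it groups sshd dispatch errors by process ID and marks the sessions where the peer sent a key-exchange init mid-session, which is the rekeying case the FAQ text describes. The log lines are the ones from the report with the wrapped lines rejoined; the function name and the result layout are assumptions.

```python
import re

# SSH transport-layer message numbers relevant to the errors in the report.
# 20 starts a key exchange; 30 is the first key-exchange method message.
MSG_NAMES = {20: "SSH_MSG_KEXINIT", 21: "SSH_MSG_NEWKEYS", 30: "SSH_MSG_KEXDH_INIT"}

DISPATCH = re.compile(r"sshd\[(\d+)\]:.*dispatch protocol error: type (\d+)", re.I)
FATAL = re.compile(r"sshd\[(\d+)\]:.*fatal: .*rekeying is not supported")

# Log lines from the quoted report, wrapped syslog lines rejoined.
SAMPLE = """\
Mar 22 09:29:24 dtadmin sshd[11783]: [ID 800047 auth.error] error: Hm, dispatch protocol error: type 30 plen 132
Mar 22 10:30:25 dtadmin sshd[17083]: [ID 800047 auth.error] error: Hm, dispatch protocol error: type 20 plen 136
Mar 22 10:30:25 dtadmin sshd[17083]: [ID 800047 auth.crit] fatal: dispatch_protocol_error: rekeying is not supported
"""


def triage(log_text):
    """Group dispatch errors by sshd PID and flag sessions hit by a rekey attempt."""
    sessions = {}
    for line in log_text.splitlines():
        hit = DISPATCH.search(line)
        if hit:
            entry = sessions.setdefault(int(hit.group(1)), {"msgs": [], "killed": False})
            number = int(hit.group(2))
            entry["msgs"].append(MSG_NAMES.get(number, f"type {number}"))
        hit = FATAL.search(line)
        if hit:
            entry = sessions.setdefault(int(hit.group(1)), {"msgs": [], "killed": False})
            entry["killed"] = True
    for entry in sessions.values():
        # A KEXINIT arriving after the initial key exchange is a rekey request.
        entry["rekey"] = "SSH_MSG_KEXINIT" in entry["msgs"]
    return sessions


if __name__ == "__main__":
    for pid, entry in triage(SAMPLE).items():
        print(pid, entry)
```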






More information about the openssh-unix-dev mailing list