Problem SSHing to HP ILO SSH-2.0-mpSSH_0.1.0 with 5.8p1
Petr Cerny
pcerny at suse.cz
Sat May 21 02:00:05 EST 2011
Damien Miller wrote:
> On Wed, 18 May 2011, Espen Fjellvær Olsen wrote:
>
>> On 18. mai 2011 23:15, Damien Miller wrote:
>> > On Wed, 18 May 2011, Espen Fjellvær Olsen wrote:
>> >
>> > > Hi everyone,
>> > > We are recently seeing a problem with OpenSSH 5.8p1 and SSH to ILO cards
>> > > running SSH-2.0-mpSSH_0.1.0.
>> > > This has previously worked with OpenSSH 5.5p1 (last known version for us
>> > > to work).
>> > >
>> > > ssh ilohost -vvv gives the following on 5.8p1:
>> > Could you try
>> >
>> > ssh -vvv -oKexAlgorithms=diffie-hellman-group1-sha1 ilohost?
>> >
>> > If that doesn't work, try adding "-oServerHostkeyAlgorithms=ssh-rsa"
>> >
>> Aha,
>> Here's something;
>> -oKexAlgorithms=diffie-hellman-group1-sha1 did not work.
>> -oServerHostkeyAlgorithms=ssh-rsa wasn't recognized as an option, but
>> -oHostKeyAlgorithms=ssh-rsa on the other hand, did in fact work!
>
> ok, so HP's ILO SSH implementation is junk. Harmlessly ignoring unsupported
> algorithms is the very point of the initial SSH negotiation, so that the
> HP code gets this really basic thing wrong is hugely worrying - if they
> can't get the simple stuff right, what else have they botched?

mpSSH is not really the best SSH implementation around - among other
things it seems to fail when requested to set up an environment
variable, so be careful not to SendEnv anything to HP iLO.

Just for the record - we've had this issue reported from one of our
customers and the solution found has been:

$ ssh -vvv \
    -o PasswordAuthentication=yes \
    -o ChallengeResponseAuthentication=no \
    -o GSSAPIAuthentication=no \
    -o HostbasedAuthentication=no \
    -o PubkeyAuthentication=no \
    -o RSAAuthentication=no \
    -o Compression=no \
    -o ForwardAgent=no \
    -o ForwardX11=no \
    -o Ciphers=aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128 \
    -o HostKeyAlgorithms=ssh-rsa,ssh-dss \
    user@HP_iLO

Along with the patch (for v 5.1p1-):
date: 2008/11/03 08:20:14;
- markus at cvs.openbsd.org 2008/09/11 14:22:37
[compat.c compat.h nchan.c ssh.c]
only send eow and no-more-sessions requests to openssh 5 and newer;
fixes interop problems with broken ssh v2 implementations; ok djm@
Kind regards
Petr
--
Petr Cerny
Mozilla/OpenSSH maintainer for SUSE Linux
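
The negotiation rule referred to in the quoted reply above ("harmlessly ignoring unsupported algorithms"), as an added example that is not part of the original thread and is not OpenSSH or HP code: it parses the name-lists of an SSH_MSG_KEXINIT payload (RFC 4253, section 7.1) and, for each field, picks the first client name the server also lists. The extra conditions RFC 4253 places on key exchange and host key selection are left out, and the algorithm lists are constructed samples, not a capture from the iLO discussed here.

```python
import struct

SSH_MSG_KEXINIT = 20
# Order of the ten name-lists in a KEXINIT payload (RFC 4253, section 7.1).
FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def build_kexinit(lists):
    """Encode a KEXINIT payload; used here only to construct sample input."""
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)          # type + 16-byte cookie
    for field in FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        body += struct.pack(">I", len(names)) + names
    return body + b"\x00" + struct.pack(">I", 0)         # no guess, reserved

def parse_kexinit(payload):
    """Decode the ten name-lists, rejecting truncated or mistyped packets."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off, out = 17, {}
    for field in FIELDS:
        if off + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        if off + n > len(payload):
            raise ValueError("name-list runs past end of packet")
        raw = payload[off:off + n].decode("ascii")
        out[field] = raw.split(",") if raw else []
        off += n
    return out

def negotiate(client_payload, server_payload):
    """Per field: first client name the server also lists; unknown names are skipped."""
    client, server = parse_kexinit(client_payload), parse_kexinit(server_payload)
    chosen = {}
    for field in FIELDS[:8]:                             # language lists ignored
        offered = set(server[field])
        chosen[field] = next((a for a in client[field] if a in offered), None)
    return chosen

# Constructed sample: a client offering newer names first, a server knowing only old ones.
CLIENT = build_kexinit({
    "kex": ["ecdh-sha2-nistp256", "diffie-hellman-group1-sha1"],
    "hostkey": ["ssh-rsa-cert-v01@openssh.com", "ecdsa-sha2-nistp256", "ssh-rsa", "ssh-dss"],
    "enc_c2s": ["aes128-ctr", "aes128-cbc"], "enc_s2c": ["aes128-ctr", "aes128-cbc"]})
SERVER = build_kexinit({
    "kex": ["diffie-hellman-group1-sha1"], "hostkey": ["ssh-rsa", "ssh-dss"],
    "enc_c2s": ["aes128-cbc", "3des-cbc"], "enc_s2c": ["aes128-cbc", "3des-cbc"]})
```

A field that comes back as `None` means the two sides share no algorithm for it, which is the only case where a conforming peer should give up.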