sshd 5.6p1 does not accept connections in fips mode

Mon Sep 26 08:10:26 EST 2011

Hi,

I was trying to run sshd after applying the fips patches mentioned in

http://www.gossamer-threads.com/lists/engine?do=post_attachment;postatt_id=1835;list=openssh

but for some reason sshd refuses to accept the connection. I guess I do 
something terribly wrong. Is there a reason that this is bound to fail?

These 5.6 patches were the most recent I could find. Are there any fips 
patches for openssh 5.7, 5.8 or 5.9?

Thanks
Mats Tande

Here's what sshd says:

root at nougat /local/fips $ /local/fips/sbin/sshd -Dedddp2222
debug2: load_server_config: filename /local/fips/etc/sshd_config
debug2: load_server_config: done config len = 164
debug2: parse_server_config: config /local/fips/etc/sshd_config len 164
debug3: /local/fips/etc/sshd_config:111 setting Subsystem sftp 
/local/fips/libexec/sftp-server
***IN FIPS MODE***
debug1: sshd version OpenSSH_5.6p1
debug3: Not a RSA1 key file /local/fips/etc/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /local/fips/etc/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/local/fips/sbin/sshd'
debug1: rexec_argv[1]='-Dedddp2222'
debug3: oom_adjust_setup
Set /proc/self/oom_adj from 0 to -17
debug2: fd 3 setting O_NONBLOCK
debug3: sock_set_v6only: set socket 3 IPV6_V6ONLY
debug1: Bind to port 2222 on ::.
Server listening on :: port 2222.
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 2222 on 0.0.0.0.
Server listening on 0.0.0.0 port 2222.
debug3: fd 5 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 8 config len 164
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug3: recv_rexec_state: entering fd = 5
debug3: ssh_msg_recv entering
debug3: recv_rexec_state: done
debug2: parse_server_config: config rexec len 164
debug3: rexec:111 setting Subsystem sftp 
/local/fips/libexec/sftp-server
***IN FIPS MODE***
debug1: sshd version OpenSSH_5.6p1
debug3: Not a RSA1 key file /local/fips/etc/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /local/fips/etc/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: inetd sockets after dupping: 3, 3
Connection from 10.78.0.8 port 39056
debug1: Client protocol version 2.0; client software version OpenSSH_5.6
debug1: match: OpenSSH_5.6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.6
debug2: fd 3 setting O_NONBLOCK
debug2: FIPS rand reseeded
debug2: FIPS rand reseeded
debug3: privsep user:group 74:74
debug1: permanently_set_uid: 74/74
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug2: Network child is on pid 27955
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug1: do_cleanup

I test this using ssh, like this:

mats at nougat ~ $ /local/fips/bin/ssh -vvvp2222 nougat
OpenSSH_5.6p1, OpenSSL FIPS Object Module v1.2
debug1: Reading configuration data /local/fips/etc/ssh_config
debug1: *** IN FIPS MODE ***
debug2: ssh_connect: needpriv 0
debug1: Connecting to nougat [10.78.0.8] port 2222.
debug1: Connection established.
debug3: Not a RSA1 key file /home/mats/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/mats/.ssh/id_rsa type 1
debug1: identity file /home/mats/.ssh/id_rsa-cert type -1
debug1: identity file /home/mats/.ssh/id_dsa type -1
debug1: identity file /home/mats/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.6
debug1: match: OpenSSH_5.6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.6
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
Read from socket failed: Connection reset by peer