Cisco vs. 6.9

Kash, Howard M CIV USARMY ARL (US) howard.m.kash.civ at mail.mil
Fri Jul 24 23:14:57 AEST 2015


> Many aging ciphers, hashes, and key exchanges are in the process of being
> retired.  <1kbit Diffie Hellman moduli have been removed as well in 6.9, I
> believe.
> 
> If the Ciscos rely on <1kbit DH moduli or SHA1/MD5 hash based proposals to
> work, that could be your problem.

We did not update the moduli file.


> A comparison of the two versions' output from: (ssh -Q kex ; ssh -Q mac ; ssh
> -Q cipher) MAY help narrow it down

Outputs are identical other than 6.7 prints diffie-hellman-group1-sha1
twice.


> but I think you'll need to enable protocol
> debug logging on the server side and see which proposals that the Cisco is
> using that's no longer available in 6.9 (by default).  You may just need to
> add two or three lines to 6.9's sshd_config file, i.e.,
> KexAlgorithms/MACs/Ciphers.

It doesn't appear to be a kex, mac, or cipher issue as the problem is
occurring after successful password authentication.  Here's the debug output
from initial connection to termination:

Connection from A.B.C.D port 57737 on E.F.G.H port 22
debug1: Client protocol version 2.0; client software version Cisco-1.25
debug1: match: Cisco-1.25 pat Cisco-1.* compat 0x40000000
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.9p1
debug2: fd 3 setting O_NONBLOCK
debug2: Network child is on pid 7677
debug3: preauth child monitor started
debug3: privsep user:group 99:99 [preauth]
debug1: permanently_set_uid: 99/99 [preauth]
debug1: list_hostkey_types: ssh-rsa,ssh-dss [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: AUTH STATE IS 0 [preauth]
debug2: kex_parse_kexinit: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 [preauth]
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss [preauth]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc [preauth]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc [preauth]
debug2: kex_parse_kexinit: hmac-sha1 [preauth]
debug2: kex_parse_kexinit: hmac-sha1 [preauth]
debug2: kex_parse_kexinit: none,zlib@openssh.com [preauth]
debug2: kex_parse_kexinit: none,zlib@openssh.com [preauth]
debug2: kex_parse_kexinit:  [preauth]
debug2: kex_parse_kexinit:  [preauth]
debug2: kex_parse_kexinit: first_kex_follows 0  [preauth]
debug2: kex_parse_kexinit: reserved 0  [preauth]
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
debug2: kex_parse_kexinit: ssh-rsa [preauth]
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc [preauth]
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc [preauth]
debug2: kex_parse_kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: none [preauth]
debug2: kex_parse_kexinit: none [preauth]
debug2: kex_parse_kexinit:  [preauth]
debug2: kex_parse_kexinit:  [preauth]
debug2: kex_parse_kexinit: first_kex_follows 0  [preauth]
debug2: kex_parse_kexinit: reserved 0  [preauth]
debug1: REQUESTED ENC.NAME is '3des-cbc' [preauth]
debug1: kex: client->server 3des-cbc hmac-sha1 none [preauth]
debug1: REQUESTED ENC.NAME is '3des-cbc' [preauth]
debug1: kex: server->client 3des-cbc hmac-sha1 none [preauth]
debug2: bits set: 974/2048 [preauth]
debug1: expecting SSH2_MSG_KEXDH_INIT [preauth]
debug2: bits set: 1077/2048 [preauth]
debug3: mm_key_sign entering [preauth]
debug3: mm_request_send entering: type 6 [preauth]
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN [preauth]
debug3: mm_request_receive_expect entering: type 7 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 6
debug3: mm_answer_sign
debug3: mm_answer_sign: hostkey proof signature 0x7fd190fb2a60(271)
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug2: set_newkeys: mode 1 [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug2: set_newkeys: mode 0 [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user username service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug3: mm_getpwnamallow entering [preauth]
debug3: mm_request_send entering: type 8 [preauth]
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth]
debug3: mm_request_receive_expect entering: type 9 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 8
debug3: mm_answer_pwnamallow
debug2: parse_server_config: config reprocess config len 1176
[list of tokens removed for brevity]
debug3: auth_shadow_acctexpired: today 16640 sp_expire -1 days left -16641
debug3: account expiration disabled
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 9
debug2: monitor_read: 8 used once, disabling now
debug2: input_userauth_request: setting up authctxt for username [preauth]
debug3: mm_inform_authserv entering [preauth]
debug3: mm_request_send entering: type 4 [preauth]
debug3: mm_auth2_read_banner entering [preauth]
debug3: mm_request_send entering: type 10 [preauth]
debug3: mm_request_receive_expect entering: type 11 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 4
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 4 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 10
debug3: mm_request_send entering: type 11
debug2: monitor_read: 10 used once, disabling now
debug1: userauth_send_banner: sent [preauth]
debug2: input_userauth_request: try method none [preauth]
debug3: userauth_finish: failure partial=0 next methods="gssapi-keyex,gssapi-with-mic,password" [preauth]
debug1: userauth-request for user username service ssh-connection method password [preauth]
debug1: attempt 1 failures 0 [preauth]
debug2: input_userauth_request: try method password [preauth]
debug3: mm_auth_password entering [preauth]
debug3: mm_request_send entering: type 12 [preauth]
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD [preauth]
debug3: mm_request_receive_expect entering: type 13 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 12
debug1: temporarily_use_uid: 934/55 (e=0/0)
debug1: restore_uid: 0/0
debug3: mm_answer_authpassword: sending result 1
debug3: mm_request_send entering: type 13
Accepted password for username from A.B.C.D port 57737 ssh2
debug1: monitor_child_preauth: username has been authenticated by privileged process
debug3: mm_get_keystate: Waiting for new keys
debug3: mm_request_receive_expect entering: type 26
debug3: mm_request_receive entering
debug3: mm_get_keystate: GOT new keys
debug3: mm_auth_password: user authenticated [preauth]
debug3: mm_request_send entering: type 26 [preauth]
debug3: mm_send_keystate: Finished sending state [preauth]
debug1: monitor_read_log: child log fd closed
debug3: mm_share_sync: Share sync
debug3: mm_share_sync: Share sync end
debug1: temporarily_use_uid: 934/55 (e=0/0)
debug1: ssh_gssapi_storecreds: Not a GSSAPI mechanism
debug1: restore_uid: 0/0
User child is on pid 7678
debug1: permanently_set_uid: 934/55
debug3: monitor_apply_keystate: packet_set_state
debug2: set_newkeys: mode 0
debug2: set_newkeys: mode 1
debug1: ssh_packet_set_postauth: called
debug3: ssh_packet_set_state: done
debug3: notify_hostkeys: key 1: ssh-rsa SHA256:XXXXXXXXX
debug3: notify_hostkeys: key 2: ssh-dss SHA256:XXXXXXXXX
debug3: notify_hostkeys: sent 2 hostkeys
debug1: Entering interactive session for SSH2.
debug2: fd 5 setting O_NONBLOCK
debug2: fd 6 setting O_NONBLOCK
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 3 win 8192 max 4096
debug1: input_session_request
debug1: channel 0: new [server-session]
debug2: session_new: allocate (allocated 0 max 10)
debug3: session_unused: session id 0 unused
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
Connection closed by A.B.C.D
debug1: channel 0: free: server-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 server-session (t10 r3 i0/0 o0/0 fd -1/-1 cc -1)

debug1: session_close: session 0 pid 0
debug3: session_unused: session id 0 unused
debug1: do_cleanup
debug1: krb5_cleanup_proc called
Transferred: sent 3680, received 816 bytes
Closing connection to A.B.C.D port 57737
debug3: mm_request_send entering: type 50
debug3: mm_request_receive entering
debug3: monitor_read: checking request 50
debug3: mm_answer_term: tearing down sessions


Howard
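The thread's diagnostic approach, comparing the two KEXINIT proposals in the sshd debug output and noting that the close happens only after authentication and channel confirmation, can be done mechanically. The script below is an added example written for this page; it is not code from the thread, from OpenSSH or from Cisco. Its sample input is a trimmed copy of the transcript above with the mailer's line wrapping undone and the "at" that the list archive substituted for "@" restored in the libssh.org/openssh.com names. The selection rule it applies (first name on the client's list that the server also offers) is the one RFC 4253 section 7.1 specifies and OpenSSH implements; the milestone markers in PHASES and the list of "legacy" algorithm names are my own assumptions, chosen to match the lines in this log.

```python
# Constructed sample: the sshd -ddd transcript from the message above, trimmed to the
# lines the parser needs, with wrapped lines re-joined and "@" restored.
SAMPLE_LOG = """\
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug2: kex_parse_kexinit: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 [preauth]
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss [preauth]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc [preauth]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc [preauth]
debug2: kex_parse_kexinit: hmac-sha1 [preauth]
debug2: kex_parse_kexinit: hmac-sha1 [preauth]
debug2: kex_parse_kexinit: none,zlib@openssh.com [preauth]
debug2: kex_parse_kexinit: none,zlib@openssh.com [preauth]
debug2: kex_parse_kexinit:  [preauth]
debug2: kex_parse_kexinit:  [preauth]
debug2: kex_parse_kexinit: first_kex_follows 0  [preauth]
debug2: kex_parse_kexinit: reserved 0  [preauth]
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
debug2: kex_parse_kexinit: ssh-rsa [preauth]
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc [preauth]
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc [preauth]
debug2: kex_parse_kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: none [preauth]
debug2: kex_parse_kexinit: none [preauth]
debug2: kex_parse_kexinit:  [preauth]
debug2: kex_parse_kexinit:  [preauth]
debug2: kex_parse_kexinit: first_kex_follows 0  [preauth]
debug2: kex_parse_kexinit: reserved 0  [preauth]
debug1: kex: client->server 3des-cbc hmac-sha1 none [preauth]
debug1: kex: server->client 3des-cbc hmac-sha1 none [preauth]
debug1: KEX done [preauth]
Accepted password for username from A.B.C.D port 57737 ssh2
debug1: Entering interactive session for SSH2.
debug1: server_input_channel_open: confirm session
Connection closed by A.B.C.D
"""

PREFIX = "debug2: kex_parse_kexinit:"

# The ten name-lists of SSH2_MSG_KEXINIT in the order sshd prints them (RFC 4253 section 7.1).
FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

# Connection milestones in log order; the marker strings are assumptions matched to this log.
PHASES = [
    ("kexinit received", "SSH2_MSG_KEXINIT received"),
    ("kex done", "KEX done"),
    ("authenticated", "Accepted "),
    ("session entered", "Entering interactive session"),
    ("channel confirmed", "server_input_channel_open: confirm session"),
]


def _kexinit_body(line):
    """Payload of a kex_parse_kexinit line without its [preauth] tag, or None for other lines."""
    if not line.startswith(PREFIX):
        return None
    body = line[len(PREFIX):].strip()
    if body.endswith("[preauth]"):
        body = body[: -len("[preauth]")].strip()
    return body


def parse_proposals(log_text):
    """Return (server, client) proposals: sshd logs its own KEXINIT first, then the client's."""
    lists = []
    for line in log_text.splitlines():
        body = _kexinit_body(line)
        if body is None or body.startswith(("first_kex_follows", "reserved")):
            continue
        lists.append([name for name in body.split(",") if name])  # empty list for empty name-lists
    if len(lists) != 2 * len(FIELDS):
        raise ValueError(f"expected {2 * len(FIELDS)} name-lists, found {len(lists)}")
    return dict(zip(FIELDS, lists[:len(FIELDS)])), dict(zip(FIELDS, lists[len(FIELDS):]))


def negotiate(server, client):
    """RFC 4253 rule: the first name on the client's list that the server also offers wins."""
    chosen = {}
    for field in FIELDS:
        if field.startswith("lang"):
            continue  # language lists are informational and are usually empty
        pick = next((name for name in client[field] if name in server[field]), None)
        if pick is None:
            raise ValueError(f"no common {field}: client {client[field]} vs server {server[field]}")
        chosen[field] = pick
    return chosen


def legacy_offers(proposal):
    """Names in a proposal that newer OpenSSH defaults tend to drop (heuristic: CBC, MD5/96-bit MACs, group1)."""
    legacy = {"diffie-hellman-group1-sha1", "hmac-md5", "hmac-md5-96", "hmac-sha1-96"}
    return sorted({n for names in proposal.values() for n in names
                   if n in legacy or n.endswith("-cbc")})


def last_phase(log_text):
    """Furthest milestone the transcript reached; tells you whether a close is a crypto or a post-auth problem."""
    reached = -1
    for line in log_text.splitlines():
        for idx, (_, marker) in enumerate(PHASES):
            if marker in line:
                reached = max(reached, idx)
    return PHASES[reached][0] if reached >= 0 else "connected"


if __name__ == "__main__":
    server, client = parse_proposals(SAMPLE_LOG)
    for field, name in negotiate(server, client).items():
        print(f"{field:9} -> {name}")
    print("client legacy offers:", ", ".join(legacy_offers(client)))
    print("last milestone before close:", last_phase(SAMPLE_LOG))
```

Run against the transcript, the computed choices match the `debug1: kex:` lines the server actually logged (3des-cbc / hmac-sha1 / none, with diffie-hellman-group14-sha1 as the only 2048-bit group both sides share), and the last milestone is the channel confirmation after a successful password login. That reproduces Howard's reasoning in code: every category has an overlap, so the close is not a KexAlgorithms/MACs/Ciphers mismatch. The `legacy_offers` report is the defender's companion to the "add two or three lines to sshd_config" advice: it lists exactly which client-side offers depend on algorithms that default configurations are retiring, so you can weigh re-enabling them against upgrading the device.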