one host only: ssh_dispatch_run_fatal

Harry Putnam reader at newsguy.com
Wed Nov 9 00:02:12 AEDT 2016


Darren Tucker <dtucker at zip.com.au> writes:

> On Tue, Nov 8, 2016 at 3:30 PM, Harry Putnam <reader at newsguy.com> wrote:
> [...]
>> After having 7.3p1 & 6.8p1 fail with same wording... I tried 6.7p1 and
>> find it fails with what looks like the same problem but has slightly
>> different wording.
>
> I set up the same versions (server:OpenSSH_6.6p1, OpenSSL 1.0.1s  1
> Mar 2016, client: OpenSSH_7.3p1, OpenSSL 1.0.1s  1 Mar 2016) on Linux
> to try to reproduce it but failed.
>
> ./ssh -p 2022 -vvv -o ciphers=chacha20-poly1305 at openssh.com -o
> kexalgorithms=diffie-hellman-group-exchange-sha256 localhost
> [...]
> debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
> debug1: kex: host key algorithm: ssh-ed25519
> debug1: kex: server->client cipher: chacha20-poly1305 at openssh.com MAC:
> <implicit> compression: none
> debug1: kex: client->server cipher: chacha20-poly1305 at openssh.com MAC:
> <implicit> compression: none

>From another post Darren Tucker wrote:

> > That's because the 6.4 client doesn't do the problematic
> > ssh-ed25519 host key algorithm.  You'll probably see the same
> > thing with the newer clients if you set HostKeyAlgorithms in the
> > client's ssh_config like I suggested in my first reply (or
> > remove/rename the ed25519 host key file on the server, I think
> > that version is before you could set HostKeyAlgorithms).

I'm sorry if by not doing that I tied you up in this thread but I did
not understand how that would be done.

> Can you tell me more about the server?  You said it's Solaris, but is
> it SPARC or x86?  What OpenSSL version is it?

x86

uname -a SunOS 2x 5.11 oi_151a9 i86pc i386 i86pc

It is an off shoot of Oracle Solaris named openindiana.

Running OpenSSH_6.6, OpenSSL 1.0.1u  22 Sep 2016.

Provided from the OpenCSW project that builds some solaris pkgs.

The last line of sshd_config must be the killer:
  `kexAlgorithms diffie-hellman-group-exchange-sha1'

# grep -v '^#\|^$' /etc/ssh/sshd_config
Protocol 2
Port 22
ListenAddress ::
GatewayPorts no
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
PrintMotd no
KeepAlive yes
SyslogFacility auth
LogLevel info
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
KeyRegenerationInterval 3600
StrictModes yes
LoginGraceTime 600
MaxAuthTries    6
MaxAuthTriesLog 3
PermitEmptyPasswords no
PasswordAuthentication yes
PermitRootLogin yes
Subsystem       sftp    internal-sftp
IgnoreRhosts yes
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
kexAlgorithms diffie-hellman-group-exchange-sha1

-------       -------       ---=---       -------       -------

Now having reinstalled ssh-7.3p1-r7 with gentoo's build patches
and with the:
  `kexAlgorithms diffie-hellman-group-exchange-sha1'

Line removed It all works.
Does seem odd that several other ssh 6.6p1 on the lan had no trouble
connecting to 2x even with the kexAlgorithms line in its config.

Sorry about the line noise . . .

gv harry > ssh -vv 2x

OpenSSH_7.3p1-hpn14v11, OpenSSL 1.0.2j  26 Sep 2016

[...]

debug1: Next authentication method: publickey
debug1: Trying private key: /home/harry/.ssh/id_rsa
debug1: Trying private key: /home/harry/.ssh/id_dsa
debug1: Trying private key: /home/harry/.ssh/id_ed25519
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password



More information about the openssh-unix-dev mailing list