Debian Stretch 9.6: openssh-server and old dropbear client don't work togheter

owl700 at gmail.com owl700 at gmail.com
Sat Nov 24 03:03:38 AEDT 2018


Il giorno ven 23 nov 2018 alle ore 14:04 Stuart Henderson
<stu at spacehopper.org> ha scritto:
>
> On 2018/11/23 12:23, owl700 at gmail.com wrote:
> > Il giorno gio 22 nov 2018 alle ore 21:24 Stuart Henderson
> > <stu at spacehopper.org> ha scritto:
> > >
> > > On 2018/11/22 19:55, owl700 at gmail.com wrote:
> > > > Hi, I have compatibility issues with the latest version of
> > > > openssh-server and an old dropbear client, the dopbear client stops at
> > > > preauth
> > > >
> > > > ov 22 14:34:03  myhostname sshd[3905]: debug1: Client protocol version
> > > > 2.0; client software version dropbear_0.46
> > > > Nov 22 14:34:03 myhostname sshd[3905]: debug1: no match: dropbear_0.46
> > > > Nov 22 14:34:03 myhostname sshd[3905]: debug1: Local version string
> > > > SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u4
> > > > Nov 22 14:34:03 myhostname sshd[3905]: debug1: Enabling compatibility
> > > > mode for protocol 2.0
> > > > Nov 22 14:34:03 myhostname sshd[3905]: debug2: fd 3 setting O_NONBLOCK
> > > > Nov 22 14:34:03 myhostname sshd[3905]: debug2: Network child is on pid 3906
> > > > Nov 22 14:34:03 myhostname sshd[3905]: debug3: preauth child monitor started
> > > > Nov 22 14:34:03 myhostname sshd[3905]: debug3: privsep user:group
> > > > 106:65534 [preauth]
> > > > Nov 22 14:34:03 myhostname sshd[3905]: debug1: permanently_set_uid:
> > > > 106/65534 [preauth]
> > > > Nov 22 14:34:03 myhostname sshd[3905]: debug1: list_hostkey_types:
> > > > ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256 [preauth]
> > > > Nov 22 14:34:03 myhostname sshd[3905]: debug3: send packet: type 20 [preauth]
> > > > Nov 22 14:34:03 myhostname sshd[3905]: debug1: SSH2_MSG_KEXINIT sent [preauth]
> > > >
> > > > Can you help?
> > >
> > > That ~13-year-old version of dbclient only has weak key exchange methods -
> > > diffie-hellman-group1-sha1, "OpenSSH supports this method, but does not
> > > enable it by default because is weak and within theoretical range of the
> > > so-called Logjam attack" and diffie-hellman-group1-dss, disabled by default
> > > in OpenSSH in 2015.
> > >
> > > Also only weak CBC-mode ciphers, disabled by default in 2014.
> > >
> > > The right answer is to run a newer client.
> > >
> > > If there's no way to do that, least worst is probably to connect to
> > > a jump host on the LAN (locked-down as much as possible), running
> > > modern OpenSSH sshd but with weak kex/ciphers enabled, in this
> > > case you could use something like
> > >
> > > KexAlgorithms +diffie-hellman-group1-sha1
> > > Ciphers +aes128-cbc
> > >
> > > This is still not recommended, but at least you could keep the weak
> > > crypto off the internet this way.
> >
> > Thanks Stuart
> >
> > I have tried to use the right KexAlgorithm and Ciphers, but dropbear
> > client fail always
> >
> > myhostname sshd[3905]: debug1: SSH2_MSG_KEXINIT sent [preauth]
> >
> > There aren't other debug messages
> >
> > Only for test purpose i have add all options i can in
> > /etc/sshd_config, but nothing, what am I doing wrong?
> >
> > Ciphers 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,arcfour128,arcfour256,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com,chacha20-poly1305 at openssh.com
> > HostbasedAcceptedKeyTypes
> > ssh-ed25519,ssh-ed25519-cert-v01 at openssh.com,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa-cert-v01 at openssh.com,ssh-dss-cert-v01 at openssh.com,ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01 at openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com
> > HostKeyAlgorithms
> > ssh-ed25519,ssh-ed25519-cert-v01 at openssh.com,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa-cert-v01 at openssh.com,ssh-dss-cert-v01 at openssh.com,ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01 at openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com
> > KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,curve25519-sha256,curve25519-sha256 at libssh.org
> > MACs hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-512,hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-ripemd160 at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha1-etm at openssh.com,hmac-sha1-96-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-md5-etm at openssh.com,hmac-md5-96-etm at openssh.com,hmac-ripemd160-etm at openssh.com,umac-64-etm at openssh.com,umac-128-etm at openssh.com
> > PubkeyAcceptedKeyTypes
> > ssh-ed25519,ssh-ed25519-cert-v01 at openssh.com,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa-cert-v01 at openssh.com,ssh-dss-cert-v01 at openssh.com,ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01 at openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com
>
> Not sure, but I *was* able to connect from dropbear 0.46 dbclient
> with just the two lines I mentioned added to sshd_config (and config
> reloaded of course).
>
> When things didn't match up I did have error messages displayed by
> the client, which are likely to be more useful than server-side messages
> in this case.

I have installed debian 8.11 with SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u7
With this SSH version,and the 2 lines,dropbear 0.46 client works

Thanks


More information about the openssh-unix-dev mailing list