topic Re: openssh problem on UX-11 in Operating System - HP-UX

openssh problem on UX-11

Brian Bergstrand — Wed, 11 Apr 2001 19:33:25 GMT

I installed OpenSSH 2.5.1 from the depot I got from the UX archive at <>. The problem is, I can only connect to the server in ssh 1 mode. Using ssh2 mode (with a DSA key) results in a 'Bad packet length' error.

The server is running UX 11.11 TCOE and OpenSSL 0.9.6 24 Sep 2000. I have tried connecting from RedHat 7 and Mac OS X both running OpenSSH 2.5.2p2. and OpenSSL 0.9.5a 1 Apr 2000.

Here is a debug session:
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.5.1p1
debug1: match: OpenSSH_2.5.1p1 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_2.5.2p2
debug1: send KEXINIT
debug1: done
debug1: wait KEXINIT
debug1: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug1: got kexinit: ssh-dss
debug1: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug1: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug1: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug1: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug1: got kexinit: none,zlib
debug1: got kexinit: none,zlib
debug1: got kexinit:
debug1: got kexinit:
debug1: first kex follow: 0
debug1: reserved: 0
debug1: done
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: Sending SSH2_MSG_KEX_DH_GEX_REQUEST.
debug1: Wait SSH2_MSG_KEX_DH_GEX_GROUP.
debug1: Got SSH2_MSG_KEX_DH_GEX_GROUP.
debug1: dh_gen_key: priv key bits set: 133/256
debug1: bits set: 1046/2049
debug1: Sending SSH2_MSG_KEX_DH_GEX_INIT.
debug1: Wait SSH2_MSG_KEX_DH_GEX_REPLY.
debug1: Got SSH2_MSG_KEXDH_REPLY.
debug1: Host '131.156.180.18' is known and matches the DSA host key.
debug1: Found key in /Users/brian/.ssh/known_hosts2:3
debug1: bits set: 1037/2049
debug1: len 55 datafellows 0
debug1: ssh_dss_verify: signature correct
debug1: Wait SSH2_MSG_NEWKEYS.
debug1: GOT SSH2_MSG_NEWKEYS.
debug1: send SSH2_MSG_NEWKEYS.
debug1: done: send SSH2_MSG_NEWKEYS.
debug1: done: KEX2.
debug1: send SSH2_MSG_SERVICE_REQUEST
58 ee 47 6d ee 5e cc 79 37 b1 b0 6d 52 ee ae 4e
Disconnecting: Bad packet length 1492010861.

Anyone know what is going on? I would like to upgrade to OpenSSH 2.5.2p2 on the server, but I can't find a depot for it anywhere.

Thanks

Re: openssh problem on UX-11

Vincent Stedema — Thu, 12 Apr 2001 06:51:59 GMT

Brian,

Do you have a "HostKey /etc/ssh_host_dsa_key" entry in your sshd_config?

It is needed by OpenSSH version 2.5.1..

Vincent

Re: openssh problem on UX-11

Brian Bergstrand — Thu, 12 Apr 2001 12:32:46 GMT

Yes, I do have a DSA key file. Here are the relevant bits of my sshd_config file.

Port 22
Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /opt/openssh2/etc/ssh_host_key
HostKey /opt/openssh2/etc/ssh_host_dsa_key
#HostKey /opt/openssh2/etc/ssh_host_rsa_key
ServerKeyBits 1024

All of the listed files exist in the dir..

Thanks.

Re: openssh problem on UX-11

Vincent Stedema — Thu, 12 Apr 2001 13:42:14 GMT

Brian,

What happens if you put a comment before the "HostKey /opt/openssh2/etc/ssh_host_key" entry and just use the "HostKey /opt/openssh2/etc/ssh_host_dsa_key" entry?

Vincent

Re: openssh problem on UX-11

Brian Bergstrand — Thu, 12 Apr 2001 14:36:59 GMT

If I comment out the ssh_host_key file, the ssh 1 protocol is disabled (what I though would happen). The server will then only allow protocol 2 connections (which don't work).

Re: openssh problem on UX-11

Alexander Peslyak — Thu, 12 Apr 2001 20:47:05 GMT

Here's the story:

Until recently (2.5.2+), OpenSSH had a bug in AES support on big-endian architectures (such as PA-RISC under HP-UX). However, the OpenSSH client prior to 2.5.2 used 3DES rather than AES by default (all this applies to SSH-2 only). That default was changed to the use of AES between 2.5.1 and 2.5.2. Then, after 2.5.2p2, there was one more relevant change: the OpenSSH client will now detect the buggy server versions (2.3.0 to 2.5.1) and not use AES/Rijndael when speaking to them:

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/compat.c.diff?r1=1.39&r2=1.40

(this is only a small part of the change).

Red Hat incorporates this later patch (but not its final version) in their 2.5.2p2-1.7 errata package.

So your options are:

1. Tell the client to use a cipher other than AES/Rijndael. You can use the "-c 3des" command line option, or "Cipher 3des" in either /etc/ssh_config (possibly /etc/ssh/ssh_config) or ~/.ssh/config.

2. Patch the client to current CVS version (tricky).

3. You haven't mentioned whether you're using the Red Hat package or built the 2.5.2p2 yourself. You could try the package, which has a chance to work (but doesn't have to).

Of course, there may be problems other than this one, but what you have now shouldn't work. ;-)

Re: openssh problem on UX-11

Brian Bergstrand — Fri, 13 Apr 2001 12:29:55 GMT

Thanks for an explanation of the problem. The -c option did the trick. I wish someone would release a depot for 2.5.2p2. (I have been trying to compile it myself, but am having trouble with aCC.)

Thanks again.