Re: Unable to SSH to iLO2 with OpenSSH 6.2

sl4mmy
Occasional Advisor

Re: Unable to SSH to iLO2 with OpenSSH 6.2

Hi, Oscar-

 

I posted a general question on the OpenSSH dev list about compatibility with memory-constrained embedded SSH implementations.

 

However, after taking a look at some of the relevant standards I don't think this can be fairly called an OpenSSH problem.  Reading RFC 4253 sections 6.2 - 6.5 it seems the standard allows for additional compression algorithms, encryption algorithms, key exchange methods, etc. in the future.  Also, section 7 doesn't say anything further about maximum payload size during key exchange so I assume only the requirements from section 6.1 apply.  Looking at the conversation between my OpenSSH client and an iLO2 interface running firmware v2.15 it looks like the largest packet is only 1.4k, far short of the 35k max size that implementations must support.  So while I realize there is limited memory for iLO2, it really sounds like mpSSH's responsibility to handle large payloads and ignore unknown algorithms, etc.

 

I hope that doesn't come across as too snarky.  Thanks again for your help with this issue!

 

Best,

Kent

 

Oscar A. Perez
Honored Contributor

Re: Unable to SSH to iLO2 with OpenSSH 6.2

Thanks for that info.

 

mpSSH in iLO2 v2.15 would only handle 1280 bytes payload during key exchange. I increased that to 2Kb in version 2.20 (ETA later this month) and there isn't an easy way I could prevent mpSSH from disconnecting on packets larger than 2Kb without making significant changes to the code. 

 

I forgot to debug why the workaround of using the option "HostKeyAlgorithms=ssh-rsa" isn't working anymore. Not sure if the option got broken in OpenSSH 6.2p1 or there is something else going on within mpSSH. I will take a look because, looking forward, this option might be the only way to connect to iLO2 if OpenSSH increases the payload beyond 2Kb.




__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!
sl4mmy
Occasional Advisor
Solution

Re: Unable to SSH to iLO2 with OpenSSH 6.2

Hi, Oscar-

 

Ah-ha!  Your message just triggered an idea, and sure enough: it works!  :)

 

The -o HostKeyAlgorithms=ssh-rsa option doesn't work anymore with OpenSSH 6.2p1 because it's insufficient to keep the key exchange payload small enough for mpSSH to handle.  Some other value during key exchange has grown enough that the payload is still over the 1280 byte limit.  Looking at the output from a failed connection attempt the list of MAC algorithms sent by the client is the largest.

 

Sure enough, OpenSSH 6.2 is able to connect successfully when configured to only offer hmac-sha1:

 

$ ssh -vvv -o MACs=hmac-sha1 ilo01

OpenSSH_6.2p1, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /home/sl4mmy/.ssh/config
debug1: /home/sl4mmy/.ssh/config line 15: Applying options for ilo*
debug1: /home/sl4mmy/.ssh/config line 24: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to ilo01 [192.168.254.11] port 22.
debug2: fd 3 setting O_NONBLOCK
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug3: timeout: 999 ms remain after connect
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version mpSSH_0.1.1
debug1: no match: mpSSH_0.1.1
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "ilo01" from file "/home/sl4mmy/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/sl4mmy/.ssh/known_hosts:274
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-sha1
debug2: kex_parse_kexinit: hmac-sha1
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-sha1
debug1: kex: server->client aes128-cbc hmac-sha1 none
debug2: mac_setup: found hmac-sha1
debug1: kex: client->server aes128-cbc hmac-sha1 none
debug2: dh_gen_key: priv key bits set: 168/320
debug2: bits set: 557/1024
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Server host key: RSA 84:ee:9f:9c:2e:46:8f:10:2d:30:07:5c:eb:94:a8:b4
debug3: load_hostkeys: loading entries for host "ilo01" from file "/home/sl4mmy/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/sl4mmy/.ssh/known_hosts:274
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "192.168.254.11" from file "/home/sl4mmy/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/sl4mmy/.ssh/known_hosts:278
debug3: load_hostkeys: loaded 1 keys
debug1: Host 'ilo01' is known and matches the RSA host key.
debug1: Found key in /home/sl4mmy/.ssh/known_hosts:274
debug2: bits set: 523/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
...

 

 

So, long story short, I still believe the long term fix is to figure out how to make mpSSH handle larger payloads during key exchange more gracefully, but as a work-around it seems that whenever OpenSSH adds support for new algorithms users should explicitly use a subset of the algorithms that are known to work with mpSSH.  Perhaps you can recommend a canonical set of algorithms for each type that will always be guaranteed to work, for example:

 

$ ssh -o HostKeyAlgorithms=ssh-rsa,ssh-dss -o KexAlgorithms=diffie-hellman-group1-sha1 -o Ciphers=aes128-cbc,3des-cbc -o MACs=hmac-md5,hmac-sha1 username@ilo-hostname
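To put numbers on the payload argument above, here is an added example (mine, not code from sl4mmy, Oscar or HP) that builds the SSH_MSG_KEXINIT payload exactly as RFC 4253 section 7.1 lays it out, fills it with the name-lists visible in the debug output, and measures it against the 1280-byte limit quoted for mpSSH in iLO2 v2.15. The OpenSSH 6.2 default MAC list never appears in the thread, so MACS_62_DEFAULT is my reconstruction and an assumption; the other lists are copied from the log.

```python
import struct

# Limit stated in the thread: mpSSH in iLO2 v2.15 accepts 1280 bytes of payload
# during key exchange (raised to 2Kb in v2.20).
MPSSH_V215_LIMIT = 1280

def name_list(names):
    """RFC 4251 name-list: uint32 length + comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data

def kexinit_payload(kex, hostkey, ciphers, macs,
                    compression=("none", "zlib@openssh.com", "zlib")):
    """SSH_MSG_KEXINIT payload per RFC 4253 section 7.1 (cookie zeroed: only its length matters)."""
    # Ciphers, MACs and compression are sent once per direction; language lists are empty.
    lists = [kex, hostkey, ciphers, ciphers, macs, macs, compression, compression, (), ()]
    body = bytes([20]) + bytes(16)  # message number SSH_MSG_KEXINIT, 16-byte cookie
    for names in lists:
        body += name_list(names)
    return body + bytes([0]) + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

def fits_mpssh(kex, hostkey, ciphers, macs):
    """Return (payload size, True if it fits the v2.15 limit)."""
    size = len(kexinit_payload(kex, hostkey, ciphers, macs))
    return size, size <= MPSSH_V215_LIMIT
# Name-lists the OpenSSH 6.2 client offered in the debug output above.
KEX_62 = ("ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
          "diffie-hellman-group-exchange-sha256", "diffie-hellman-group-exchange-sha1",
          "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1")
HOSTKEY_62 = ("ssh-rsa-cert-v01@openssh.com", "ssh-rsa-cert-v00@openssh.com", "ssh-rsa",
              "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ecdsa-sha2-nistp384-cert-v01@openssh.com",
              "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ssh-dss-cert-v01@openssh.com",
              "ssh-dss-cert-v00@openssh.com", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
              "ecdsa-sha2-nistp521", "ssh-dss")
CIPHERS_62 = ("aes128-ctr", "aes192-ctr", "aes256-ctr", "arcfour256", "arcfour128",
              "aes128-gcm@openssh.com", "aes256-gcm@openssh.com", "aes128-cbc", "3des-cbc",
              "blowfish-cbc", "cast128-cbc", "aes192-cbc", "aes256-cbc", "arcfour",
              "rijndael-cbc@lysator.liu.se")
# Assumption: the thread never shows the 6.2 default MAC list; this is my reconstruction.
_BASE_MACS = ("hmac-md5", "hmac-sha1", "umac-64", "umac-128", "hmac-sha2-256",
              "hmac-sha2-512", "hmac-ripemd160", "hmac-sha1-96", "hmac-md5-96")
MACS_62_DEFAULT = tuple(m + "-etm@openssh.com" for m in _BASE_MACS) + (
    "hmac-md5", "hmac-sha1", "umac-64@openssh.com", "umac-128@openssh.com", "hmac-sha2-256",
    "hmac-sha2-512", "hmac-ripemd160", "hmac-ripemd160@openssh.com", "hmac-sha1-96", "hmac-md5-96")
# The restricted set from the ssh command line above.
MPSSH_SET = (("diffie-hellman-group1-sha1",), ("ssh-rsa", "ssh-dss"),
             ("aes128-cbc", "3des-cbc"), ("hmac-md5", "hmac-sha1"))

if __name__ == "__main__":
    print("MACs=hmac-sha1:", fits_mpssh(KEX_62, HOSTKEY_62, CIPHERS_62, ("hmac-sha1",)))
    print("restricted set:", fits_mpssh(*MPSSH_SET))
```

With the reconstructed MAC list, the 6.2 defaults overshoot the limit even when HostKeyAlgorithms is cut down to ssh-rsa alone, while the MACs=hmac-sha1 run from the log comes in well under it, which matches what the debug output shows.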

Oscar A. Perez
Honored Contributor

Re: Unable to SSH to iLO2 with OpenSSH 6.2

Awesome!

 

You're pretty much showing all what is supported by mpSSH:

 

HostKeyAlgorithms: ssh-rsa, ssh-dss

KexAlgorithms: diffie-hellman-group1-sha1

Ciphers: aes128-cbc, 3des-cbc

MACs: hmac-md5, hmac-sha1

 

I will add this info to the Customer Advisory. :)




Oscar A. Perez
Honored Contributor

Re: Unable to SSH to iLO2 with OpenSSH 6.2

Fixed in iLO2 version 2.20

http://h30499.www3.hp.com/t5/ITRC-Remote-Lights-Out-Mgmt-iLO/iLO-2-Firmware-version-2-20-released/td-p/6067313



sl4mmy
Occasional Advisor

Re: Unable to SSH to iLO2 with OpenSSH 6.2

Hi, Oscar-

 

That's great, thanks for releasing the fix so quickly!

Renaud_
New Member

Re: Unable to SSH to iLO2 with OpenSSH 6.2

What I have done is put the following in the profile file, and it works with OpenSSH 6.2. You only have to use ilossh instead of ssh to log in.

I know that the problem is in the server, not the client, but that helps if you need to access older machines for which the ILO patch is not available.

 

alias ilossh='ssh -o PasswordAuthentication=yes \
-o ChallengeResponseAuthentication=no \
-o GSSAPIAuthentication=no \
-o HostbasedAuthentication=no \
-o PubkeyAuthentication=no \
-o RSAAuthentication=no \
-o Compression=no \
-o ForwardAgent=no \
-o ForwardX11=no \
-o KexAlgorithms=diffie-hellman-group1-sha1 \
-o MACs=hmac-md5,hmac-sha1 \
-o Ciphers=aes128-cbc,3des-cbc \
-o HostKeyAlgorithms=ssh-rsa,ssh-dss '

 

ben-Nabiy
Occasional Advisor

Re: Unable to SSH to iLO2 with OpenSSH 6.2

I am currently running a DL380 G5 with iLO2 Advanced License

Current Firmware: 

1.35   07/16/2007

 

 

Am I able to upgrade the firmware to the 2.2 to overcome the SSH issue? If yes, do I need to step through the upgrades one by one?

 

I am afraid of ruining my currently working install (minus the ssh issue) to try updating if it is not going to work, and I have no way to bring it back to the current version.

Oscar A. Perez
Honored Contributor

Re: Unable to SSH to iLO2 with OpenSSH 6.2

No, you don't need to step through every upgrade one by one but, since I've never tested upgrading from such an old firmware version directly to a version 2.xx, I would advise you to write down all the important iLO2 configurations, including your advanced license key, and then upgrade that iLO2 to version 1.82.

If everything seems fine after upgrading to v1.82, then upgrading to version 2.23 should go smoothly.

 




ben-Nabiy
Occasional Advisor

Re: Unable to SSH to iLO2 with OpenSSH 6.2

Thank you for the prompt response.

 

I have downloaded the 2.2 firmware, but am unsure how to get the 1.82. The directory structure of

ftp://ftp.hp.com/pub/softlib2/software1/sc-linux-fw-ilo/p1285463034/v85709/

 

does not make it very evident.

 

If you could link me to the proper firmware for what you would recommend, I would much appreciate it!