openssh problem on UX-11

 
Brian Bergstrand
Honored Contributor

openssh problem on UX-11

I installed OpenSSH 2.5.1 from the depot I got from the UX archive at <>. The problem is, I can only connect to the server in ssh 1 mode. Using ssh2 mode (with a DSA key) results in a 'Bad packet length' error.

The server is running UX 11.11 TCOE and OpenSSL 0.9.6 24 Sep 2000. I have tried connecting from RedHat 7 and Mac OS X, both running OpenSSH 2.5.2p2 and OpenSSL 0.9.5a 1 Apr 2000.

Here is a debug session:
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.5.1p1
debug1: match: OpenSSH_2.5.1p1 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_2.5.2p2
debug1: send KEXINIT
debug1: done
debug1: wait KEXINIT
debug1: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug1: got kexinit: ssh-dss
debug1: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug1: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug1: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug1: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug1: got kexinit: none,zlib
debug1: got kexinit: none,zlib
debug1: got kexinit:
debug1: got kexinit:
debug1: first kex follow: 0
debug1: reserved: 0
debug1: done
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: Sending SSH2_MSG_KEX_DH_GEX_REQUEST.
debug1: Wait SSH2_MSG_KEX_DH_GEX_GROUP.
debug1: Got SSH2_MSG_KEX_DH_GEX_GROUP.
debug1: dh_gen_key: priv key bits set: 133/256
debug1: bits set: 1046/2049
debug1: Sending SSH2_MSG_KEX_DH_GEX_INIT.
debug1: Wait SSH2_MSG_KEX_DH_GEX_REPLY.
debug1: Got SSH2_MSG_KEXDH_REPLY.
debug1: Host '131.156.180.18' is known and matches the DSA host key.
debug1: Found key in /Users/brian/.ssh/known_hosts2:3
debug1: bits set: 1037/2049
debug1: len 55 datafellows 0
debug1: ssh_dss_verify: signature correct
debug1: Wait SSH2_MSG_NEWKEYS.
debug1: GOT SSH2_MSG_NEWKEYS.
debug1: send SSH2_MSG_NEWKEYS.
debug1: done: send SSH2_MSG_NEWKEYS.
debug1: done: KEX2.
debug1: send SSH2_MSG_SERVICE_REQUEST
58 ee 47 6d ee 5e cc 79 37 b1 b0 6d 52 ee ae 4e
Disconnecting: Bad packet length 1492010861.

Anyone know what is going on? I would like to upgrade to OpenSSH 2.5.2p2 on the server, but I can't find a depot for it anywhere.

Thanks
Vincent Stedema
Esteemed Contributor

Re: openssh problem on UX-11

Brian,

Do you have a "HostKey /etc/ssh_host_dsa_key" entry in your sshd_config?

It is needed by OpenSSH version 2.5.1.

Vincent
Brian Bergstrand
Honored Contributor

Re: openssh problem on UX-11

Yes, I do have a DSA key file. Here are the relevant bits of my sshd_config file.

Port 22
Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /opt/openssh2/etc/ssh_host_key
HostKey /opt/openssh2/etc/ssh_host_dsa_key
#HostKey /opt/openssh2/etc/ssh_host_rsa_key
ServerKeyBits 1024

All of the listed files exist in the dir.

Thanks.
Vincent Stedema
Esteemed Contributor

Re: openssh problem on UX-11

Brian,

What happens if you put a comment before the "HostKey /opt/openssh2/etc/ssh_host_key" entry and just use the "HostKey /opt/openssh2/etc/ssh_host_dsa_key" entry?

Vincent
Brian Bergstrand
Honored Contributor

Re: openssh problem on UX-11

If I comment out the ssh_host_key file, the ssh 1 protocol is disabled (what I thought would happen). The server will then only allow protocol 2 connections (which don't work).
Alexander Peslyak
New Member
Solution

Re: openssh problem on UX-11

Here's the story:

Until recently (2.5.2+), OpenSSH had a bug in AES support on big-endian architectures (such as PA-RISC under HP-UX). However, the OpenSSH client prior to 2.5.2 used 3DES rather than AES by default (all this applies to SSH-2 only). That default was changed to the use of AES between 2.5.1 and 2.5.2. Then, after 2.5.2p2, there was one more relevant change: the OpenSSH client will now detect the buggy server versions (2.3.0 to 2.5.1) and not use AES/Rijndael when speaking to them:

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/compat.c.diff?r1=1.39&r2=1.40

(this is only a small part of the change).

Red Hat incorporates this later patch (but not its final version) in their 2.5.2p2-1.7 errata package.

So your options are:

1. Tell the client to use a cipher other than AES/Rijndael. You can use the "-c 3des" command line option, or "Cipher 3des" in either /etc/ssh_config (possibly /etc/ssh/ssh_config) or ~/.ssh/config.

2. Patch the client to current CVS version (tricky).

3. You haven't mentioned whether you're using the Red Hat package or built the 2.5.2p2 yourself. You could try the package, which has a chance to work (but doesn't have to).

Of course, there may be problems other than this one, but what you have now shouldn't work. ;-)
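
The failure and the client-side workaround described in the answer above, as an added example that is not part of the original thread and is not OpenSSH's own code: it shows that the first four bytes of the hex dump in the debug session, read as a big-endian length field, are exactly the rejected packet length (the signature of a wrongly decrypted first block), and how skipping AES/Rijndael for affected servers changes the negotiated cipher. The version range is the one the post gives; the client preference order, the shortened server list and all function names are assumptions.

```python
import re
import struct

# Server version range the post gives for the big-endian AES bug.
BUGGY_MIN, BUGGY_MAX = (2, 3, 0), (2, 5, 1)

def openssh_version(banner):
    """Return (major, minor, patch) from an SSH banner, or None if not OpenSSH."""
    m = re.match(r"SSH-[\d.]+-OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?", banner.strip())
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())

def server_has_aes_bug(banner):
    v = openssh_version(banner)
    return v is not None and BUGGY_MIN <= v <= BUGGY_MAX

def negotiate(client_ciphers, server_ciphers, banner, workaround=True):
    """First client cipher the server also offers, skipping AES/Rijndael
    for affected servers when the workaround is enabled."""
    skip = workaround and server_has_aes_bug(banner)
    for cipher in client_ciphers:
        if skip and cipher.startswith(("aes", "rijndael")):
            continue
        if cipher in server_ciphers:
            return cipher
    return None

def packet_length(first_block_hex):
    """SSH-2 packet length: first 4 bytes of the decrypted block,
    read as a big-endian uint32."""
    return struct.unpack(">I", bytes.fromhex(first_block_hex)[:4])[0]

# BANNER, SERVER and FIRST_BLOCK come from the debug session on this page
# (SERVER is shortened); CLIENT_PREF is an assumed client preference order.
BANNER = "SSH-1.99-OpenSSH_2.5.1p1"
SERVER = "3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc".split(",")
CLIENT_PREF = ["aes128-cbc", "3des-cbc", "blowfish-cbc"]
FIRST_BLOCK = "58 ee 47 6d ee 5e cc 79 37 b1 b0 6d 52 ee ae 4e"

if __name__ == "__main__":
    print("without workaround:", negotiate(CLIENT_PREF, SERVER, BANNER, False))
    print("with workaround:   ", negotiate(CLIENT_PREF, SERVER, BANNER))
    print("length field:      ", packet_length(FIRST_BLOCK))
```

A length field this large after NEWKEYS, on a connection whose key exchange and host key check succeeded, points at the cipher rather than at the keys or the network.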
Brian Bergstrand
Honored Contributor

Re: openssh problem on UX-11

Thanks for an explanation of the problem. The -c option did the trick. I wish someone would release a depot for 2.5.2p2. (I have been trying to compile it myself, but am having trouble with aCC.)

Thanks again.