Re: ssh kills iLo3 if I my ssh agent is forwarded with a DSA key loaded

Gary_Richards · ‎06-10-2011

I have a bunch of DL360G7, DL380G7 and DL385G7's.

To access the iLo on these systems I hop through a jump box to get there.

I forward my ssh agent because that's how I auth with other systems behind this jump box.

If I then try to ssh to the iLo of any one of my systems (and I have a DSA key loaded up in my ssh agent) I never get a login prompt to the iLo and it becomes unresponsive to any sort of connection after that other than ping. Before it will work again I have to use hponcfg -r to reset the iLo.

If I remove the DSA key from my forwarded agent (or if I only have RSA keys loaded) then my ssh connection works fine.

Although the workaround of removing the keys works, it's not going to be long before one of my users forgets and breaks the iLo of a system that's broken (so I can't login and use hponcfg -r to reset it).

My systems are running the most recent iLo firmware (which according to hponcfg is v1.20 on the DL360G7s).

Does anyone have an idea if there's some sort of setting that can be changed to fix this or whether I need to get HP to look into it?

If it's something that only HP can fix do they regularly monitor these forums or do bugs like this have to be reported in a different way?

Thanks

Gary

Oscar A. Perez · ‎06-10-2011

Cases like this ones needs to be reproduced in our lab to be able to debug it an fix it.

Could you please call HP support, log a case and provide all the details that can help us reproduce this hang?

Once you get a case number, please post it here and I'll get the case elevated. Thanks

__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!

AntsInPants · ‎06-14-2011

I am experiencing the same behavior!

I have now "broken" at least 3 different ILO3's with SSH from a Ubuntu 11.04 server.

I will look into raising a support case also

AntsInPants · ‎06-16-2011

Hi Oscar,

I made a ticket about this. Case ID: 4631007373

I am using ILO3 v1.25 on a 380G7

Let me know if you need any more details additionally to the ticket.

Thanks for help,
A

Oscar A. Perez · ‎06-16-2011

The case says you agreed to close the case.

*** NOTES June 16,2011 12:55:14 [June 16,2011 14:55:14 EET-2EEST FI]
Action Type: Default
Called to customer
Putty works.
Ssh from ubuntu fails to login and freezes (OpenSSH_5.8p1 Debian-1ubuntu3, OpenSSL 0.9.8o 01 Jun 2010 )
Ssh from redhat works.
customer agreed to close this case

*** CASE CLOSE June 16,2011 12:55:24 [June 16,2011 14:55:24 EET-2EEST FI]

__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!

AntsInPants · ‎06-16-2011

They did not want to keep the case open and since it works from putty/redhat they said its a Ubuntu problem.. I hope you are able to either reopen it or just take a few steps testing this internally and reproduce the problem.

jorgus · ‎07-12-2011

It's not Ubuntu's problem - that's complete nonsense. The same happens with PuTTY combined with Pageant and Pageant option checked in PuTTY connection settings to an ILO3. I've just hung my ILO3 by inadvertently connecting to it with my Pageant on and this checkbox checked (connection copied from another one where I use key-based authentication). Firmware 1.20 but as I read above the same applies to 1.25.

Is it really so hard for HP to reproduce this problem? AntsInPants, just tell them to download PuTTY and Pageant, load any DSA key to Pageant and connect to the ILO with "Connection -> SSH -> Auth -> Attempt authentication using Pageant" option enabled.

I would open a ticket myself if I owned the server but unfortunately it don't. Anyway, it's scary that anyone can hang my ILO in a dedicated server in a datacenter, running on a public IP.

Oscar A. Perez · ‎07-19-2011

I was able to reproduce the issue using putty and a 4096 bits private DSA key that I created using puttygen

I have uploaded an iLO3 1.26 beta2 to the below FTP. Please test it and let me know if it fixes your issue as well.

FTP Access: ftp://tempilo3:1wantiLO@ftp.usa.hp.com/

or: ftp://tempilo3:1wantiLO@15.192.32.78/

__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!

AntsInPants · ‎07-20-2011

Hi Oscar, and all.

Yes, I was able to reproduce the problem to HP Support with redhat and Ubuntu both, so they agreed the problem not to be platform specific.

Oscar, I tested your 1.26 beta3, and the problem does not seem to reproduce again! So from my point of view turn beta3 into a production release! :-)

Thanks again.

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Discussions

Forums

Discussions

Forums

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: ssh kills iLo3 if I my ssh agent is forwarded with a DSA key loaded

ssh kills iLo3 if I my ssh agent is forwarded with a DSA key loaded