
Unable to SSH to iLO2 with OpenSSH 6.2

 
SOLVED
sl4mmy
Occasional Advisor

Unable to SSH to iLO2 with OpenSSH 6.2

Howdy-

 

I initially posted this in reply to the v2.15 release announcement, but I'm starting a separate thread now because I reproduced the issue with another SSH client (the Ruby Net::SSH library from http://net-ssh.github.io/net-ssh/).

 

Basically, I'm unable to connect to iLO2 via SSH from my Linux workstation.  I tried with servers running iLO2 firmware v2.06, v2.12 and the recently released v2.15, all without success.  My workstation is running ArchLinux:

 

$ uname -a

Linux arch-sl4mmy 3.7.10-1-ARCH #1 SMP PREEMPT Thu Feb 28 09:50:17 CET 2013 x86_64 GNU/Linux

 

 

Here is some sample debug output when attempting to connect using OpenSSH 6.2:

 

$ ssh -vvv ilo01

OpenSSH_6.2p1, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /home/sl4mmy/.ssh/config
debug1: /home/sl4mmy/.ssh/config line 15: Applying options for ilo*
debug1: /home/sl4mmy/.ssh/config line 24: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to ilo01 [192.168.254.11] port 22.
debug2: fd 3 setting O_NONBLOCK
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug3: timeout: 999 ms remain after connect
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/sl4mmy/.ssh/deploy-key" as a RSA1 public key
debug1: identity file /home/sl4mmy/.ssh/deploy-key type 1
debug1: identity file /home/sl4mmy/.ssh/deploy-key-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version mpSSH_0.1.1
debug1: no match: mpSSH_0.1.1
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "ilo01" from file "/home/sl4mmy/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/sl4mmy/.ssh/known_hosts:274
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: dh_gen_key: priv key bits set: 126/256
debug2: bits set: 503/1024
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
Received disconnect from 192.168.254.11: 2: Client Disconnect

 

 

I also reproduced what I believe is the same issue using Ruby's Net::SSH library (the output below was captured by setting the :logger option to Logger::DEBUG):

 

D, [2013-05-03T10:17:09.222960 #2074] DEBUG -- net.ssh.transport.session[d272c4]: establishing connection to ilo01:22
D, [2013-05-03T10:17:09.224466 #2074] DEBUG -- net.ssh.transport.session[d272c4]: connection established
I, [2013-05-03T10:17:09.224580 #2074]  INFO -- net.ssh.transport.server_version[d24970]: negotiating protocol version
D, [2013-05-03T10:17:09.231403 #2074] DEBUG -- net.ssh.transport.server_version[d24970]: remote is `SSH-2.0-mpSSH_0.1.1'
D, [2013-05-03T10:17:09.231458 #2074] DEBUG -- net.ssh.transport.server_version[d24970]: local is `SSH-2.0-Ruby/Net::SSH_2.6.7 x86_64-linux'
D, [2013-05-03T10:17:09.485039 #2074] DEBUG -- tcpsocket[d26400]: read 200 bytes
D, [2013-05-03T10:17:09.485179 #2074] DEBUG -- tcpsocket[d26400]: received packet nr 0 type 20 len 196
I, [2013-05-03T10:17:09.485255 #2074]  INFO -- net.ssh.transport.algorithms[d21a40]: got KEXINIT from server
I, [2013-05-03T10:17:09.485329 #2074]  INFO -- net.ssh.transport.algorithms[d21a40]: sending KEXINIT
D, [2013-05-03T10:17:09.487958 #2074] DEBUG -- tcpsocket[d26400]: queueing packet nr 0 type 20 len 1620
D, [2013-05-03T10:17:09.488054 #2074] DEBUG -- tcpsocket[d26400]: sent 1624 bytes
I, [2013-05-03T10:17:09.488096 #2074]  INFO -- net.ssh.transport.algorithms[d21a40]: negotiating algorithms
D, [2013-05-03T10:17:09.488242 #2074] DEBUG -- net.ssh.transport.algorithms[d21a40]: negotiated:
* kex: diffie-hellman-group1-sha1
* host_key: ssh-rsa
* encryption_server: aes128-cbc
* encryption_client: aes128-cbc
* hmac_client: hmac-sha1
* hmac_server: hmac-sha1
* compression_client: none
* compression_server: none
* language_client:
* language_server:
D, [2013-05-03T10:17:09.488321 #2074] DEBUG -- net.ssh.transport.algorithms[d21a40]: exchanging keys
D, [2013-05-03T10:17:09.489091 #2074] DEBUG -- tcpsocket[d26400]: queueing packet nr 1 type 30 len 140
D, [2013-05-03T10:17:09.489145 #2074] DEBUG -- tcpsocket[d26400]: sent 144 bytes
D, [2013-05-03T10:17:09.490307 #2074] DEBUG -- tcpsocket[d26400]: read 40 bytes
D, [2013-05-03T10:17:09.490411 #2074] DEBUG -- tcpsocket[d26400]: received packet nr 1 type 1 len 36

 

And then it disconnects.

 

$ ruby --version

ruby 1.9.3p392 (2013-02-22 revision 39386) [x86_64-linux]

$ gem list | grep net-ssh

net-ssh (2.6.7)

 

 

Has anyone else encountered similar problems?  Please let me know if I can provide any more information to help identify and fix this issue.

sl4mmy
Occasional Advisor

Re: Unable to SSH to iLO2 with OpenSSH 6.2

I came across this thread from two years ago http://www.gossamer-threads.com/lists/openssh/dev/51909 that describes a similar issue with OpenSSH 5.8, but unfortunately the recommended work-arounds no longer seem to work with OpenSSH 6.2.

Oscar A. Perez
Honored Contributor

Re: Unable to SSH to iLO2 with OpenSSH 6.2

Did you try the option 

HostKeyAlgorithms=ssh-rsa

 

 




__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!
sl4mmy
Occasional Advisor

Re: Unable to SSH to iLO2 with OpenSSH 6.2

Hi, Oscar-

 

Yes, I did try that.  Sorry for not being more clear, but that's what I meant about "recommended work-arounds no longer seem to work with OpenSSH 6.2."

 

Are you able to successfully connect to iLO2 via SSH with OpenSSH v6.2 using that option?

 

Here is the output with that option on my machine:

 

$ ssh -vvv -o HostKeyAlgorithms=ssh-rsa ilo01

OpenSSH_6.2p1, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /home/sl4mmy/.ssh/config
debug1: /home/sl4mmy/.ssh/config line 15: Applying options for ilo*
debug1: /home/sl4mmy/.ssh/config line 24: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to ilo01 [192.168.254.11] port 22.
debug2: fd 3 setting O_NONBLOCK
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug3: timeout: 999 ms remain after connect
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/sl4mmy/.ssh/deploy-key" as a RSA1 public key
debug1: identity file /home/sl4mmy/.ssh/deploy-key type 1
debug1: identity file /home/sl4mmy/.ssh/deploy-key-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version mpSSH_0.1.1
debug1: no match: mpSSH_0.1.1
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: dh_gen_key: priv key bits set: 129/256
debug2: bits set: 506/1024
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
Received disconnect from 192.168.254.11: 2: Client Disconnect

Oscar A. Perez
Honored Contributor

Re: Unable to SSH to iLO2 with OpenSSH 6.2

Ok, I'll debug it and hopefully it is an easy fix.  I'm getting tired of fixing iLO2 SSH server every time a new OpenSSH version is released.




sl4mmy
Occasional Advisor

Re: Unable to SSH to iLO2 with OpenSSH 6.2

Hi, Oscar-

 

Great, thanks for offering to look into the issue further!  Let me know if there are any further options you'd like me to try or other tests you'd like me to run.

Jimmy Vance
HPE Pro

Re: Unable to SSH to iLO2 with OpenSSH 6.2

I know many years ago when there was an issue with iLO and OpenSSH not working together the workaround was to add "-o ForwardAgent=no -o ForwardX11=no". The issue I had at the time was the ssh client wouldn't use the "-o" options properly from the command line. I had to put them in a file and launch ssh with the "-F configfile" option to read the options correctly. Not saying that is the issue here, but you might give it a try creating a file with "HostKeyAlgorithms=ssh-rsa" and see if it changes anything.

 

 

No support by private messages. Please ask the forum! 
sl4mmy
Occasional Advisor

Re: Unable to SSH to iLO2 with OpenSSH 6.2

Hi, Jimmy-

 

Thanks for your suggestion; unfortunately, I'm still unable to connect:

 

$ cat ssh_config

Host *
  KexAlgorithms diffie-hellman-group1-sha1
  HostKeyAlgorithms ssh-rsa


$ ssh -vvv -F ssh_config ilo01

OpenSSH_6.2p1, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data ssh_config
debug1: ssh_config line 1: Applying options for *
debug3: kex names ok: [diffie-hellman-group1-sha1]
debug3: key names ok: [ssh-rsa]
debug2: ssh_connect: needpriv 0
debug1: Connecting to ilo01 [192.168.254.11] port 22.
debug1: Connection established.
debug1: identity file /home/sl4mmy/.ssh/id_rsa type -1
debug1: identity file /home/sl4mmy/.ssh/id_rsa-cert type -1
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/sl4mmy/.ssh/id_dsa" as a RSA1 public key
debug1: identity file /home/sl4mmy/.ssh/id_dsa type 2
debug1: identity file /home/sl4mmy/.ssh/id_dsa-cert type -1
debug1: identity file /home/sl4mmy/.ssh/id_ecdsa type -1
debug1: identity file /home/sl4mmy/.ssh/id_ecdsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version mpSSH_0.1.1
debug1: no match: mpSSH_0.1.1
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: dh_gen_key: priv key bits set: 136/256
debug2: bits set: 531/1024
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
Received disconnect from 192.168.254.11: 2: Client Disconnect

Oscar A. Perez
Honored Contributor

Re: Unable to SSH to iLO2 with OpenSSH 6.2

I had to make lots of changes to the mpSSH server code to get it to work with the new OpenSSH 6.2p1.  

 

I hope this is the last time we have to make changes like this one. iLO2 memory is very limited and already full, so we won't be able to spin new firmware releases every time the OpenSSH folks decide to increase the size of the payload during Key Exchange.

 

 




sl4mmy
Occasional Advisor

Re: Unable to SSH to iLO2 with OpenSSH 6.2

Hi, Oscar-

 

That's great, I'm glad you were able to fix the problem.  I'm not sure what can be done about futureproofing, but I appreciate your time and effort on this!

 

Thanks again!

 

Best,

Kent
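
Added example, not part of the original thread and not HP's or OpenSSH's code: a Python reader for the `kex_parse_kexinit` lines in the `ssh -vvv` output above. It computes each side's KEXINIT payload size (the quantity behind the remark about key-exchange payload growth) and the algorithms a first-match negotiation selects. The name-lists are copied from the first debug run in the thread; the function names and the `LEGACY` set are assumptions of this example.

```python
import re

# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253, section 7.1).
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
# Algorithms this example treats as legacy (an assumption; adjust to local policy).
LEGACY = {"diffie-hellman-group1-sha1", "hmac-md5", "aes128-cbc", "3des-cbc"}

def parse_proposals(debug_text):
    """Split `ssh -vvv` kex_parse_kexinit lines into (client, server) proposals.
    OpenSSH 6.2 prints 12 such lines per side, its own proposal first."""
    vals = [m.group(1).strip() for m in
            re.finditer(r"^debug2: kex_parse_kexinit:(.*)$", debug_text, re.M)]
    if len(vals) != 24:
        raise ValueError("expected 24 kex_parse_kexinit lines, got %d" % len(vals))
    def side(chunk):
        return {f: [a for a in v.split(",") if a] for f, v in zip(FIELDS, chunk)}
    return side(vals[:10]), side(vals[12:22])

def kexinit_payload_len(p):
    """Bytes in the KEXINIT payload: type(1) + cookie(16) + ten length-prefixed
    name-lists + first_kex_follows(1) + reserved(4)."""
    return 1 + 16 + sum(4 + len(",".join(p[f])) for f in FIELDS) + 1 + 4

def negotiate(client, server):
    """First entry on the client's list that the server also offers (simplified
    RFC 4253 rule; the kex/host-key compatibility check is not modelled)."""
    return {f: next((a for a in client[f] if a in server[f]), None)
            for f in FIELDS[:8]}

def legacy_choices(chosen):
    return sorted({a for a in chosen.values() if a in LEGACY})

# Constructed sample: debug lines rebuilt from the name-lists in the thread's first run.
C_KEX = "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1"
C_KEY = "ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss"
C_ENC = "aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se"
C_MAC = "hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96"
C_CMP = "none,zlib@openssh.com,zlib"
CLIENT = [C_KEX, C_KEY, C_ENC, C_ENC, C_MAC, C_MAC, C_CMP, C_CMP, "", ""]
SERVER = ["diffie-hellman-group1-sha1", "ssh-rsa,ssh-dss", "aes128-cbc,3des-cbc",
          "aes128-cbc,3des-cbc", "hmac-md5,hmac-sha1", "hmac-md5,hmac-sha1", "none", "none", "", ""]
TAIL = ["first_kex_follows 0", "reserved 0"]
SAMPLE = "\n".join("debug2: kex_parse_kexinit: " + v
                   for v in CLIENT + TAIL + SERVER + TAIL)

if __name__ == "__main__":
    client, server = parse_proposals(SAMPLE)
    print("KEXINIT payload bytes: client=%d server=%d"
          % (kexinit_payload_len(client), kexinit_payload_len(server)))
    chosen = negotiate(client, server)
    print("negotiated:", chosen)
    print("legacy algorithms selected:", legacy_choices(chosen))
```

On these lists the server's KEXINIT payload is 185 bytes, which is consistent with the 196-byte type 20 packet in the Net::SSH log once the padding-length byte and padding are added.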