
Mailing List Archive: OpenSSH: Dev

Problem SSHing to HP ILO SSH-2.0-mpSSH_0.1.0 with 5.8p1

 

 



efo at basefarm

May 18, 2011, 12:43 PM

Post #1 of 6 (5194 views)
Permalink
Problem SSHing to HP ILO SSH-2.0-mpSSH_0.1.0 with 5.8p1

Hi everyone,
We are recently seeing a problem with OpenSSH 5.8p1 and SSH to ILO cards
running SSH-2.0-mpSSH_0.1.0.
This has previously worked with OpenSSH 5.5p1 (last known version for us
to work).

ssh ilohost -vvv gives the following on 5.8p1:

debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Applying options for *.*
debug2: ssh_connect: needpriv 0
debug1: Connecting to ilohost [10.20.12.30] port 22.
debug1: Connection established.
debug1: identity file /home/efo/.ssh/identity type -1
debug1: identity file /home/efo/.ssh/identity-cert type -1
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/efo/.ssh/id_rsa" as a RSA1 public key
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/efo/.ssh/id_rsa type 1
debug1: identity file /home/efo/.ssh/id_rsa-cert type -1
debug1: identity file /home/efo/.ssh/id_dsa type -1
debug1: identity file /home/efo/.ssh/id_dsa-cert type -1
debug1: identity file /home/efo/.ssh/id_ecdsa type -1
debug1: identity file /home/efo/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version mpSSH_0.1.0
debug1: no match: mpSSH_0.1.0
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8p1
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "ilohost" from file
"/home/efo/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file
/home/efo/.ssh/known_hosts:185
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs:
ssh-rsa-cert-v01 [at] openssh,ssh-rsa-cert-v00 [at] openssh,ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit:
ssh-rsa-cert-v01 [at] openssh,ssh-rsa-cert-v00 [at] openssh,ssh-rsa,ecdsa-sha2-nistp256-cert-v01 [at] openssh,ecdsa-sha2-nistp384-cert-v01 [at] openssh,ecdsa-sha2-nistp521-cert-v01 [at] openssh,ssh-dss-cert-v01 [at] openssh,ssh-dss-cert-v00 [at] openssh,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc [at] lysator
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc [at] lysator
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-64 [at] openssh,hmac-ripemd160,hmac-ripemd160 [at] openssh,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-64 [at] openssh,hmac-ripemd160,hmac-ripemd160 [at] openssh,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib [at] openssh,zlib
debug2: kex_parse_kexinit: none,zlib [at] openssh,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: dh_gen_key: priv key bits set: 134/256
debug2: bits set: 511/1024
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
Received disconnect from 10.20.12.30: 2: Client Disconnect



The received disconnect is almost instant, so it is not a timeout or
anything like that.
I have also tried unsetting LANG, ssh -a, ssh -x etc. etc.


--
Best regards
Espen Fjellvær Olsen
efo [at] basefarm
Basefarm AS
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


djm at mindrot

May 18, 2011, 2:15 PM

Post #2 of 6 (4773 views)
Permalink
Re: Problem SSHing to HP ILO SSH-2.0-mpSSH_0.1.0 with 5.8p1 [In reply to]

On Wed, 18 May 2011, Espen Fjellvær Olsen wrote:

> Hi everyone,
> We are recently seeing a problem with OpenSSH 5.8p1 and SSH to ILO cards
> running SSH-2.0-mpSSH_0.1.0.
> This has previously worked with OpenSSH 5.5p1 (last known version for us to
> work).
>
> ssh ilohost -vvv gives the following on 5.8p1:

Could you try

ssh -vvv -oKexAlgorithms=diffie-hellman-group1-sha1 ilohost?

If that doesn't work, try adding "-oServerHostkeyAlgorithms=ssh-rsa"

-d


efo at basefarm

May 18, 2011, 2:19 PM

Post #3 of 6 (4865 views)
Permalink
Re: Problem SSHing to HP ILO SSH-2.0-mpSSH_0.1.0 with 5.8p1 [In reply to]

On 18. mai 2011 23:15, Damien Miller wrote:
> On Wed, 18 May 2011, Espen Fjellvær Olsen wrote:
>
>> Hi everyone,
>> We are recently seeing a problem with OpenSSH 5.8p1 and SSH to ILO cards
>> running SSH-2.0-mpSSH_0.1.0.
>> This has previously worked with OpenSSH 5.5p1 (last known version for us to
>> work).
>>
>> ssh ilohost -vvv gives the following on 5.8p1:
> Could you try
>
> ssh -vvv -oKexAlgorithms=diffie-hellman-group1-sha1 ilohost?
>
> If that doesn't work, try adding "-oServerHostkeyAlgorithms=ssh-rsa"
>
Aha,
Here's something;
-oKexAlgorithms=diffie-hellman-group1-sha1 did not work.
-oServerHostkeyAlgorithms=ssh-rsa wasn't recognized as an option, but
-oHostKeyAlgorithms=ssh-rsa on the other hand, did in fact work!

--
Espen Fjellvær Olsen
Basefarm AS




djm at mindrot

May 18, 2011, 3:24 PM

Post #4 of 6 (4750 views)
Permalink
Re: Problem SSHing to HP ILO SSH-2.0-mpSSH_0.1.0 with 5.8p1 [In reply to]

On Wed, 18 May 2011, Espen Fjellvær Olsen wrote:

> On 18. mai 2011 23:15, Damien Miller wrote:
> > On Wed, 18 May 2011, Espen Fjellvær Olsen wrote:
> >
> > > Hi everyone,
> > > We are recently seeing a problem with OpenSSH 5.8p1 and SSH to ILO cards
> > > running SSH-2.0-mpSSH_0.1.0.
> > > This has previously worked with OpenSSH 5.5p1 (last known version for us
> > > to
> > > work).
> > >
> > > ssh ilohost -vvv gives the following on 5.8p1:
> > Could you try
> >
> > ssh -vvv -oKexAlgorithms=diffie-hellman-group1-sha1 ilohost?
> >
> > If that doesn't work, try adding "-oServerHostkeyAlgorithms=ssh-rsa"
> >
> Aha,
> Here's something;
> -oKexAlgorithms=diffie-hellman-group1-sha1 did not work.
> -oServerHostkeyAlgorithms=ssh-rsa wasn't recognized as an option, but
> -oHostKeyAlgorithms=ssh-rsa on the other hand, did in fact work!

ok, so HP's ILO SSH implementation is junk. Harmlessly ignoring unsupported
algorithms is the very point of the initial SSH negotiation, so that the
HP code gets this really basic thing wrong is hugely worrying - if they
can't get the simple stuff right, what else have they botched?

Anyway, adding

Host ilo1 ilo2 omfgilo ...
KexAlgorithms diffie-hellman-group1-sha1
HostkeyAlgorithms ssh-rsa

to your ~/.ssh/config (replacing the host names) should let you connect.

Could you please file a bug with HP? I'd love to hear what they say.

-d
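
Added example (not part of the original thread and not OpenSSH code): the algorithm negotiation discussed above, run over the two `kex_parse_kexinit` proposals from the first post's log. It assumes the client's ten name-lists are printed before the server's, writes the `[at] openssh` names in their real `@openssh.com` form, and applies only the basic first-match rule of RFC 4253 section 7.1; the function names are hypothetical.

```python
import re
# Constructed sample: the two KEXINIT proposals from the first post's log,
# wrapped lines rejoined and the client's lists shortened.
SAMPLE_LOG = """\
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa,ecdsa-sha2-nistp256,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,arcfour256,aes128-cbc,3des-cbc
debug2: kex_parse_kexinit: aes128-ctr,arcfour256,aes128-cbc,3des-cbc
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
"""
SLOTS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
         "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]  # RFC 4253 order
LINE = re.compile(r"^debug2: kex_parse_kexinit:[ \t]*(.*)$", re.M)
META = ("first_kex_follows", "reserved")  # trailing non-list fields

def parse_proposals(log):
    """Split `ssh -vvv` output into (client, server) slot -> name-list dicts."""
    vals = [v.strip() for v in LINE.findall(log)]
    lists = [v.split(",") if v else [] for v in vals if not v.startswith(META)]
    if len(lists) != 20:  # assumption: client's ten lists, then the server's
        raise ValueError("expected 2 x 10 name-lists, got %d" % len(lists))
    return dict(zip(SLOTS, lists[:10])), dict(zip(SLOTS, lists[10:]))

def negotiate(client, server):
    """First name on the client's list that the server also lists, per slot."""
    return {s: next((a for a in client[s] if a in server[s]), None) for s in SLOTS[:8]}

def unknown_to_server(client, server):
    """Client-offered names the server does not list and should skip over."""
    return {s: [a for a in client[s] if a not in server[s]] for s in SLOTS[:8]}
```

For the sample, `negotiate` returns the same cipher, MAC and compression as the `kex:` lines in the log, and `unknown_to_server` lists the names a conforming server skips over.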


pcerny at suse

May 20, 2011, 9:00 AM

Post #5 of 6 (4705 views)
Permalink
Re: Problem SSHing to HP ILO SSH-2.0-mpSSH_0.1.0 with 5.8p1 [In reply to]

Damien Miller wrote:
> On Wed, 18 May 2011, Espen Fjellvær Olsen wrote:
>
>> On 18. mai 2011 23:15, Damien Miller wrote:
>> > On Wed, 18 May 2011, Espen Fjellvær Olsen wrote:
>> >
>> > > Hi everyone,
>> > > We are recently seeing a problem with OpenSSH 5.8p1 and SSH to ILO cards
>> > > running SSH-2.0-mpSSH_0.1.0.
>> > > This has previously worked with OpenSSH 5.5p1 (last known version for us
>> > > to
>> > > work).
>> > >
>> > > ssh ilohost -vvv gives the following on 5.8p1:
>> > Could you try
>> >
>> > ssh -vvv -oKexAlgorithms=diffie-hellman-group1-sha1 ilohost?
>> >
>> > If that doesn't work, try adding "-oServerHostkeyAlgorithms=ssh-rsa"
>> >
>> Aha,
>> Here's something;
>> -oKexAlgorithms=diffie-hellman-group1-sha1 did not work.
>> -oServerHostkeyAlgorithms=ssh-rsa wasn't recognized as an option, but
>> -oHostKeyAlgorithms=ssh-rsa on the other hand, did in fact work!
>
> ok, so HP's ILO SSH implementation is junk. Harmlessly ignoring unsupported
> algorithms is the very point of the initial SSH negotiation, so that the
> HP code gets this really basic thing wrong is hugely worrying - if they
> can't get the simple stuff right, what else have they botched?

mpSSH is not really the best SSH implementation around - among other
things it seems to fail when requested to set up an environment
variable, so be careful not to SendEnv anything to HP iLO.

Just for the record - we've had this issue reported from one of our
customers and the solution found has been:

$ ssh -vvv \
-o PasswordAuthentication=yes \
-o ChallengeResponseAuthentication=no \
-o GSSAPIAuthentication=no \
-o HostbasedAuthentication=no \
-o PubkeyAuthentication=no \
-o RSAAuthentication=no \
-o Compression=no \
-o ForwardAgent=no \
-o ForwardX11=no \
-o Ciphers=aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128 \
-o HostKeyAlgorithms=ssh-rsa,ssh-dss \
user [at] HP_iL

Along with the patch (for v 5.1p1-):
date: 2008/11/03 08:20:14;
- markus [at] cvs 2008/09/11 14:22:37
[compat.c compat.h nchan.c ssh.c]
only send eow and no-more-sessions requests to openssh 5 and newer;
fixes interop problems with broken ssh v2 implementations; ok djm@


Kind regards
Petr
--
Petr Cerny
Mozilla/OpenSSH maintainer for SUSE Linux


efo at basefarm

May 20, 2011, 9:08 AM

Post #6 of 6 (4700 views)
Permalink
Re: Problem SSHing to HP ILO SSH-2.0-mpSSH_0.1.0 with 5.8p1 [In reply to]

On 19. mai 2011 00:24, Damien Miller wrote:
> On Wed, 18 May 2011, Espen Fjellvær Olsen wrote:
>
>> On 18. mai 2011 23:15, Damien Miller wrote:
>>> On Wed, 18 May 2011, Espen Fjellvær Olsen wrote:
>>>
>>>> Hi everyone,
>>>> We are recently seeing a problem with OpenSSH 5.8p1 and SSH to ILO cards
>>>> running SSH-2.0-mpSSH_0.1.0.
>>>> This has previously worked with OpenSSH 5.5p1 (last known version for us
>>>> to
>>>> work).
>>>>
>>>> ssh ilohost -vvv gives the following on 5.8p1:
>>> Could you try
>>>
>>> ssh -vvv -oKexAlgorithms=diffie-hellman-group1-sha1 ilohost?
>>>
>>> If that doesn't work, try adding "-oServerHostkeyAlgorithms=ssh-rsa"
>>>
>> Aha,
>> Here's something;
>> -oKexAlgorithms=diffie-hellman-group1-sha1 did not work.
>> -oServerHostkeyAlgorithms=ssh-rsa wasn't recognized as an option, but
>> -oHostKeyAlgorithms=ssh-rsa on the other hand, did in fact work!
> ok, so HP's ILO SSH implementation is junk. Harmlessly ignoring unsupported
> algorithms is the very point of the initial SSH negotiation, so that the
> HP code gets this really basic thing wrong is hugely worrying - if they
> can't get the simple stuff right, what else have they botched?
>
> Anyway, adding
>
> Host ilo1 ilo2 omfgilo ...
> KexAlgorithms diffie-hellman-group1-sha1
> HostkeyAlgorithms ssh-rsa
>
> to your ~/.ssh/config (replacing the host names) should let you connect.
>
> Could you please file a bug with HP? I'd love to hear what they say.
>
This did the trick, yes.
Thank you Damien.

I am still waiting to file a bug with HP. Need some of the hardware
people to give me access to our service agreement details over at HP, or
file a bug themselves :)
Will reply back when I get an answer from HP (Although I am sure they
will tell us to upgrade last year's servers to this year's servers, which
come with ILO3 and not this problem).

--
Br
Espen Fjellvær Olsen
Basefarm AS

