Hi Hari,

Can you get a backtrace of the stuck dropbear process in 2) ? That might 
suggest what's going wrong.

Cheers,
Matt

> On Mon 23/10/2017, at 7:12 pm, Hariharasubramanian Ramasubramanian 
> <hrama...@in.ibm.com> wrote:
> 
> ssh login gets stuck at "expecting SSH2_MSG_KEX_ECDH_REPLY" at random.
> 
> However forcing ssh to use 3des cipher suite makes the login go through.
> 
> What causes the login to succeed when cipher suite is forced but fail 
> otherwise ?
> 
> Here are the debug for 3 different use cases:
> 1) successful login attempt
> 2) failed login attempt
> 3) forced 3des cipher suite
> 
> ==============================================================================
> 1) Successful login attempt
> ==============================================================================
> -bash-4.1$ ssh -vvv root@wsbmc011
> OpenSSH_5.8p2, OpenSSL 1.0.0g 18 Jan 2012
> debug1: Reading configuration data 
> /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/config
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to wsbmc011 [9.3.21.42] port 22.
> debug1: Connection established.
> debug3: Incorrect RSA1 identifier
> debug3: Could not load 
> "/gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_rsa" as a RSA1 public key
> debug2: key_type_from_name: unknown key type '-----BEGIN'
> debug3: key_read: missing keytype
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug2: key_type_from_name: unknown key type '-----END'
> debug3: key_read: missing keytype
> debug1: identity file /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_rsa 
> type 1
> debug1: identity file 
> /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_rsa-cert type -1
> debug1: identity file /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_dsa 
> type -1
> debug1: identity file 
> /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_dsa-cert type -1
> debug1: identity file 
> /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_ecdsa type -1
> debug1: identity file 
> /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_ecdsa-cert type -1
> debug1: Remote protocol version 2.0, remote software version dropbear_2016.74
> debug1: no match: dropbear_2016.74
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.8
> debug2: fd 3 setting O_NONBLOCK
> debug3: load_hostkeys: loading entries for host "wsbmc011" from file 
> "/gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/known_hosts"
> debug3: load_hostkeys: found key type RSA in file 
> /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/known_hosts:23
> debug3: load_hostkeys: loaded 1 keys
> debug3: order_hostkeyalgs: prefer hostkeyalgs: 
> ssh-rsa-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com,ssh-rsa
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit: 
> ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: 
> ssh-rsa-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521-cert-...@openssh.com,ssh-dss-cert-v01@openssh
>                                                         
> .com,ssh-dss-cert-...@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-
>                                                         sha2-nistp521,ssh-dss
> debug2: kex_parse_kexinit: 
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
> debug2: kex_parse_kexinit: 
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
> debug2: kex_parse_kexinit: 
> hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: 
> hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
> debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit: 
> curve25519-sha...@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,kexgue...@matt.ucc.asn.au
> debug2: kex_parse_kexinit: ssh-rsa
> debug2: kex_parse_kexinit: 
> aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc,twofish256-cbc,twofish-cbc,twofish128-cbc,3des-ctr,3des-cbc
> debug2: kex_parse_kexinit: 
> aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc,twofish256-cbc,twofish-cbc,twofish128-cbc,3des-ctr,3des-cbc
> debug2: kex_parse_kexinit: 
> hmac-sha1-96,hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-md5
> debug2: kex_parse_kexinit: 
> hmac-sha1-96,hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-md5
> debug2: kex_parse_kexinit: z...@openssh.com,none
> debug2: kex_parse_kexinit: z...@openssh.com,none
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_setup: found hmac-md5
> debug1: kex: server->client aes128-ctr hmac-md5 none
> debug2: mac_setup: found hmac-md5
> debug1: kex: client->server aes128-ctr hmac-md5 none
> debug1: sending SSH2_MSG_KEX_ECDH_INIT
> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> debug1: Server host key: RSA 70:28:98:8f:c1:8b:0e:33:a2:cc:e5:3d:c3:d0:f3:82
> debug3: load_hostkeys: loading entries for host "wsbmc011" from file 
> "/gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/known_hosts"
> debug3: load_hostkeys: found key type RSA in file 
> /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/known_hosts:23
> debug3: load_hostkeys: loaded 1 keys
> debug3: load_hostkeys: loading entries for host "9.3.21.42" from file 
> "/gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/known_hosts"
> debug3: load_hostkeys: found key type RSA in file 
> /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/known_hosts:15
> debug3: load_hostkeys: loaded 1 keys
> debug1: Host 'wsbmc011' is known and matches the RSA host key.
> debug1: Found key in 
> /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/known_hosts:23
> debug1: ssh_rsa_verify: signature correct
> debug2: kex_derive_keys
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: Roaming not allowed by server
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug2: key: /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_rsa 
> (0x9dd410)
> debug2: key: /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_dsa ((nil))
> debug2: key: /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_ecdsa ((nil))
> debug1: Authentications that can continue: publickey,password
> debug3: start over, passed a different list publickey,password
> debug3: preferred publickey,keyboard-interactive,password
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Offering RSA public key: 
> /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_rsa
> debug3: send_pubkey_test
> debug2: we sent a publickey packet, wait for reply
> debug1: Authentications that can continue: publickey,password
> debug1: Trying private key: 
> /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_dsa
> debug3: no such identity: 
> /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_dsa
> debug1: Trying private key: 
> /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_ecdsa
> debug3: no such identity: 
> /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_ecdsa
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup password
> debug3: remaining preferred: ,password
> debug3: authmethod_is_enabled password
> debug1: Next authentication method: password
> root@wsbmc011's password:
> ==============================================================================
> 2) failed login attempt
> ==============================================================================
> $ ssh -v root@wsbmc011
> OpenSSH_5.8p2, OpenSSL 1.0.0g 18 Jan 2012
> debug1: Reading configuration data 
> /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/config
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug1: Connecting to wsbmc011 [9.3.21.42] port 22.
> debug1: Connection established.
> debug1: identity file /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_rsa 
> type 1
> debug1: identity file 
> /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_rsa-cert type -1
> debug1: identity file /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_dsa 
> type -1
> debug1: identity file 
> /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_dsa-cert type -1
> debug1: identity file 
> /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_ecdsa type -1
> debug1: identity file 
> /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_ecdsa-cert type -1
> debug1: Remote protocol version 2.0, remote software version dropbear_2016.74
> debug1: no match: dropbear_2016.74
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.8
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client aes128-ctr hmac-md5 none
> debug1: kex: client->server aes128-ctr hmac-md5 none
> debug1: sending SSH2_MSG_KEX_ECDH_INIT
> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> ==============================================================================
> 3) forced 3des cipher suite
> ==============================================================================
> $ ssh -c 3des -v root@wsbmc011
> OpenSSH_5.8p2, OpenSSL 1.0.0g 18 Jan 2012
> debug1: Reading configuration data 
> /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/config
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug1: Connecting to wsbmc011 [9.3.21.42] port 22.
> debug1: Connection established.
> debug1: identity file /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_rsa 
> type 1
> debug1: identity file 
> /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_rsa-cert type -1
> debug1: identity file /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_dsa 
> type -1
> debug1: identity file 
> /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_dsa-cert type -1
> debug1: identity file 
> /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_ecdsa type -1
> debug1: identity file 
> /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_ecdsa-cert type -1
> debug1: Remote protocol version 2.0, remote software version dropbear_2016.74
> debug1: no match: dropbear_2016.74
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.8
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client 3des-cbc hmac-md5 none
> debug1: kex: client->server 3des-cbc hmac-md5 none
> debug1: sending SSH2_MSG_KEX_ECDH_INIT
> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> debug1: Server host key: RSA 70:28:98:8f:c1:8b:0e:33:a2:cc:e5:3d:c3:d0:f3:82
> debug1: Host 'wsbmc011' is known and matches the RSA host key.
> debug1: Found key in 
> /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/known_hosts:26
> debug1: ssh_rsa_verify: signature correct
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: Roaming not allowed by server
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue: publickey,password
> debug1: Next authentication method: publickey
> debug1: Offering RSA public key: 
> /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_rsa
> debug1: Authentications that can continue: publickey,password
> debug1: Trying private key: 
> /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_dsa
> debug1: Trying private key: 
> /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_ecdsa
> debug1: Next authentication method: password
> root@wsbmc011's password:
> 
> Thanks in advance,
> Hari !
> 
> Hariharasubramanian R.
> Power Firmware Development
> IBM India Systems & Technology Lab, Bangalore, India
> Phone: +91 80 4025 6950 

Reply via email to