Re: sshfs key exchange fails
Hi Darren,

Thanks for the right syntax, sshd is now coming up but the initial problem persists. Same picture in the packet capture.

Problem: OpenBSD SSH server isn't responding to the 'Diffie-Hellman Group Exchange Request' with 'Diffie-Hellman Group Exchange Group'. Server is sending a FIN ACK instead.

I added the following line to sshd_config to allow weak key exchange algorithms:

KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1

Dennis

Sent: Saturday, June 18, 2016 at 3:19 AM
From: "Darren Tucker" <dtuc...@zip.com.au>
To: "Dennis Matthiesen" <dennis.matthie...@gmx.com>
Cc: "Todd C. Miller" <todd.mil...@courtesan.com>, "OpenBSD Misc List" <misc@openbsd.org>
Subject: Re: sshfs key exchange fails

On Sat, Jun 18, 2016 at 6:08 AM, Dennis Matthiesen <dennis.matthie...@gmx.com> wrote:
> Thanks Todd, Did a fresh install. Added the following line to sshd_config
> but then sshd won't come up: KexAlgorithms +diffie-hellman-group1-sha1,
> +diffie-hellman-group-exchange-sha1

The first "+" means "append this to the list of accepted algorithms". The second "+" doesn't mean anything so sshd is trying to parse that as an algorithm name and failing (this should be obvious from the log message).

Try:

KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
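
The "+" rule explained in the reply above, as an added example that is not part of the thread and not OpenSSH code: a small pre-flight check for a KexAlgorithms line that reports a stray "+" and warns when the two algorithms the thread calls weak are enabled. The helper name lint_kex_line and the KNOWN_KEX sample list are assumptions; on a real host take the names from `ssh -Q kex`.

```python
import re

# Assumption: a sample of key exchange names; on a real host take the
# list from `ssh -Q kex` instead.
KNOWN_KEX = {
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group-exchange-sha256",
    "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp521",
    "curve25519-sha256@libssh.org",
}
# The two algorithms the thread names as weak and off by default.
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1"}


def lint_kex_line(line):
    """Hypothetical helper: return (errors, warnings) for one config line."""
    errors, warnings = [], []
    m = re.match(r"\s*KexAlgorithms\s+(.*?)\s*$", line, re.IGNORECASE)
    if not m:
        return errors, warnings  # not a KexAlgorithms directive
    value = m.group(1)
    if value.startswith("+"):  # one leading "+" = append to the defaults
        value = value[1:]
    for raw in value.split(","):
        name = raw.strip()
        if raw != name:  # this linter expects the list as a single token
            errors.append(f"{name!r}: whitespace inside the list")
        if not name:
            errors.append("empty list entry")
        elif name.startswith("+"):
            errors.append(f"{name!r}: extra '+', allowed only before the list")
        elif name not in KNOWN_KEX:
            errors.append(f"{name!r}: unknown algorithm name")
        elif name in WEAK_KEX:
            warnings.append(f"{name!r}: weak, enable only for legacy clients")
    return errors, warnings


# Constructed input: the two lines quoted in the thread.
BROKEN = "KexAlgorithms +diffie-hellman-group1-sha1, +diffie-hellman-group-exchange-sha1"
FIXED = "KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1"

if __name__ == "__main__":
    for cfg in (BROKEN, FIXED):
        print(cfg, *lint_kex_line(cfg), sep="\n  ")
```
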
Re: sshfs key exchange fails
Thanks Todd,

Did a fresh install. Added the following line to sshd_config but then sshd won't come up:

KexAlgorithms +diffie-hellman-group1-sha1, +diffie-hellman-group-exchange-sha1

Dennis

Sent: Friday, June 17, 2016 at 7:09 PM
From: "Todd C. Miller" <todd.mil...@courtesan.com>
To: "Dennis Matthiesen" <dennis.matthie...@gmx.com>
Cc: misc@openbsd.org
Subject: Re: sshfs key exchange fails

On Fri, 17 Jun 2016 19:49:44 +0200, "Dennis Matthiesen" wrote:
> I'm not sure if this a configuration issue or could this be a general
> problem with the 'Diffie-Hellman Group Exchange Request' not being
> processed properly by OpenBSD.
>
> Problem: OpenBSD SSH server isn't responding to the 'Diffie-Hellman Group
> Exchange Request' with 'Diffie-Hellman Group Exchange Group'. Server is
> sending a FIN ACK instead.

That sounds like a configuration issue. Newer versions of OpenSSH don't accept these weak key exchange algorithms by default:

diffie-hellman-group1-sha1
diffie-hellman-group-exchange-sha1

You can add them back in /etc/ssh/sshd_config using the KexAlgorithms setting. See sshd_config(5) for details.

Also see http://www.openssh.com/legacy.html

- todd
sshfs key exchange fails
Hi,

I'm not sure if this is a configuration issue or could this be a general problem with the 'Diffie-Hellman Group Exchange Request' not being processed properly by OpenBSD.

Problem: OpenBSD SSH server isn't responding to the 'Diffie-Hellman Group Exchange Request' with 'Diffie-Hellman Group Exchange Group'. Server is sending a FIN ACK instead.

Same key exchange worked when connecting with the same client and client software, same network, to a commercial product based on FreeBSD (Juniper JUNOS). SSH server then responds with 'Diffie-Hellman Group Exchange Group' which means keys can be exchanged and connection can be established, data transmitted, all fine.

However, client and client software tested and it works, but again not with OpenBSD as server. All ok from the client site.

Client Software: Sshfs Manager 0.0.1.5 (Windows 7 Enterprise)
Server: OpenBSD 5.9

Packet capture of issue attached where OpenBSD is acting as the SSH server.
Server IP 10.10.1.111
Client IP 10.10.1.166

I've also attached a packet capture where everything is working but no OpenBSD involved (see packet number 12), for comparison.
Server IP 10.10.1.210
Client IP 10.10.1.199

The packet captures are pretty small, so please have a look. However, this is not about getting something working on a Windows machine! ;)

Answers, comments, ideas much appreciated,

Dennis

[demime 1.01d removed an attachment of type application/octet-stream]
[demime 1.01d removed an attachment of type application/octet-stream]