Re: sshfs key exchange fails
On Sat, Jun 18, 2016 at 6:11 PM, Dennis Matthiesen wrote:
> Hi Darren,
>
> Thanks for the right syntax, sshd is now coming up but the initial problem
> persists. Same picture in the packet capture.

The packet capture didn't make it to the list, the attachment got stripped.

> Problem: OpenBSD SSH server isn't responding to the 'Diffie-Hellman Group
> Exchange Request' with 'Diffie-Hellman Group Exchange Group'. Server is
> sending a FIN ACK instead.

Try running the server in debug mode (eg "/usr/sbin/sshd -ddde -p 222" to run it on port 222) and if the reason isn't obvious from the log please post it to the list.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Re: sshfs key exchange fails
Hi Darren,

Thanks for the right syntax, sshd is now coming up but the initial problem persists. Same picture in the packet capture.

Problem: OpenBSD SSH server isn't responding to the 'Diffie-Hellman Group Exchange Request' with 'Diffie-Hellman Group Exchange Group'. Server is sending a FIN ACK instead.

I added the following line to sshd_config to allow weak key exchange algorithms:

KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1

Dennis

Sent: Saturday, June 18, 2016 at 3:19 AM
From: "Darren Tucker"
To: "Dennis Matthiesen"
Cc: "Todd C. Miller", "OpenBSD Misc List"
Subject: Re: sshfs key exchange fails

On Sat, Jun 18, 2016 at 6:08 AM, Dennis Matthiesen wrote:
> Thanks Todd, Did a fresh install. Added the following line to sshd_config
> but then sshd won't come up: KexAlgorithms +diffie-hellman-group1-sha1,
> +diffie-hellman-group-exchange-sha1

The first "+" means "append this to the list of accepted algorithms". The second "+" doesn't mean anything so sshd is trying to parse that as an algorithm name and failing (this should be obvious from the log message).

Try:

KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Re: sshfs key exchange fails
On Sat, Jun 18, 2016 at 6:08 AM, Dennis Matthiesen wrote:
> Thanks Todd, Did a fresh install. Added the following line to sshd_config
> but then sshd won't come up: KexAlgorithms +diffie-hellman-group1-sha1,
> +diffie-hellman-group-exchange-sha1

The first "+" means "append this to the list of accepted algorithms". The second "+" doesn't mean anything so sshd is trying to parse that as an algorithm name and failing (this should be obvious from the log message).

Try:

KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
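As an added example (not part of the thread and not OpenSSH's own code), a small Python model of the parsing rule Darren describes: a leading "+" appends the comma-separated names to the default list, and every element after that must be an algorithm name, so the stray second "+" is rejected. The default and known-name lists are illustrative assumptions; the weak set is the pair Todd named, and the model also reports when a directive (including the corrected one) turns those weak methods on.

```python
"""Model of sshd_config KexAlgorithms parsing as explained in the thread.

Added example, not OpenSSH code. Only the "+" prefix (append to the
default list) is modelled. DEFAULT_KEX and KNOWN_KEX are assumptions for
illustration, not the authoritative OpenSSH lists.
"""

# Assumed default server list (illustrative, not OpenSSH's real defaults).
DEFAULT_KEX = [
    "curve25519-sha256@libssh.org",
    "ecdh-sha2-nistp256",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group14-sha1",
]

# Legacy methods discussed in the thread; see http://www.openssh.com/legacy.html
WEAK_KEX = {
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group-exchange-sha1",
}

KNOWN_KEX = set(DEFAULT_KEX) | WEAK_KEX


def parse_kex_directive(value, defaults=DEFAULT_KEX):
    """Return (effective_list, weak_enabled, bad_names).

    A leading "+" appends the names to the defaults; otherwise the value
    replaces the list. Each element must be a known algorithm name, so a
    second "+" ends up in bad_names, which is why sshd refused to start
    on the original line. When bad_names is non-empty the directive is
    rejected and effective_list is just the untouched defaults.
    """
    value = value.strip()
    if value.startswith("+"):
        names = [n.strip() for n in value[1:].split(",")]
        effective = list(defaults)
    else:
        names = [n.strip() for n in value.split(",")]
        effective = []
    bad = [n for n in names if n not in KNOWN_KEX]
    if not bad:
        for n in names:
            if n not in effective:
                effective.append(n)
    weak = sorted(WEAK_KEX & set(effective))
    return effective, weak, bad


if __name__ == "__main__":
    broken = "+diffie-hellman-group1-sha1, +diffie-hellman-group-exchange-sha1"
    fixed = "+diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1"
    for line in (broken, fixed):
        eff, weak, bad = parse_kex_directive(line)
        print(line, "->", "rejected, bad names: %s" % bad if bad
              else "accepted, weak kex enabled: %s" % weak)
```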
Re: sshfs key exchange fails
Thanks Todd. Did a fresh install. Added the following line to sshd_config but then sshd won't come up:

KexAlgorithms +diffie-hellman-group1-sha1, +diffie-hellman-group-exchange-sha1

Dennis

Sent: Friday, June 17, 2016 at 7:09 PM
From: "Todd C. Miller"
To: "Dennis Matthiesen"
Cc: misc@openbsd.org
Subject: Re: sshfs key exchange fails

On Fri, 17 Jun 2016 19:49:44 +0200, "Dennis Matthiesen" wrote:
> I'm not sure if this is a configuration issue or could this be a general
> problem with the 'Diffie-Hellman Group Exchange Request' not being
> processed properly by OpenBSD.
>
> Problem: OpenBSD SSH server isn't responding to the 'Diffie-Hellman Group
> Exchange Request' with 'Diffie-Hellman Group Exchange Group'. Server is
> sending a FIN ACK instead.

That sounds like a configuration issue. Newer versions of OpenSSH don't accept these weak key exchange algorithms by default:

diffie-hellman-group1-sha1
diffie-hellman-group-exchange-sha1

You can add them back in /etc/ssh/sshd_config using the KexAlgorithms setting. See sshd_config(5) for details.

Also see http://www.openssh.com/legacy.html

- todd
Re: sshfs key exchange fails
On Fri, Jun 17, 2016 at 11:09 AM, Todd C. Miller wrote:
> On Fri, 17 Jun 2016 19:49:44 +0200, "Dennis Matthiesen" wrote:
>
>> I'm not sure if this is a configuration issue or could this be a general
>> problem with the 'Diffie-Hellman Group Exchange Request' not being
>> processed properly by OpenBSD.
>>
>> Problem: OpenBSD SSH server isn't responding to the 'Diffie-Hellman Group
>> Exchange Request' with 'Diffie-Hellman Group Exchange Group'. Server is
>> sending a FIN ACK instead.
>
> That sounds like a configuration issue. Newer versions of OpenSSH
> don't accept these weak key exchange algorithms by default:
>
> diffie-hellman-group1-sha1
> diffie-hellman-group-exchange-sha1
>
> You can add them back in /etc/ssh/sshd_config using the KexAlgorithms
> setting.

...after really thinking HARD about what you're doing with an ssh client which hasn't been updated in reaction to all the cryptographic attacks over the last couple of years. Before you flip the options to let it work, you should have a plan for how and when you'll be able to turn them back off.

Do you connect to this host with a more up to date ssh client too? How are you making sure the new client can't be tricked into using the old, attackable key-exchange methods?

Cryptography is always moving forward; software that doesn't get updated is falling behind.

Philip Guenther
Re: sshfs key exchange fails
On Fri, 17 Jun 2016 19:49:44 +0200, "Dennis Matthiesen" wrote:
> I'm not sure if this is a configuration issue or could this be a general
> problem with the 'Diffie-Hellman Group Exchange Request' not being
> processed properly by OpenBSD.
>
> Problem: OpenBSD SSH server isn't responding to the 'Diffie-Hellman Group
> Exchange Request' with 'Diffie-Hellman Group Exchange Group'. Server is
> sending a FIN ACK instead.

That sounds like a configuration issue. Newer versions of OpenSSH don't accept these weak key exchange algorithms by default:

diffie-hellman-group1-sha1
diffie-hellman-group-exchange-sha1

You can add them back in /etc/ssh/sshd_config using the KexAlgorithms setting. See sshd_config(5) for details.

Also see http://www.openssh.com/legacy.html

- todd