[Bug 1528251] Re: WARNING: no suitable primes in /etc/ssh/primes
** Tags removed: architecture-s39064 bugnameltc-137850 error logging severity-high targetmilestone-inin1604 -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1528251 Title: WARNING: no suitable primes in /etc/ssh/primes To manage notifications about this bug go to: https://bugs.launchpad.net/openssh/+bug/1528251/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1528251] Re: WARNING: no suitable primes in /etc/ssh/primes
I won't forget to do it with the 7.3 upload, and would rather have the bug open until it's actually fixed.

** Changed in: openssh (Ubuntu)
   Status: Fix Released => Fix Committed
[Bug 1528251] Re: WARNING: no suitable primes in /etc/ssh/primes
Thanks for your attention!
[Bug 1528251] Re: WARNING: no suitable primes in /etc/ssh/primes
This has been fixed in upstream openssh, and will be part of like 7.3 release or some such. When that gets released, makes it to debian and makes it to ubuntu, this bug will be resolved. This is a minor issue and not worth cherrypicking for. I'll just mark ubuntu task as fix released, cause we will forget to do so with 7.3 upload.

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/dh.c?rev=1.59 =text/x-cvsweb-markup

** Changed in: openssh (Ubuntu)
   Status: Triaged => Fix Released
[Bug 1528251] Re: WARNING: no suitable primes in /etc/ssh/primes
Patch attached upstream https://bugzilla.mindrot.org/show_bug.cgi?id=2559
see https://bugzilla.mindrot.org/attachment.cgi?id=2801

As far as I understand there are no further actions for s390x port.

@OP this is a minor problem, and best addressed upstream, see upstream bug report linked.

** Bug watch added: OpenSSH Portable Bugzilla #2559
   https://bugzilla.mindrot.org/show_bug.cgi?id=2559

** Also affects: openssh via
   https://bugzilla.mindrot.org/show_bug.cgi?id=2559
   Importance: Unknown
   Status: Unknown

** Changed in: openssh (Ubuntu)
   Importance: Low => Wishlist
[Bug 1528251] Re: WARNING: no suitable primes in /etc/ssh/primes
Sorry, I mean OpenSSH in general of course, not just the client. And yes, the other end ought to be able to cope with stronger primes. But that's not what this bug is about: it specifically says "The alleged problem is the reference to /etc/ssh/primes instead of /etc/ssh/moduli".
[Bug 1528251] Re: WARNING: no suitable primes in /etc/ssh/primes
Sigh. No. It's a perfectly obvious bug in the OpenSSH client, it's just mostly cosmetic (i.e. it's checking two files but then only warning about one). Please read the original bug description carefully before closing this or arguing further about whether it's valid.

** Changed in: openssh (Ubuntu)
   Importance: Undecided => Low

** Changed in: openssh (Ubuntu)
   Status: Invalid => Triaged
[Bug 1528251] Re: WARNING: no suitable primes in /etc/ssh/primes
Surely the bug is in Client: Prompt 2 v2.5.2 (Build 23057) on IOS 9.2.1 (see https://panic.com/prompt/), and you should report to them that it should use stronger keys to authenticate, no?

We do not provide support for third party ssh clients. And we will not weaken our server to support weak clients.

Also wily 15.10 on amd64, is out of scope for s390x support on xenial.

Please let me know, if you can reproduce this at all with Ubuntu clients and Ubuntu server on s390x.

** Changed in: openssh (Ubuntu)
   Status: Incomplete => Invalid
[Bug 1528251] Re: WARNING: no suitable primes in /etc/ssh/primes
Perhaps the following is helpful in tracing the problem. It is an excerpt from /var/log/auth.log covering the ssh login from the iPad on the server (srv01) in the situation described earlier, logged at LogLevel DEBUG3:

Mar 23 08:33:14 srv01 sshd[1782]: Connection from ***.***.***.66 port 59484 on ***.***.***.34 port ***22
Mar 23 08:33:14 srv01 sshd[1782]: debug1: Client protocol version 2.0; client software version OpenSSH_5.4
Mar 23 08:33:14 srv01 sshd[1782]: debug1: match: OpenSSH_5.4 pat OpenSSH_5* compat 0x0c00
Mar 23 08:33:14 srv01 sshd[1782]: debug1: Enabling compatibility mode for protocol 2.0
Mar 23 08:33:14 srv01 sshd[1782]: debug1: Local version string SSH-2.0-OpenSSH_6.9p1 Ubuntu-2ubuntu0.1
Mar 23 08:33:14 srv01 sshd[1782]: debug2: fd 3 setting O_NONBLOCK
Mar 23 08:33:14 srv01 sshd[1782]: debug2: Network child is on pid 1783
Mar 23 08:33:14 srv01 sshd[1782]: debug3: preauth child monitor started
Mar 23 08:33:14 srv01 sshd[1782]: debug3: privsep user:group 104:65534 [preauth]
Mar 23 08:33:14 srv01 sshd[1782]: debug1: permanently_set_uid: 104/65534 [preauth]
Mar 23 08:33:14 srv01 sshd[1782]: debug1: list_hostkey_types: ssh-ed25519,ssh-rsa [preauth]
Mar 23 08:33:14 srv01 sshd[1782]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Mar 23 08:33:14 srv01 sshd[1782]: debug1: SSH2_MSG_KEXINIT received [preauth]
Mar 23 08:33:14 srv01 sshd[1782]: debug2: kex_parse_kexinit: curve25519-sha...@libssh.org,diffie-hellman-group-exchange-sha256 [preauth]
Mar 23 08:33:14 srv01 sshd[1782]: debug2: kex_parse_kexinit: ssh-ed25519,ssh-rsa [preauth]
Mar 23 08:33:14 srv01 sshd[1782]: debug2: kex_parse_kexinit: chacha20-poly1...@openssh.com,aes256-...@openssh.com,aes256-ctr,aes192-ctr [preauth]
Mar 23 08:33:14 srv01 sshd[1782]: debug2: kex_parse_kexinit: chacha20-poly1...@openssh.com,aes256-...@openssh.com,aes256-ctr,aes192-ctr [preauth]
Mar 23 08:33:14 srv01 sshd[1782]: debug2: kex_parse_kexinit: hmac-sha2-512-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-ripemd160-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160 [preauth]
Mar 23 08:33:14 srv01 sshd[1782]: debug2: kex_parse_kexinit: hmac-sha2-512-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-ripemd160-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160 [preauth]
Mar 23 08:33:14 srv01 sshd[1782]: debug2: kex_parse_kexinit: none,z...@openssh.com [preauth]
Mar 23 08:33:14 srv01 sshd[1782]: debug2: kex_parse_kexinit: none,z...@openssh.com [preauth]
Mar 23 08:33:14 srv01 sshd[1782]: debug2: kex_parse_kexinit: [preauth]
Mar 23 08:33:14 srv01 sshd[1782]: debug2: kex_parse_kexinit: [preauth]
Mar 23 08:33:14 srv01 sshd[1782]: debug2: kex_parse_kexinit: first_kex_follows 0 [preauth]
Mar 23 08:33:14 srv01 sshd[1782]: debug2: kex_parse_kexinit: reserved 0 [preauth]
Mar 23 08:33:14 srv01 sshd[1782]: debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
Mar 23 08:33:14 srv01 sshd[1782]: debug2: kex_parse_kexinit: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
Mar 23 08:33:14 srv01 sshd[1782]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes256-cbc,rijndael-...@lysator.liu.se,aes192-cbc,aes128-cbc,blowfish-cbc,arcfour128,arcfour,cast128-cbc,3des-cbc [preauth]
Mar 23 08:33:14 srv01 sshd[1782]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes256-cbc,rijndael-...@lysator.liu.se,aes192-cbc,aes128-cbc,blowfish-cbc,arcfour128,arcfour,cast128-cbc,3des-cbc [preauth]
Mar 23 08:33:14 srv01 sshd[1782]: debug2: kex_parse_kexinit: hmac-sha2-512-...@openssh.com,hmac-sha2-512,hmac-sha2-256-...@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-ripemd...@openssh.com [preauth]
Mar 23 08:33:14 srv01 sshd[1782]: debug2: kex_parse_kexinit: hmac-sha2-512-...@openssh.com,hmac-sha2-512,hmac-sha2-256-...@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-ripemd...@openssh.com [preauth]
Mar 23 08:33:14 srv01 sshd[1782]: debug2: kex_parse_kexinit: zlib,z...@openssh.com,none [preauth]
Mar 23 08:33:14 srv01 sshd[1782]: debug2: kex_parse_kexinit: zlib,z...@openssh.com,none [preauth]
Mar 23 08:33:14 srv01 sshd[1782]: debug2: kex_parse_kexinit: [preauth]
Mar 23 08:33:14 srv01 sshd[1782]: debug2: kex_parse_kexinit: [preauth]
Mar 23 08:33:14 srv01 sshd[1782]: debug2: kex_parse_kexinit: first_kex_follows 0 [preauth]
Mar 23 08:33:14 srv01 sshd[1782]: debug2: kex_parse_kexinit: reserved 0 [preauth]
Mar 23 08:33:14 srv01 sshd[1782]: debug1: kex: client->server aes192-ctr hmac-sha2-512-...@openssh.com z...@openssh.com [preauth]
Mar 23 08:33:14 srv01 sshd[1782]: debug1: kex: server->client aes192-ctr hmac-sha2-512-...@openssh.com z...@openssh.com [preauth]
Mar 23 08:33:14 srv01 sshd[1782]:
[Bug 1528251] Re: WARNING: no suitable primes in /etc/ssh/primes
Apologies for my late response. I am running different software now, but the 'bug' is still present. I can currently reproduce it as follows:

Server: openssh-server Version: 1:6.9p1-2ubuntu0.1, Architecture amd64 on Ubuntu 15.10 (wily)
Client: Prompt 2 v2.5.2 (Build 23057) on IOS 9.2.1 (see https://panic.com/prompt/)

My /etc/ssh/sshd_config mentions:

> KexAlgorithms
> curve25519-sha...@libssh.org,diffie-hellman-group-exchange-sha256

When my /etc/ssh/moduli is generated to contain only 4096 bit primes, and I log in from my iPad using Prompt 2, the server logs the following message in /var/log/auth.log:

Mar 22 21:47:40 srv01 sshd[28876]: WARNING: no suitable primes in /etc/ssh/primes

The file /etc/ssh/primes does not exist on the server system; neither is it mentioned in the (FILES section of the) sshd(8) manpage, which, incidentally, does mention /etc/ssh/moduli.

- The above message is not logged in case /etc/ssh/moduli is generated to contain all of 2048, 3072 and 4096 bit primes.

I hope the report is now as complete as it should be. In case I find other ways to reproduce the error, I will let you know.
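The reproduction above, as an added example that is not part of the original thread or of OpenSSH: it parses moduli(5)-format text and checks whether a group-exchange request (minimum, preferred, maximum bits) can be met, naming the file that was actually read. The sample entries, the request values and the closest-fit selection rule are assumptions; the thread does not show what the client requested.

```python
from collections import Counter

# Constructed moduli(5)-style entries (placeholders, not real primes). Columns:
# time type tests trials size generator modulus
ONLY_4096 = """\
# constructed sample: 4096-bit groups only
20160322000000 2 6 100 4095 2 C0FFEE01
20160322000001 2 6 100 4095 5 C0FFEE02
"""
MIXED = ONLY_4096 + """\
20160322000002 2 6 100 2047 2 C0FFEE03
20160322000003 2 6 100 3071 2 C0FFEE04
"""


def group_sizes(moduli_text):
    """Return the group size in bits for every well-formed entry."""
    sizes = []
    for line in moduli_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        fields = line.split()
        if len(fields) != 7 or not fields[4].isdigit():
            continue  # malformed entry
        # The size column holds one less than the modulus length
        # (2047, 3071, 4095), so add one to get the group size.
        sizes.append(int(fields[4]) + 1)
    return sizes


def check_request(moduli_text, min_bits, want_bits, max_bits,
                  path="/etc/ssh/moduli"):
    """Report whether any group fits min_bits..max_bits and which one a
    closest-fit rule would pick (assumed rule, not sshd's exact code)."""
    sizes = group_sizes(moduli_text)
    usable = sorted({s for s in sizes if min_bits <= s <= max_bits})
    result = {"available": dict(Counter(sizes)), "usable": usable,
              "chosen": None, "message": None}
    if not usable:
        # Name the file that was read, which is what the bug is about.
        result["message"] = (f"no suitable primes in {path} "
                             f"for request {min_bits}/{want_bits}/{max_bits}")
        return result
    at_or_above = [s for s in usable if s >= want_bits]
    result["chosen"] = min(at_or_above) if at_or_above else max(usable)
    return result


if __name__ == "__main__":
    # Assumed request values; the thread does not show the client's request.
    for name, text in (("4096-only", ONLY_4096), ("mixed", MIXED)):
        print(name, check_request(text, 1024, 2048, 2048))
```

Running `check_request` against the real file contents before regenerating /etc/ssh/moduli shows which request ranges would be left without a matching group.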
[Bug 1528251] Re: WARNING: no suitable primes in /etc/ssh/primes
OFERBA, I suspect you have a different issue than this bug report, which is about a misleading pathname in an error message. I'd suggest filing a new bug for your issue however I do not think it is appropriate to be shipping a new release with 1024 bit DH primes as a default supported configuration. See https://weakdh.org/ for more information.

Thanks
[Bug 1528251] Re: WARNING: no suitable primes in /etc/ssh/primes
** Tags added: architecture-s39064 bugnameltc-137850 severity-high targetmilestone-inin1604
[Bug 1528251] Re: WARNING: no suitable primes in /etc/ssh/primes
looking at openssh source code:

#define _PATH_DH_MODULI SSHDIR "/moduli"
/* Backwards compatibility */
#define _PATH_DH_PRIMES SSHDIR "/primes"

both paths are defined, with primes being a legacy/compat one. Ubuntu only uses the current default /moduli path. These are documented in ssh-keygen, you can see this manpage over here too http://manpages.ubuntu.com/manpages/xenial/en/man1/ssh-keygen.1.html#contenttoc3

Note, openssh supports and can be forced to use more combinations on client <-> server than available in the moduli, hence the caveat as per manpage. If one needs moduli beyond what's available in /moduli path, one may need to generate extra ones.

Nonetheless, please provide information as to how to reproduce this error: ssh client in use, ssh server in use, and version details of both client and server. Ideally including architecture and exact package version numbers.

The combined metadata on this bug report is inconsistent, and I'm failing to reproduce the described errors.

** Changed in: openssh (Ubuntu)
   Status: Confirmed => Incomplete
[Bug 1528251] Re: WARNING: no suitable primes in /etc/ssh/primes
This cannot be a bug on architecture-s39064 and 14.04.3 release simultaneously, as there is no s39064 for 14.04.

@bugproxy -> why these tags were added? Is this an automation issue, or metadata issue on your side?
[Bug 1528251] Re: WARNING: no suitable primes in /etc/ssh/primes
Assignee should be an appropriate screening team - probably taco or skipper.
[Bug 1528251] Re: WARNING: no suitable primes in /etc/ssh/primes
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: openssh (Ubuntu)
   Status: New => Confirmed