upgrade openssh, too. or turn off HMAC-SHA1 in ssh-2.3.0, since
it's broken, e.g. use "Mac hmac-md5".
On Tue, Nov 14, 2000 at 07:26:39AM -0500, Michael Galloway wrote:
> good day all ...
>
> i began upgrading my ssh servers to version 2.3.0 yesterday. now when openssh
> clients try to connect they get this error:
>
> michael@theborg:~ > ssh -v -l mgx grail.lsd.ornl.gov
> SSH Version OpenSSH_2.1.1, protocol versions 1.5/2.0.
> Compiled with SSL (0x0090581f).
> debug: Reading configuration data /etc/ssh/ssh_config
> debug: Applying options for *
> debug: Seeding random number generator
> debug: ssh_connect: getuid 500 geteuid 0 anon 0
> debug: Connecting to grail.lsd.ornl.gov [160.91.102.19] port 22.
> debug: Seeding random number generator
> debug: Allocated local port 994.
> debug: Connection established.
> debug: Remote protocol version 2.0, remote software version 2.3.0 SSH Secure Shell (non-commercial)
> Enabling compatibility mode for protocol 2.0
> debug: Local version string SSH-2.0-OpenSSH_2.1.1
> debug: send KEXINIT
> debug: done
> debug: wait KEXINIT
> debug: got kexinit: diffie-hellman-group1-sha1
> debug: got kexinit: ssh-dss
> debug: got kexinit: 3des-cbc,blowfish-cbc,twofish-cbc,arcfour,3des-ecb,3des-cfb,3des-ofb,blowfish-ecb,blowfish-cfb,blowfish-ofb,des-ecb,des-cbc,des-cfb,des-ofb,twofish-ecb,twofish-cfb,twofish-ofb,none
> debug: got kexinit: 3des-cbc,blowfish-cbc,twofish-cbc,arcfour,3des-ecb,3des-cfb,3des-ofb,blowfish-ecb,blowfish-cfb,blowfish-ofb,des-ecb,des-cbc,des-cfb,des-ofb,twofish-ecb,twofish-cfb,twofish-ofb,none
> debug: got kexinit: hmac-sha1,hmac-md5,hmac-md5-96,hmac-sha1-96,hmac-ripemd160,hmac-ripemd160-96,sha1-8,sha1,md5-8,md5,ripemd160-8,ripemd160
> debug: got kexinit: hmac-sha1,hmac-md5,hmac-md5-96,hmac-sha1-96,hmac-ripemd160,hmac-ripemd160-96,sha1-8,sha1,md5-8,md5,ripemd160-8,ripemd160
> debug: got kexinit: none,zlib
> debug: got kexinit: none,zlib
> debug: got kexinit:
> debug: got kexinit:
> debug: first kex follow: 0
> debug: reserved: 0
> debug: done
> debug: kex: server->client 3des-cbc hmac-sha1 none
> debug: kex: client->server 3des-cbc hmac-sha1 none
> debug: Sending SSH2_MSG_KEXDH_INIT.
> debug: bits set: 494/1024
> debug: Wait SSH2_MSG_KEXDH_REPLY.
> debug: Got SSH2_MSG_KEXDH_REPLY.
> debug: keytype ssh-dss
> debug: keytype ssh-dss
> debug: keytype ssh-dss
> debug: Host 'grail.lsd.ornl.gov' is known and matches the DSA host key.
> debug: bits set: 500/1024
> debug: len 55 datafellows 0
> debug: dsa_verify: signature correct
> debug: Wait SSH2_MSG_NEWKEYS.
> debug: GOT SSH2_MSG_NEWKEYS.
> debug: send SSH2_MSG_NEWKEYS.
> debug: done: send SSH2_MSG_NEWKEYS.
> debug: done: KEX2.
> debug: send SSH2_MSG_SERVICE_REQUEST
> Disconnecting: Corrupted HMAC on input.
> debug: Calling cleanup 0x805d200(0x0)
>
>
> what did i break during the upgrade?
>
> -- michael
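
Added example, not part of the original thread: a small triage script for `ssh -v` output in the debug format quoted above. It reports the MAC negotiated in each direction and flags the pattern discussed here (ssh-2.3.0 peer, hmac-sha1, "Corrupted HMAC on input"). The function names are hypothetical and the sample log is an excerpt of the quoted session.

```python
import re

# Excerpt of the `ssh -v` output quoted above (OpenSSH 2.1.1 debug format).
SAMPLE_LOG = """\
debug: Remote protocol version 2.0, remote software version 2.3.0 SSH Secure Shell (non-commercial)
debug: Local version string SSH-2.0-OpenSSH_2.1.1
debug: kex: server->client 3des-cbc hmac-sha1 none
debug: kex: client->server 3des-cbc hmac-sha1 none
debug: done: KEX2.
debug: send SSH2_MSG_SERVICE_REQUEST
Disconnecting: Corrupted HMAC on input.
"""

REMOTE_RE = re.compile(r"remote software version (.+)$")
LOCAL_RE = re.compile(r"Local version string (\S+)")
KEX_RE = re.compile(r"kex: (server->client|client->server) (\S+) (\S+) (\S+)")

def parse_ssh_debug(text):
    """Collect peer versions, negotiated algorithms per direction, and MAC failure."""
    info = {"remote": None, "local": None, "kex": {}, "mac_failure": False}
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate mail-quoted logs
        if m := REMOTE_RE.search(line):
            info["remote"] = m.group(1)
        elif m := LOCAL_RE.search(line):
            info["local"] = m.group(1)
        elif m := KEX_RE.search(line):
            direction, cipher, mac, comp = m.groups()
            info["kex"][direction] = {"cipher": cipher, "mac": mac, "compression": comp}
        elif "Corrupted HMAC on input" in line:
            info["mac_failure"] = True
    return info

def diagnose(info):
    """Return findings for the failure pattern described in this thread."""
    findings = []
    macs = {d: a["mac"] for d, a in info["kex"].items()}
    if info["mac_failure"] and macs:
        findings.append("MAC check failed right after key exchange; negotiated MACs: "
                        + ", ".join(f"{d}={m}" for d, m in sorted(macs.items())))
        if "hmac-sha1" in macs.values() and (info["remote"] or "").startswith("2.3.0"):
            findings.append("peer is ssh-2.3.0 with hmac-sha1: matches this thread; "
                            "upgrade OpenSSH or use 'Mac hmac-md5' in ssh-2.3.0")
    return findings

if __name__ == "__main__":
    for finding in diagnose(parse_ssh_debug(SAMPLE_LOG)):
        print(finding)
```

A session where hmac-md5 was negotiated and no disconnect occurred yields no findings.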