On Wed, Jan 8, 2014 at 9:30 PM, <mikep at noc.utoronto.ca> wrote:
> On Wed, 8 Jan 2014, Loganaden Velvindron wrote:
>
>> On Tue, Dec 24, 2013 at 12:52 AM, <mikep at noc.utoronto.ca> wrote:
>>>
>>> On Wed, 13 Nov 2013, Loganaden Velvindron wrote:
>>>
>>>> On Wed, Nov 13, 2013 at 2:05 AM, Darren Tucker <dtucker at zip.com.au> wrote:
>>>>>
>>>>> On Tue, Nov 12, 2013 at 4:40 PM, <mikep at noc.utoronto.ca> wrote:
>>>>>
>>>>>> Just upgraded to OpenSSH_6.4 with OpenSSL 1.0.1e and libz.so.1.2.8.
>>>>>> Now some (but not all) Cisco router logins hang:
>>>>>>
>>>>>> debug1: sending SSH2_MSG_KEXDH_INIT
>>>>>> debug1: expecting SSH2_MSG_KEXDH_REPLY
>>>>>> [hangs]
>>>>>>
>>>>>
>>>>> Suggestions in approximate order of likelihood.
>>>>> - the additional KexAlgorithms exceed some static buffer in the Cisco.
>>>>>   Try:
>>>>>   "KexAlgorithms diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1"
>>>>> - you have some kind of path MTU problem and the extra traffic from the
>>>>>   additional algorithms pushes you past some packet boundary. Check the
>>>>>   "send-q" column on client and the equivalent on the server and see if
>>>>>   they're non-zero and non-decreasing).
>>>>
>>>> Shouldn't Mike open a ticket at CISCO so that they start fixing the
>>>> software on their side as well?
>>>
>>> Sorry to have taken so long to get back to you about this - your
>>> suggestion about "KexAlgorithms" caused me to test a lot of combinations
>>> to find what will work. It turns out the Cisco SSH server only supports
>>> a limited set of ciphers (this is documented sort-of by Cisco, and is
>>> displayed when you try to force a non-supported cipher).
>>
>> That's short-sighted coming from them.
>>
>> I have tested and I have the same problem with the latest snapshot. This
>> is very annoying.
>>
>> Do you have a ticket number where I can also chip in?
>
> I have no access to open Cisco tickets, and our local router person who
> does is still away (like most universities, we've been closed for the
> past few weeks).
>
> I'll talk to him when he gets back, but agree this is very annoying.

I can confirm that the issue is present on the CISCO 1841.

>>> This in turn seems to limit the key exchange mechanisms that will work.
>>>
>>> Forcing a cipher with '-c' also appears to force something in the Kex for
>>> OpenSSH; I can't find anything about Kex in any Cisco docs.
>>>
>>> I have created a special section of the 'ssh_config' file for those
>>> devices with these options, and all seems to be working fine:
>>>
>>> Ciphers aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
>>> KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
>>>
>>> Thank you for the help!
>>>
>>>>>> Originally I had 'Cipher blowfish' set in '/etc/ssh/ssh_config', but
>>>>>> removing that makes no difference.
>>>>>
>>>>> That's because Cipher affects only Protocol 1 (which was some time in
>>>>> the past the only version at least some Cisco devices spoke).
>>>>>
>>>>>> However, forcing '-c 3des' does
>>>>>> allow it to work (even though '3des' is supposed to be the default):
>>>>>
>>>>> 3des is the default Cipher for Protocol 1. Protocol 2 takes a list
>>>>> (Ciphers) and its default is
>>>>>
>>>>> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
>>>>> aes128-gcm at openssh.com,aes256-gcm at openssh.com,
>>>>> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
>>>>> aes256-cbc,arcfour
>>>>>
>>>>> the -c option overrides both.
>>>>>
>>>>> --
>>>>> Darren Tucker (dtucker at zip.com.au)
>>>>> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
>>>>> Good judgement comes with experience. Unfortunately, the experience
>>>>> usually comes from bad judgement.
>>>>> _______________________________________________
>>>>> openssh-unix-dev mailing list
>>>>> openssh-unix-dev at mindrot.org
>>>>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>>>
>>> Mike
>>> --
>>> Mike Peterson                  Information Security Analyst - Audit
>>> E-mail: mikep at noc.utoronto.ca    WWW: http://www.noc.utoronto.ca/
>>> Tel: 416-978-5230                Fax: 416-978-6620

--
This message is strictly personal and the opinions expressed do not represent those of my employers, either past or present.
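The workaround Mike describes re-enables CBC ciphers and diffie-hellman-group1-sha1 for the client, so it belongs in a Host-scoped stanza rather than at the top level of ssh_config, where it would weaken every connection. The script below is an added example, not code from the thread or from OpenSSH: it renders such a stanza for a Host pattern (the pattern "cisco-*" and the helper names are assumptions) using the exact Ciphers and KexAlgorithms lists from Mike's message, and it checks every name against what the local client reports through `ssh -Q cipher` and `ssh -Q kex` (available since OpenSSH 6.3), so that a misspelled name is caught instead of being silently ignored.

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread): render a
# Host-scoped ssh_config stanza for legacy Cisco devices and verify
# that the local ssh(1) client knows every algorithm name in it.

# The algorithm lists Mike settled on, copied from his message.
CISCO_CIPHERS="aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc"
CISCO_KEX="diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1"

# Print an ssh_config stanza restricted to one Host pattern, so the
# weaker algorithms are offered only to the devices that need them.
# The pattern passed in ("cisco-*" below) is an assumption.
render_host_block() {
    pattern=$1
    printf 'Host %s\n' "$pattern"
    printf '    Ciphers %s\n' "$CISCO_CIPHERS"
    printf '    KexAlgorithms %s\n' "$CISCO_KEX"
}

# Print each comma-separated name in $1 that is absent from the
# newline-separated list $2. Empty output means every name is known.
unsupported_names() {
    wanted=$1
    supported=$2
    echo "$wanted" | tr ',' '\n' | while IFS= read -r name; do
        [ -n "$name" ] || continue
        if ! printf '%s\n' "$supported" | grep -qxF -- "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# Compare both lists against the real client when ssh is on the PATH.
# Returns 1 if any configured name is unknown to this ssh build.
check_against_local_ssh() {
    if ! command -v ssh >/dev/null 2>&1; then
        echo "ssh not found; skipping local check" >&2
        return 0
    fi
    rc=0
    for pair in "cipher:$CISCO_CIPHERS" "kex:$CISCO_KEX"; do
        kind=${pair%%:*}
        list=${pair#*:}
        missing=$(unsupported_names "$list" "$(ssh -Q "$kind")")
        if [ -n "$missing" ]; then
            echo "local ssh does not support $kind: $missing" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: print the stanza, then report on the local client.
render_host_block "cisco-*"
if check_against_local_ssh; then
    echo "all configured names are supported by the local ssh" >&2
fi
```

Because ssh_config uses the first value it finds for each option, put this stanza before any general `Host *` section; the Ciphers and KexAlgorithms lines then apply only to hosts matching the pattern and the defaults stay in force everywhere else.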