Trying to connect from Fedora 21 to CentOS 6.6, OpenSSH on both ends.
Connection is via a VPN.
Initially the connection seems good, but OpenSSH stalls at
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP.
Software version on servers:
openssh-server-5.3p1-104.el6_6.1.x86_64
openssh-5.3p1-104.el6_6.1.x86_64
Software version on client:
openssh-6.6.1p1-11.1.fc21.x86_64
also duplicated problem using local build of openssh-6.7p1.tar.gz
Connections to other CentOS 6 servers with identical SSH versions and
configurations are successful. (Configs are managed by Puppet so I'm
confident they really are identical, and I rebooted the server before the
test below.)
Connections to the problem server using Windows PuTTY SSH are successful!
(Using a Windows VM running on the same Fedora 21 client machine, inside
VirtualBox.)
VPN MTU is 1400. Ping check for packet size:
% ping -M do -s 1372 10.77.16.71
PING 10.77.16.71 (10.77.16.71) 1372(1400) bytes of data.
1380 bytes from 10.77.16.71: icmp_seq=1 ttl=61 time=69.4 ms
Server MTU is 1500, and I've confirmed that 1472-byte packets ping
successfully from other servers to the problem server.
Here's a transcript using ssh -vvv and a build of OpenSSH from
openssh-6.7p1 sources:
% ./ssh -vvv docs.rtp.tecnet
OpenSSH_6.7p1, OpenSSL 1.0.1k-fips 8 Jan 2015
debug1: Reading configuration data /home/meta/.ssh/config
/home/meta/.ssh/config line 1: Unsupported option "gssapiauthentication"
debug2: ssh_connect: needpriv 0
debug1: Connecting to docs.rtp.tecnet [10.77.16.71] port 22.
debug1: Connection established.
debug1: identity file /home/meta/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/meta/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/meta/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/meta/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/meta/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/meta/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/meta/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/meta/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "docs.rtp.tecnet" from file
"/home/meta/.ssh/known_hosts"
debug3: load_hostkeys: loaded 0 keys
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: curve25519-sha256@xxxxxxxxxx
,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,
ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,
ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,ssh-ed25519-cert-v01@xxxxxxxxxxx,
ssh-rsa-cert-v01@xxxxxxxxxxx,ssh-dss-cert-v01@xxxxxxxxxxx,
ssh-rsa-cert-v00@xxxxxxxxxxx,ssh-dss-cert-v00@xxxxxxxxxxx
,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,
aes128-gcm@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx,chacha20-poly1305@xxxxxxxxxxx
,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
rijndael-cbc@xxxxxxxxxxxxxx
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,
aes128-gcm@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx,chacha20-poly1305@xxxxxxxxxxx
,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
rijndael-cbc@xxxxxxxxxxxxxx
debug2: kex_parse_kexinit: umac-64-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx,
hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,
hmac-sha1-etm@xxxxxxxxxxx,umac-64@xxxxxxxxxxx,umac-128@xxxxxxxxxxx
,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@xxxxxxxxxxx,
hmac-ripemd160-etm@xxxxxxxxxxx,hmac-sha1-96-etm@xxxxxxxxxxx,
hmac-md5-96-etm@xxxxxxxxxxx,hmac-md5,hmac-ripemd160,
hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: umac-64-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx,
hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,
hmac-sha1-etm@xxxxxxxxxxx,umac-64@xxxxxxxxxxx,umac-128@xxxxxxxxxxx
,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@xxxxxxxxxxx,
hmac-ripemd160-etm@xxxxxxxxxxx,hmac-sha1-96-etm@xxxxxxxxxxx,
hmac-md5-96-etm@xxxxxxxxxxx,hmac-md5,hmac-ripemd160,
hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx,zlib
debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour
debug2: kex_parse_kexinit: hmac-sha1,hmac-ripemd160
debug2: kex_parse_kexinit: hmac-sha1,hmac-ripemd160
debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx
debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: setup hmac-sha1
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug2: mac_setup: setup hmac-sha1
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<7680<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
[hangs]
Here's the config output from building OpenSSH as used above:
OpenSSH has been configured with the following options:
User binaries: /usr/local/bin
System binaries: /usr/local/sbin
Configuration files: /usr/local/etc
Askpass program: /usr/local/libexec/ssh-askpass
Manual pages: /usr/local/share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH:
/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
Manpage format: doc
PAM support: no
OSF SIA support: no
KerberosV support: no
SELinux support: no
Smartcard support:
S/KEY support: no
MD5 password support: no
libedit support: no
Solaris process contract support: no
Solaris project support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Privsep sandbox style: seccomp_filter
Host: x86_64-unknown-linux-gnu
Compiler: gcc
Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized
-Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess
-Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing
-D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong
-fPIE
Preprocessor flags:
Linker flags: -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack
-fstack-protector-strong -pie
Libraries: -lcrypto -ldl -lutil -lz -lnsl -lcrypt -lresolv
So... Any ideas what I can try next to track down the source of the problem?
mathew
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
