> Many aging ciphers, hashes, and key exchanges are in the process of being
> retired. <1kbit Diffie Hellman moduli have been removed as well in 6.9, I
> believe.
>
> If the Ciscos rely on <1kbit DH moduli or SHA1/MD5 hash based proposals to
> work, that could be your problem.

We did not update the moduli file.

> A comparison of the two versions' output from: (ssh -Q kex ; ssh -Q mac ; ssh
> -Q cipher) MAY help narrow it down

Outputs are identical other than 6.7 prints diffie-hellman-group1-sha1 twice.

> but I think you'll need to enable protocol
> debug logging on the server side and see which proposals that the Cisco is
> using that's no longer available in 6.9 (by default). You may just need to
> add two or three lines to 6.9's sshd_config file, i.e.,
> KexAlgorithms/MACs/Ciphers.

It doesn't appear to be a kex, mac, or cipher issue as the problem is occurring after successful password authentication. Here's the debug output from initial connection to termination:

Connection from A.B.C.D port 57737 on E.F.G.H port 22
debug1: Client protocol version 2.0; client software version Cisco-1.25
debug1: match: Cisco-1.25 pat Cisco-1.* compat 0x40000000
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.9p1
debug2: fd 3 setting O_NONBLOCK
debug2: Network child is on pid 7677
debug3: preauth child monitor started
debug3: privsep user:group 99:99 [preauth]
debug1: permanently_set_uid: 99/99 [preauth]
debug1: list_hostkey_types: ssh-rsa,ssh-dss [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: AUTH STATE IS 0 [preauth]
debug2: kex_parse_kexinit: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,curve25519-sha256@xxxxxxxxxx,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 [preauth]
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss [preauth]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc [preauth]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc [preauth]
debug2: kex_parse_kexinit: hmac-sha1 [preauth]
debug2: kex_parse_kexinit: hmac-sha1 [preauth]
debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx [preauth]
debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx [preauth]
debug2: kex_parse_kexinit: [preauth]
debug2: kex_parse_kexinit: [preauth]
debug2: kex_parse_kexinit: first_kex_follows 0 [preauth]
debug2: kex_parse_kexinit: reserved 0 [preauth]
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
debug2: kex_parse_kexinit: ssh-rsa [preauth]
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc [preauth]
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc [preauth]
debug2: kex_parse_kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: none [preauth]
debug2: kex_parse_kexinit: none [preauth]
debug2: kex_parse_kexinit: [preauth]
debug2: kex_parse_kexinit: [preauth]
debug2: kex_parse_kexinit: first_kex_follows 0 [preauth]
debug2: kex_parse_kexinit: reserved 0 [preauth]
debug1: REQUESTED ENC.NAME is '3des-cbc' [preauth]
debug1: kex: client->server 3des-cbc hmac-sha1 none [preauth]
debug1: REQUESTED ENC.NAME is '3des-cbc' [preauth]
debug1: kex: server->client 3des-cbc hmac-sha1 none [preauth]
debug2: bits set: 974/2048 [preauth]
debug1: expecting SSH2_MSG_KEXDH_INIT [preauth]
debug2: bits set: 1077/2048 [preauth]
debug3: mm_key_sign entering [preauth]
debug3: mm_request_send entering: type 6 [preauth]
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN [preauth]
debug3: mm_request_receive_expect entering: type 7 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 6
debug3: mm_answer_sign
debug3: mm_answer_sign: hostkey proof signature 0x7fd190fb2a60(271)
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug2: set_newkeys: mode 1 [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug2: set_newkeys: mode 0 [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user username service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug3: mm_getpwnamallow entering [preauth]
debug3: mm_request_send entering: type 8 [preauth]
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth]
debug3: mm_request_receive_expect entering: type 9 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 8
debug3: mm_answer_pwnamallow
debug2: parse_server_config: config reprocess config len 1176
[list of tokens removed for brevity]
debug3: auth_shadow_acctexpired: today 16640 sp_expire -1 days left -16641
debug3: account expiration disabled
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 9
debug2: monitor_read: 8 used once, disabling now
debug2: input_userauth_request: setting up authctxt for username [preauth]
debug3: mm_inform_authserv entering [preauth]
debug3: mm_request_send entering: type 4 [preauth]
debug3: mm_auth2_read_banner entering [preauth]
debug3: mm_request_send entering: type 10 [preauth]
debug3: mm_request_receive_expect entering: type 11 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 4
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 4 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 10
debug3: mm_request_send entering: type 11
debug2: monitor_read: 10 used once, disabling now
debug1: userauth_send_banner: sent [preauth]
debug2: input_userauth_request: try method none [preauth]
debug3: userauth_finish: failure partial=0 next methods="gssapi-keyex,gssapi-with-mic,password" [preauth]
debug1: userauth-request for user username service ssh-connection method password [preauth]
debug1: attempt 1 failures 0 [preauth]
debug2: input_userauth_request: try method password [preauth]
debug3: mm_auth_password entering [preauth]
debug3: mm_request_send entering: type 12 [preauth]
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD [preauth]
debug3: mm_request_receive_expect entering: type 13 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 12
debug1: temporarily_use_uid: 934/55 (e=0/0)
debug1: restore_uid: 0/0
debug3: mm_answer_authpassword: sending result 1
debug3: mm_request_send entering: type 13
Accepted password for username from A.B.C.D port 57737 ssh2
debug1: monitor_child_preauth: username has been authenticated by privileged process
debug3: mm_get_keystate: Waiting for new keys
debug3: mm_request_receive_expect entering: type 26
debug3: mm_request_receive entering
debug3: mm_get_keystate: GOT new keys
debug3: mm_auth_password: user authenticated [preauth]
debug3: mm_request_send entering: type 26 [preauth]
debug3: mm_send_keystate: Finished sending state [preauth]
debug1: monitor_read_log: child log fd closed
debug3: mm_share_sync: Share sync
debug3: mm_share_sync: Share sync end
debug1: temporarily_use_uid: 934/55 (e=0/0)
debug1: ssh_gssapi_storecreds: Not a GSSAPI mechanism
debug1: restore_uid: 0/0
User child is on pid 7678
debug1: permanently_set_uid: 934/55
debug3: monitor_apply_keystate: packet_set_state
debug2: set_newkeys: mode 0
debug2: set_newkeys: mode 1
debug1: ssh_packet_set_postauth: called
debug3: ssh_packet_set_state: done
debug3: notify_hostkeys: key 1: ssh-rsa SHA256:XXXXXXXXX
debug3: notify_hostkeys: key 2: ssh-dss SHA256:XXXXXXXXX
debug3: notify_hostkeys: sent 2 hostkeys
debug1: Entering interactive session for SSH2.
debug2: fd 5 setting O_NONBLOCK
debug2: fd 6 setting O_NONBLOCK
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 3 win 8192 max 4096
debug1: input_session_request
debug1: channel 0: new [server-session]
debug2: session_new: allocate (allocated 0 max 10)
debug3: session_unused: session id 0 unused
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
Connection closed by A.B.C.D
debug1: channel 0: free: server-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 server-session (t10 r3 i0/0 o0/0 fd -1/-1 cc -1)
debug1: session_close: session 0 pid 0
debug3: session_unused: session id 0 unused
debug1: do_cleanup
debug1: krb5_cleanup_proc called
Transferred: sent 3680, received 816 bytes
Closing connection to A.B.C.D port 57737
debug3: mm_request_send entering: type 50
debug3: mm_request_receive entering
debug3: monitor_read: checking request 50
debug3: mm_answer_term: tearing down sessions

Howard
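The algorithm negotiation discussed in this message can be checked directly from the two kex_parse_kexinit blocks in the debug output. The Python below is an added example, not part of the original message and not OpenSSH code. It assumes the first block is sshd's own proposal and the second is the Cisco client's, and it applies only the first-client-match rule of RFC 4253 section 7.1, without the extra host-key compatibility conditions; parse_proposals and negotiate are names chosen for this example.

```python
import re

# Order of the ten name-lists in an SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
LINE = re.compile(r"debug2: kex_parse_kexinit: (.*?)\s*(?:\[preauth\])?\s*$")

# Sample input: the proposal lines from the debug output in the post, with
# wrapped names rejoined and the first_kex_follows/reserved lines left out.
LOG = """\
debug2: kex_parse_kexinit: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,curve25519-sha256@xxxxxxxxxx,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 [preauth]
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss [preauth]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc [preauth]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc [preauth]
debug2: kex_parse_kexinit: hmac-sha1 [preauth]
debug2: kex_parse_kexinit: hmac-sha1 [preauth]
debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx [preauth]
debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx [preauth]
debug2: kex_parse_kexinit: [preauth]
debug2: kex_parse_kexinit: [preauth]
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
debug2: kex_parse_kexinit: ssh-rsa [preauth]
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc [preauth]
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc [preauth]
debug2: kex_parse_kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: none [preauth]
debug2: kex_parse_kexinit: none [preauth]
debug2: kex_parse_kexinit: [preauth]
debug2: kex_parse_kexinit: [preauth]
"""

def parse_proposals(log):
    """Return (server, client) dicts mapping each KEXINIT field to its name-list."""
    vals = [m.group(1) for m in map(LINE.search, log.splitlines()) if m]
    vals = [v.split(",") if v else [] for v in vals
            if not v.startswith(("first_kex_follows", "reserved"))]
    if len(vals) != 2 * len(FIELDS):
        raise ValueError("expected two complete KEXINIT proposals")
    return dict(zip(FIELDS, vals[:10])), dict(zip(FIELDS, vals[10:]))

def negotiate(server, client):
    """Per field, the first name on the client's list the server also offers."""
    return {f: next((a for a in client[f] if a in server[f]), None)
            for f in FIELDS[:8]}  # language lists are empty and not negotiated

if __name__ == "__main__":
    server, client = parse_proposals(LOG)
    print(negotiate(server, client))
```

On the lines from the post this selects 3des-cbc, hmac-sha1 and none, the same values the "kex:" lines in the log report. A None in any field is what an algorithm mismatch looks like, and it would end the connection during key exchange rather than after authentication.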