Re: Debian Stretch 9.6: openssh-server and old dropbear client don't work togheter

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On 2018/11/23 12:23, owl700@xxxxxxxxx wrote:
> Il giorno gio 22 nov 2018 alle ore 21:24 Stuart Henderson
> <stu@xxxxxxxxxxxxxxx> ha scritto:
> >
> > On 2018/11/22 19:55, owl700@xxxxxxxxx wrote:
> > > Hi, I have compatibility issues with the latest version of
> > > openssh-server and an old dropbear client, the dopbear client stops at
> > > preauth
> > >
> > > ov 22 14:34:03  myhostname sshd[3905]: debug1: Client protocol version
> > > 2.0; client software version dropbear_0.46
> > > Nov 22 14:34:03 myhostname sshd[3905]: debug1: no match: dropbear_0.46
> > > Nov 22 14:34:03 myhostname sshd[3905]: debug1: Local version string
> > > SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u4
> > > Nov 22 14:34:03 myhostname sshd[3905]: debug1: Enabling compatibility
> > > mode for protocol 2.0
> > > Nov 22 14:34:03 myhostname sshd[3905]: debug2: fd 3 setting O_NONBLOCK
> > > Nov 22 14:34:03 myhostname sshd[3905]: debug2: Network child is on pid 3906
> > > Nov 22 14:34:03 myhostname sshd[3905]: debug3: preauth child monitor started
> > > Nov 22 14:34:03 myhostname sshd[3905]: debug3: privsep user:group
> > > 106:65534 [preauth]
> > > Nov 22 14:34:03 myhostname sshd[3905]: debug1: permanently_set_uid:
> > > 106/65534 [preauth]
> > > Nov 22 14:34:03 myhostname sshd[3905]: debug1: list_hostkey_types:
> > > ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256 [preauth]
> > > Nov 22 14:34:03 myhostname sshd[3905]: debug3: send packet: type 20 [preauth]
> > > Nov 22 14:34:03 myhostname sshd[3905]: debug1: SSH2_MSG_KEXINIT sent [preauth]
> > >
> > > Can you help?
> >
> > That ~13-year-old version of dbclient only has weak key exchange methods -
> > diffie-hellman-group1-sha1, "OpenSSH supports this method, but does not
> > enable it by default because is weak and within theoretical range of the
> > so-called Logjam attack" and diffie-hellman-group1-dss, disabled by default
> > in OpenSSH in 2015.
> >
> > Also only weak CBC-mode ciphers, disabled by default in 2014.
> >
> > The right answer is to run a newer client.
> >
> > If there's no way to do that, least worst is probably to connect to
> > a jump host on the LAN (locked-down as much as possible), running
> > modern OpenSSH sshd but with weak kex/ciphers enabled, in this
> > case you could use something like
> >
> > KexAlgorithms +diffie-hellman-group1-sha1
> > Ciphers +aes128-cbc
> >
> > This is still not recommended, but at least you could keep the weak
> > crypto off the internet this way.
> 
> Thanks Stuart
> 
> I have tried to use the right KexAlgorithm and Ciphers, but dropbear
> client fail always
> 
> myhostname sshd[3905]: debug1: SSH2_MSG_KEXINIT sent [preauth]
> 
> There aren't other debug messages
> 
> Only for test purpose i have add all options i can in
> /etc/sshd_config, but nothing, what am I doing wrong?
> 
> Ciphers 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,arcfour128,arcfour256,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@xxxxxxxxxxxxxx,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx,chacha20-poly1305@xxxxxxxxxxx
> HostbasedAcceptedKeyTypes
> ssh-ed25519,ssh-ed25519-cert-v01@xxxxxxxxxxx,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa-cert-v01@xxxxxxxxxxx,ssh-dss-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx
> HostKeyAlgorithms
> ssh-ed25519,ssh-ed25519-cert-v01@xxxxxxxxxxx,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa-cert-v01@xxxxxxxxxxx,ssh-dss-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx
> KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,curve25519-sha256,curve25519-sha256@xxxxxxxxxx
> MACs hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-512,hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,umac-64@xxxxxxxxxxx,umac-128@xxxxxxxxxxx,hmac-sha1-etm@xxxxxxxxxxx,hmac-sha1-96-etm@xxxxxxxxxxx,hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,hmac-md5-etm@xxxxxxxxxxx,hmac-md5-96-etm@xxxxxxxxxxx,hmac-ripemd160-etm@xxxxxxxxxxx,umac-64-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx
> PubkeyAcceptedKeyTypes
> ssh-ed25519,ssh-ed25519-cert-v01@xxxxxxxxxxx,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa-cert-v01@xxxxxxxxxxx,ssh-dss-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx

Not sure, but I *was* able to connect from dropbear 0.46 dbclient
with just the two lines I mentioned added to sshd_config (and config
reloaded of course).

When things didn't match up I did have error messages displayed by
the client, which are likely to be more useful than server-side messages
in this case.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux