Jeff, I have had also faced the same problem, but it was resolved when my team cross examined the new server certificate file for compatibility, there was a change in certificate/ key size. I think you can take up this problem as a bug. Also I have found on mutiple OpenVPN forum that people have found work around for this compatibility issue by creating a script asking the server to ignore the Bad Packet Length error. Ref: https://launchpad.net/ubuntu/gutsy/+source/logcheck/1.2.55 http://lists.mindrot.org/pipermail/openssh-unix-dev/2007-September.txt I hope it helps On Thu, Jan 8, 2009 at 11:37 AM, Jeff Blaine <jblaine@xxxxxxxxxxxx> wrote: > Server: OpenSSH 5.1p1 > Client: OpenSSH 4.3p2 > > Works fine when server is OpenSSH 4.4p1 instead (our old > instance we're trying to upgrade to 5.1p1) > > Any ideas? Adding '-2' to the ssh command line buys me > nothing. > > % /usr/local/bin/ssh -v -v -v -p 6000 sshserver > OpenSSH_4.3p2, OpenSSL 0.9.8d 28 Sep 2006 > debug1: Reading configuration data /usr/local/etc/ssh_config > debug2: ssh_connect: needpriv 0 > debug1: Connecting to sshserver [XX.YY.10.1] port 6000. > debug1: Connection established. > debug1: identity file /home/jblaine/.ssh/identity type -1 > debug1: identity file /home/jblaine/.ssh/id_rsa type -1 > debug1: identity file /home/jblaine/.ssh/id_dsa type -1 > debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1 > debug1: match: OpenSSH_5.1 pat OpenSSH* > debug1: Enabling compatibility mode for protocol 2.0 > debug1: Local version string SSH-2.0-OpenSSH_4.3 > debug2: fd 4 setting O_NONBLOCK > debug1: SSH2_MSG_KEXINIT sent > debug1: SSH2_MSG_KEXINIT received > debug2: kex_parse_kexinit: > diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 > debug2: kex_parse_kexinit: ssh-rsa,ssh-dss > debug2: kex_parse_kexinit: > aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@xxxxxxxxxxxxxx,aes128-ctr,aes192-ctr,aes256-ctr > debug2: kex_parse_kexinit: > aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@xxxxxxxxxxxxxx,aes128-ctr,aes192-ctr,aes256-ctr > debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96 > debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96 > debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx,zlib > debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx,zlib > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: first_kex_follows 0 > debug2: kex_parse_kexinit: reserved 0 > debug2: kex_parse_kexinit: > diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 > debug2: kex_parse_kexinit: ssh-rsa,ssh-dss > debug2: kex_parse_kexinit: > aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@xxxxxxxxxxxxxx,aes128-ctr,aes192-ctr,aes256-ctr > debug2: kex_parse_kexinit: > aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@xxxxxxxxxxxxxx,aes128-ctr,aes192-ctr,aes256-ctr > debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96 > debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96 > debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx > debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: first_kex_follows 0 > debug2: kex_parse_kexinit: reserved 0 > debug2: mac_init: found hmac-md5 > debug1: kex: server->client aes128-cbc hmac-md5 none > debug2: mac_init: found hmac-md5 > debug1: kex: client->server aes128-cbc hmac-md5 none > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP > debug2: dh_gen_key: priv key bits set: 113/256 > debug2: bits set: 525/1024 > debug1: SSH2_MSG_KEX_DH_GEX_INIT sent > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY > debug3: check_host_in_hostfile: filename /home/jblaine/.ssh/known_hosts > debug3: check_host_in_hostfile: filename /usr/local/etc/ssh_known_hosts > debug3: check_host_in_hostfile: filename /home/jblaine/.ssh/known_hosts > debug3: check_host_in_hostfile: filename /usr/local/etc/ssh_known_hosts > debug3: check_host_in_hostfile: filename /home/jblaine/.ssh/known_hosts > debug3: check_host_in_hostfile: filename /usr/local/etc/ssh_known_hosts > debug2: no key of type 0 for host sshserver > debug3: check_host_in_hostfile: filename /home/jblaine/.ssh/known_hosts2 > debug3: check_host_in_hostfile: filename /usr/local/etc/ssh_known_hosts2 > debug3: check_host_in_hostfile: filename /home/jblaine/.ssh/known_hosts > debug3: check_host_in_hostfile: filename /usr/local/etc/ssh_known_hosts > debug2: no key of type 2 for host sshserver > The authenticity of host 'sshserver (XX.YY.10.1)' can't be established. > RSA key fingerprint is 88:b0:14:81:c9:86:4f:a5:a8:96:87:f3:24:df:0c:8b. > Are you sure you want to continue connecting (yes/no)? yes > Warning: Permanently added 'sshserver,XX.YY.10.1' (RSA) to the list of > known hosts. > debug2: bits set: 519/1024 > debug1: ssh_rsa_verify: signature correct > debug2: kex_derive_keys > debug2: set_newkeys: mode 1 > debug1: SSH2_MSG_NEWKEYS sent > debug1: expecting SSH2_MSG_NEWKEYS > debug2: set_newkeys: mode 0 > debug1: SSH2_MSG_NEWKEYS received > debug1: SSH2_MSG_SERVICE_REQUEST sent > Disconnecting: Bad packet length 3346013531. > > bash-2.05# /custom/openssh-5.1p1/sbin/sshd -p 6000 -d > debug1: sshd version OpenSSH_5.1p1 > debug1: read PEM private key done: type RSA > debug1: private host key: #0 type 1 RSA > debug1: read PEM private key done: type DSA > debug1: private host key: #1 type 2 DSA > debug1: rexec_argv[0]='/linus/openssh-5.1p1/sbin/sshd' > debug1: rexec_argv[1]='-p' > debug1: rexec_argv[2]='6000' > debug1: rexec_argv[3]='-d' > debug1: Bind to port 6000 on ::. > Server listening on :: port 6000. > debug1: Bind to port 6000 on 0.0.0.0. > Server listening on 0.0.0.0 port 6000. > debug1: fd 6 clearing O_NONBLOCK > debug1: Server will not fork when running in debugging mode. > debug1: rexec start in 6 out 6 newsock 6 pipe -1 sock 11 > debug1: inetd sockets after dupping: 4, 4 > Connection from XX.YY.10.14 port 51518 > debug1: Client protocol version 2.0; client software version OpenSSH_4.3 > debug1: match: OpenSSH_4.3 pat OpenSSH* > debug1: Enabling compatibility mode for protocol 2.0 > debug1: Local version string SSH-2.0-OpenSSH_5.1 > debug1: permanently_set_uid: 27/65000 > debug1: list_hostkey_types: ssh-rsa,ssh-dss > debug1: SSH2_MSG_KEXINIT sent > debug1: SSH2_MSG_KEXINIT received > debug1: kex: client->server aes128-cbc hmac-md5 none > debug1: kex: server->client aes128-cbc hmac-md5 none > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received > debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent > debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT > debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent > debug1: SSH2_MSG_NEWKEYS sent > debug1: expecting SSH2_MSG_NEWKEYS > debug1: SSH2_MSG_NEWKEYS received > debug1: KEX done > Disconnecting: Bad packet length 2596886957. > debug1: do_cleanup > debug1: do_cleanup > bash-2.05# > > -- Regards Vivek P Nair VP Technology Appin Software Security Private Limited | vivekp@xxxxxxxxxxxxxxx | vivek.p@xxxxxxxxxxxxx | 09999668010 | d3adbra1n.wordpress.com | Three ways to gain Success 1. know more than others 2. work more than others 3. expect less than others
