Date: Wed, 24 Jul 2002 13:14:49 -0700
From: Eli Dart <dart@nersc.gov>
To: twig les <twigles@yahoo.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: SSH problem (was ssh cipher)
Message-ID: <20020724201450.8DAD63B1AD@gemini.nersc.gov>
In-Reply-To: Message from twig les <twigles@yahoo.com> of "Wed, 24 Jul 2002 12:33:25 PDT." <20020724193325.92208.qmail@web10107.mail.yahoo.com>

I seem to remember encountering something like this some time ago. Do
you have tcp wrappers configured to display a banner? I think this
was what caused the problem for me -- the banner that tcp wrappers
injected fouled up the ssh protocol negotiations.

I could be wrong about this....memory is fuzzy today...

        --eli

In reply to twig les <twigles@yahoo.com> :

> Well the problem isn't ssh.com vs openssh. I sshed
> from the pos box to my sniffer and got in, but
> couldn't ssh back again. This is the verbose output
> from the session from the pos to the sniffer:
>
> <snip>
> # ssh -v -v -v -l snort 10.x.x.x
> OpenSSH_2.5.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
> Contains Cisco Secure Intrusion Detection System modifications.
> Domestic strength encryption. (k9).
> debug: Reading configuration data /etc/ssh_config
> debug: ssh_connect: getuid 0 geteuid 0 anon 0
> debug: Connecting to 10.20.0.124 [10.20.0.124] port 922.
> debug: Allocated local port 1023.
> debug: Connection established.
> debug: identity file /root/.ssh/identity type 3
> debug: identity file /root/.ssh/id_dsa type 3
> debug: Remote protocol version 1.99, remote software version OpenSSH_2.3.0 FreeBSD localisations 20010713
> debug: match: OpenSSH_2.3.0 FreeBSD localisations 20010713 pat ^OpenSSH_2\.3\.0
> debug: Local version string SSH-1.5-OpenSSH_2.5.1p2
> debug: Waiting for server public key.
> debug: Received server public key (768 bits) and host key (1024 bits).
> <snip>
> debug: Encryption type: 3des
> debug: Sent encrypted session key.
> debug: Installing crc compensation attack detector.
> debug: Received encrypted confirmation.
> debug: Doing password authentication.
> snort@10.x.x.x's password:
> <snip>
>
>
> But when sshing back, I got the following:
>
>
> %ssh -c 3des-cbc -v -v -v 10.20.0.90
> SSH Version OpenSSH_2.3.0 FreeBSD localisations 20010713, protocol versions 1.5/2.0.
> Compiled with SSL (0x0090601f).
> debug: Reading configuration data /etc/ssh/ssh_config
> debug: ssh_connect: getuid 1001 geteuid 1001 anon 1
> debug: Connecting to (null) [10.20.0.90] port 22.
> debug: Connection established.
> ssh_exchange_identification: Connection closed by remote host
> debug: Calling cleanup 0x8058204(0x0)
> <snip>
>
> Things I've ruled out:
> Incompatibility with ssh.com and openssh (can ssh from
> sniffer to ssh.com boxes).
> Wrong user
> Wrong listening port
> Unallowed source IP (I can telnet in, but not SSH)
> Wrong cipher - it's using 3des
>
> Am I destined to bang my head on the desk and load
> Warcraft 3?
>
>
> --- Peter Pentchev <roam@ringlet.net> wrote:
> > On Wed, Jul 24, 2002 at 11:02:09AM -0700, twig les wrote:
> > > All, I have a POS box running an old version of
> > > openssh (not allowed to upgrade it, sigh). Right now
> > > our jumpoff point is running ssh.com software and gets
> > > the following error immediately:
> > >
> > > ssh 1.1.1.1
> > > warning: Authentication failed.
> > > Disconnected; connection lost (Connection closed.).
> > >
> > > I've tried specifying the user and even the port but I
> > > think the problem may be that the openssh (2.5 i
> > > think) may not be using the correct cipher. How do I
> > > check what cipher this guy is using? Also, this box
> > > has got to be logging the connections attempts
> > > somewhere, but I haven't seen it.
> >
> > Does the ssh.com SSH client have something resembling
> > the OpenSSH client's "-v" command-line option, and
> > especially its "-v -v -v" functionality? :)
> >
> > G'luck,
> > Peter
> >
> > --
> > Peter Pentchev roam@ringlet.net roam@FreeBSD.org
> > PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
> > Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
> > No language can express every thought unambiguously,
> > least of all this one.
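
An added example, not part of the original message or of OpenSSH: a Python check of what a server sends before the client speaks. It separates the two conditions discussed in this thread, text arriving ahead of the `SSH-` identification string (the tcp wrappers banner scenario described in the reply) and a close with no identification string at all (the point where the client above reports `ssh_exchange_identification: Connection closed by remote host`). The function names and the sample banner text are assumptions made for illustration.

```python
import re
import socket

# Identification string format: SSH-<protoversion>-<softwareversion>[ comments]
IDENT_RE = re.compile(rb"^SSH-(\d+\.\d+)-(\S+)")

def classify_greeting(data: bytes) -> dict:
    """Classify what a server sent before the client has sent anything."""
    extra = []  # non-empty lines seen ahead of the identification string
    for raw in data.replace(b"\r\n", b"\n").split(b"\n"):
        line = raw.decode("ascii", "replace")
        m = IDENT_RE.match(raw)
        if m:
            return {"verdict": "banner-before-ident" if extra else "clean",
                    "proto": m.group(1).decode(), "ident": line, "extra": extra}
        if line.strip():
            extra.append(line)
    # No identification line at all: empty data means the peer closed straight
    # after accepting the connection; otherwise non-SSH text was followed by EOF.
    verdict = "non-ssh-data-then-close" if extra else "closed-before-ident"
    return {"verdict": verdict, "proto": None, "ident": None, "extra": extra}

def read_greeting(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Collect bytes from a server you administer until ident line, EOF or timeout."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            while len(buf) < 4096:
                chunk = s.recv(256)
                if not chunk:
                    break  # server closed the connection
                buf += chunk
                if re.search(rb"(?m)^SSH-[^\n]*\n", buf):
                    break  # complete identification line received
        except socket.timeout:
            pass
    return buf

# Constructed samples; the version string is the one shown in the -v output above.
IDENT = b"SSH-1.99-OpenSSH_2.3.0 FreeBSD localisations 20010713\n"
SAMPLES = {
    "clean": IDENT,
    "bannered": b"Authorized use only.\r\n" + IDENT,  # constructed banner text
    "closed": b"",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, classify_greeting(data))
```

For a live check, pass the result of `read_greeting(host, port)` to `classify_greeting`; the `extra` list shows exactly which lines preceded the identification string.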