From: Eli Dart
To: twig les
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: SSH problem (was ssh cipher)
Date: Wed, 24 Jul 2002 13:14:49 -0700
Message-Id: <20020724201450.8DAD63B1AD@gemini.nersc.gov>
In-Reply-To: Message from twig les of "Wed, 24 Jul 2002 12:33:25 PDT." <20020724193325.92208.qmail@web10107.mail.yahoo.com>

I seem to remember encountering something like this some time ago.
Do you have tcp wrappers configured to display a banner? I think
this was what caused the problem for me -- the banner that tcp
wrappers injected fouled up the ssh protocol negotiations.

I could be wrong about this....memory is fuzzy today...

--eli

In reply to twig les:

> Well the problem isn't ssh.com vs openssh. I sshed
> from the pos box to my sniffer and got in, but
> couldn't ssh back again. This is the verbose output
> from the session from the pos to the sniffer:
>
> # ssh -v -v -v -l snort 10.x.x.x
> OpenSSH_2.5.1p2, SSH protocols 1.5/2.0, OpenSSL
> 0x0090600f
> Contains Cisco Secure Intrusion Detection System
> modifications.
> Domestic strength encryption. (k9).
> debug: Reading configuration data /etc/ssh_config
> debug: ssh_connect: getuid 0 geteuid 0 anon 0
> debug: Connecting to 10.20.0.124 [10.20.0.124] port
> 922.
> debug: Allocated local port 1023.
> debug: Connection established.
> debug: identity file /root/.ssh/identity type 3
> debug: identity file /root/.ssh/id_dsa type 3
> debug: Remote protocol version 1.99, remote software
> version OpenSSH_2.3.0 FreeBSD localisations 20010713
> debug: match: OpenSSH_2.3.0 FreeBSD localisations
> 20010713 pat ^OpenSSH_2\.3\.0
> debug: Local version string SSH-1.5-OpenSSH_2.5.1p2
> debug: Waiting for server public key.
> debug: Received server public key (768 bits) and host
> key (1024 bits).
>
> debug: Encryption type: 3des
> debug: Sent encrypted session key.
> debug: Installing crc compensation attack detector.
> debug: Received encrypted confirmation.
> debug: Doing password authentication.
> snort@10.x.x.x's password:
>
> But when sshing back, I got the following:
>
> %ssh -c 3des-cbc -v -v -v 10.20.0.90
> SSH Version OpenSSH_2.3.0 FreeBSD localisations
> 20010713, protocol versions 1.5/2.0.
> Compiled with SSL (0x0090601f).
> debug: Reading configuration data /etc/ssh/ssh_config
> debug: ssh_connect: getuid 1001 geteuid 1001 anon 1
> debug: Connecting to (null) [10.20.0.90] port 22.
> debug: Connection established.
> ssh_exchange_identification: Connection closed by
> remote host
> debug: Calling cleanup 0x8058204(0x0)
>
> Things I've ruled out:
> Incompatibility with ssh.com and openssh (can ssh from
> sniffer to ssh.com boxes).
> Wrong user
> Wrong listening port
> Unallowed source IP (I can telnet in, but not SSH)
> Wrong cipher - it's using 3des
>
> Am I destined to bang my head on the desk and load
> Warcraft 3?
>
> --- Peter Pentchev wrote:
> > On Wed, Jul 24, 2002 at 11:02:09AM -0700, twig les wrote:
> > > All, I have a POS box running an old version of
> > > openssh (not allowed to upgrade it, sigh). Right now
> > > our jumpoff point is running ssh.com software and gets
> > > the following error immediately:
> > >
> > > ssh 1.1.1.1
> > > warning: Authentication failed.
> > > Disconnected; connection lost (Connection closed.).
> > >
> > > I've tried specifying the user and even the port but I
> > > think the problem may be that the openssh (2.5 i
> > > think) may not be using the correct cipher. How do I
> > > check what cipher this guy is using? Also, this box
> > > has got to be logging the connections attempts
> > > somewhere, but I haven't seen it.
> >
> > Does the ssh.com SSH client have something resembling
> > the OpenSSH client's "-v" command-line option, and
> > especially its "-v -v -v" functionality? :)
> >
> > G'luck,
> > Peter
> >
> > --
> > Peter Pentchev roam@ringlet.net roam@FreeBSD.org
> > PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
> > Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
> > No language can express every thought unambiguously,
> > least of all this one.
>
> =====
> -----------------------------------------------------------
> All warfare is based on deception.
> -----------------------------------------------------------
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
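
Added example, not part of the original thread or of OpenSSH: a small diagnostic for the stage where the failing session above stopped, classifying whatever a listener sends before (or instead of) its SSH identification line. The function names, status labels and sample byte strings are constructed for illustration; the version string is the one shown in the debug output above.

```python
import re
import socket

# Identification line format: SSH-protoversion-softwareversion [SP comments]
IDENT_RE = re.compile(rb"^SSH-(\d+\.\d+)-(\S+)(?: (.*))?$")
# "1.99" is how a server advertises both protocol 1.5 and 2.0.
OFFERS = {"1.99": ["1.5", "2.0"]}

def read_preamble(host, port=22, timeout=5.0, limit=1024):
    """Return the first bytes a listener sends (b"" if it closes at once)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(limit)

def classify_preamble(data):
    """Classify what arrived before (or instead of) the SSH identification."""
    out = {"status": "no-ident", "extra": [], "proto": None,
           "software": None, "offers": []}
    if not data:
        # Same point of failure as in the thread: peer closed before any line.
        out["status"] = "closed-before-ident"
        return out
    for raw in data.split(b"\n"):
        line = raw.rstrip(b"\r")
        if not line:
            continue
        m = IDENT_RE.match(line)
        if m is None:
            # Text sent ahead of the identification line (e.g. a banner).
            out["extra"].append(line.decode("ascii", "replace"))
            continue
        proto = m.group(1).decode()
        out.update(proto=proto, software=m.group(2).decode(),
                   offers=OFFERS.get(proto, [proto]),
                   status="ident-after-extra-text" if out["extra"] else "ok")
        return out
    return out

# Constructed samples; the version string is the one shown in the thread.
IDENT = b"SSH-1.99-OpenSSH_2.3.0 FreeBSD localisations 20010713\n"
SAMPLES = {
    "clean": IDENT,
    "banner-first": b"Authorized use only\r\n" + IDENT,
    "closed": b"",
    "text-only": b"refused\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, classify_preamble(blob))
```

Running `classify_preamble(read_preamble(host, port))` from the affected client's network position shows whether the listener closes silently, sends extra text first, or identifies itself normally.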