Date: Wed, 24 Jul 2002 16:39:22 -0700 (PDT)
From: twig les
Subject: Re: SSH problem (was ssh cipher) - solved
To: Eli Dart
Cc: freebsd-security@FreeBSD.ORG
Message-ID: <20020724233922.16648.qmail@web10101.mail.yahoo.com>
In-Reply-To: <20020724201450.8DAD63B1AD@gemini.nersc.gov>

K, the problem turned out to be a hosts.allow dirty syntax problem
(since it's sooooo complex) AND a cipher one (we use aes, this old
thing can't).  ack, someone magiced away the sftp-server too.  grrrr,
I hate hand-me-downs.  Anyhoo thanx for the pointers.

--- Eli Dart wrote:
> I seem to remember encountering something like this some time ago.
>
> Do you have tcp wrappers configured to display a banner?  I think
> this was what caused the problem for me -- the banner that tcp
> wrappers injected fouled up the ssh protocol negotiations.
>
> I could be wrong about this....memory is fuzzy today...
>
> --eli
>
> In reply to twig les :
>
> > Well the problem isn't ssh.com vs openssh.  I sshed from the pos
> > box to my sniffer and got in, but couldn't ssh back again.  This
> > is the verbose output from the session from the pos to the
> > sniffer:
> >
> > # ssh -v -v -v -l snort 10.x.x.x
> > OpenSSH_2.5.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
> > Contains Cisco Secure Intrusion Detection System modifications.
> > Domestic strength encryption. (k9).
> > debug: Reading configuration data /etc/ssh_config
> > debug: ssh_connect: getuid 0 geteuid 0 anon 0
> > debug: Connecting to 10.20.0.124 [10.20.0.124] port 922.
> > debug: Allocated local port 1023.
> > debug: Connection established.
> > debug: identity file /root/.ssh/identity type 3
> > debug: identity file /root/.ssh/id_dsa type 3
> > debug: Remote protocol version 1.99, remote software version OpenSSH_2.3.0 FreeBSD localisations 20010713
> > debug: match: OpenSSH_2.3.0 FreeBSD localisations 20010713 pat ^OpenSSH_2\.3\.0
> > debug: Local version string SSH-1.5-OpenSSH_2.5.1p2
> > debug: Waiting for server public key.
> > debug: Received server public key (768 bits) and host key (1024 bits).
> >
> > debug: Encryption type: 3des
> > debug: Sent encrypted session key.
> > debug: Installing crc compensation attack detector.
> > debug: Received encrypted confirmation.
> > debug: Doing password authentication.
> > snort@10.x.x.x's password:
> >
> > But when sshing back, I got the following:
> >
> > %ssh -c 3des-cbc -v -v -v 10.20.0.90
> > SSH Version OpenSSH_2.3.0 FreeBSD localisations 20010713, protocol versions 1.5/2.0.
> > Compiled with SSL (0x0090601f).
> > debug: Reading configuration data /etc/ssh/ssh_config
> > debug: ssh_connect: getuid 1001 geteuid 1001 anon 1
> > debug: Connecting to (null) [10.20.0.90] port 22.
> > debug: Connection established.
> > ssh_exchange_identification: Connection closed by remote host
> > debug: Calling cleanup 0x8058204(0x0)
> >
> > Things I've ruled out:
> > Incompatibility with ssh.com and openssh (can ssh from sniffer
> > to ssh.com boxes).
> > Wrong user
> > Wrong listening port
> > Unallowed source IP (I can telnet in, but not SSH)
> > Wrong cipher - it's using 3des
> >
> > Am I destined to bang my head on the desk and load Warcraft 3?
> >
> > --- Peter Pentchev wrote:
> > > On Wed, Jul 24, 2002 at 11:02:09AM -0700, twig les wrote:
> > > > All, I have a POS box running an old version of openssh (not
> > > > allowed to upgrade it, sigh).  Right now our jumpoff point is
> > > > running ssh.com software and gets the following error
> > > > immediately:
> > > >
> > > > ssh 1.1.1.1
> > > > warning: Authentication failed.
> > > > Disconnected; connection lost (Connection closed.).
> > > >
> > > > I've tried specifying the user and even the port but I think
> > > > the problem may be that the openssh (2.5 i think) may not be
> > > > using the correct cipher.  How do I check what cipher this
> > > > guy is using?  Also, this box has got to be logging the
> > > > connections attempts somewhere, but I haven't seen it.
> > >
> > > Does the ssh.com SSH client have something resembling the
> > > OpenSSH client's "-v" command-line option, and especially its
> > > "-v -v -v" functionality? :)
> > >
> > > G'luck,
> > > Peter
> > >
> > > --
> > > Peter Pentchev roam@ringlet.net roam@FreeBSD.org
> > > PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
> > > Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
> > > No language can express every thought unambiguously, least of
> > > all this one.

=====
-----------------------------------------------------------
All warfare is based on deception.
-----------------------------------------------------------
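
Added example (not part of the original thread or of OpenSSH): the two "ssh -v" transcripts quoted above stop at different points, and the failing one is closed before any SSH version banner arrives, so no cipher was negotiated on that attempt, which is consistent with the hosts.allow cause reported in the follow-up. The Python sketch below classifies a transcript by the last handshake milestone it reached; the marker strings are taken from the quoted output, while the stage names and hint texts are assumptions made for illustration.

```python
import re

# Handshake milestones in the order OpenSSH 2.x prints them with -v.
# Marker strings come from the thread's transcripts; stage names are made up here.
STAGES = [
    ("tcp_connected", r"debug: Connection established"),
    ("banner_received", r"debug: Remote protocol version"),
    ("session_key_sent", r"debug: Sent encrypted session key"),
    ("auth_started", r"debug: Doing password authentication"),
]
EARLY_CLOSE = r"ssh_exchange_identification: Connection closed by remote host"

def furthest_stage(transcript):
    """Return the name of the last milestone reached in order, or None."""
    reached = None
    for name, pattern in STAGES:
        if not re.search(pattern, transcript):
            break
        reached = name
    return reached

def diagnose(transcript):
    """Map the point of failure to the layer worth checking first."""
    stage = furthest_stage(transcript)
    if stage is None:
        return "no TCP connection: check address, port and packet filters"
    if stage == "tcp_connected" and re.search(EARLY_CLOSE, transcript):
        # Closed before the server's version string: ciphers never came up.
        return "closed before banner: check hosts.allow / TCP wrappers on the server"
    if stage == "banner_received":
        return "stopped after banner: check protocol version and cipher support"
    if stage == "auth_started":
        return "reached authentication: transport and access control are fine"
    return f"stopped after {stage}: check the server's sshd log"

# Lines copied (abridged) from the two sessions quoted in the thread.
WORKING = """debug: Connection established.
debug: Remote protocol version 1.99, remote software version OpenSSH_2.3.0
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Doing password authentication."""

FAILING = """debug: Connecting to (null) [10.20.0.90] port 22.
debug: Connection established.
ssh_exchange_identification: Connection closed by remote host
debug: Calling cleanup 0x8058204(0x0)"""

if __name__ == "__main__":
    for label, text in (("pos -> sniffer", WORKING), ("sniffer -> pos", FAILING)):
        print(label, "=>", diagnose(text))
```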