From ptspts at gmail.com Mon Oct 2 00:26:36 2017
From: ptspts at gmail.com (Péter Szabó)
Date: Sun, 1 Oct 2017 18:26:36 +0200
Subject: proof-of-concept ed25519 crypto and other additions implemented
Message-ID:

Dear Dropbear Authors,

Thank you for your work on Dropbear! It's a great SSH server and toolset for resource-constrained systems, I use it every day.

This weekend I've implemented a couple of features I've always wanted to have:

* Added ssh-ed25519 crypto for server host keys and user keys. The implementation is based on TweetNaCl v20140427.
* Added environment variable propagation (similar to OpenSSH AcceptEnv, command-line flag -A) to Dropbear sshd.
* Added autodetection and loading of OpenSSH hostkeys to Dropbear sshd (with `make OPENSSHHOSTKEYLOAD=1').
* Added flag to dropbearkey to generate private keys in OpenSSH format directly (dropbearkey -Z openssh, with `make WRITEOPENSSHKEYS=1').
* Improved some command-line flags (e.g. dropbear -E is always available).
* Compilation instructions for pts-xstatic (statically linked i386 Linux binary). Binary size is 350456 bytes.
* Added option to compile without loading any system hostkeys (e.g. from /etc/dropbear) (with `make NOSYSHOSTKEYLOAD=1').
* Made dropbearkey behavior more compatible with ssh-keygen in OpenSSH:
** dropbearkey now creates a .pub file.
** -b bits flag.
** -C comment flag. (The comment will be added to the public key file, and not to the private key file.)
** -P passphrase flag. Only the empty passphrase is allowed.
** -N passphrase flag. Only the empty passphrase is allowed.
* Added autodetection of the input private key file format, as `dropbearconvert any'.

The code is in https://github.com/pts/pts-dropbear, which is a fork of dropbear-2017.75.tar.bz2.

It would be great if these improvements could be merged to upstream Dropbear, so all Dropbear users would benefit. Please let me know what the best course of action would be to make this happen, and how I can help.

Best regards,

Péter Szabó

From matt at ucc.asn.au Wed Oct 4 22:49:33 2017
From: matt at ucc.asn.au (Matt Johnston)
Date: Wed, 4 Oct 2017 22:49:33 +0800
Subject: proof-of-concept ed25519 crypto and other additions implemented
In-Reply-To:
References:
Message-ID: <20E69B0B-E85D-4D74-9471-03C241AF5414@ucc.asn.au>

Hi Péter,

Thank you for the work. I think most of these look useful and could be merged. I'll have a closer look over them in the next week or so with some more detailed comments.

A few comments for now:

- I'm tending to avoid "make CONFIGVAR=1", I think all of yours can be in options.h instead? You don't have to worry about pulling in unneeded size like keyimport.o - if nothing is called in that file then it will be excluded from the linked executable.

- Can the patches be made from a fork of the Dropbear tree, with the 2017.75 tag? That will make merging/cherry picking easier
  https://github.com/mkj/dropbear/tree/DROPBEAR_2017.75

- I don't like the pointer arithmetic
  https://github.com/pts/pts-dropbear/blob/4bb002ccad33a5fa55b88b4216586b09881e0d3c/ed25519.c#L70

    if (buf->pos + 83 > buf->len ||
        0 != memcmp(buf->data + buf->pos, "\0\0\0\x0bssh-ed25519\0\0\0@", 19)
       ) return DROPBEAR_FAILURE;
    memcpy(key->spk, buf->data + buf->pos + 19, 64);

  Instead it should use buf_getstring(), buf_getbufstring(), buf_incrwritepos() etc.

- Agree that SHA512 from libtomcrypt should be used instead.

- what is the reason for wanting a 8192 bit RSA key?

I see you mentioned chacha20-poly1305 in the TODO. If you (or anyone else) is going to implement that it would be worth using the upcoming libtomcrypt 1.18 release which supports those. The mode used by OpenSSH may be a bit different though, with a separate cipher for lengths.

Cheers,
Matt

> On Mon 2/10/2017, at 12:26 am, Péter Szabó wrote:
>
> Dear Dropbear Authors,
>
> Thank you for your work on Dropbear! It's a great SSH server and toolset for resource-constrained systems, I use it every day.
>
> This weekend I've implemented a couple of features I've always wanted to have:
>
> * Added ssh-ed25519 crypto for server host keys and user keys. The implementation is based on TweetNaCl v20140427.
> * Added environment variable propagation (similar to OpenSSH AcceptEnv, command-line flag -A) to Dropbear sshd.
> * Added autodetection and loading of OpenSSH hostkeys to Dropbear sshd (with `make OPENSSHHOSTKEYLOAD=1').
> * Added flag to dropbearkey to generate private keys in OpenSSH format directly (dropbearkey -Z openssh, with `make WRITEOPENSSHKEYS=1').
> * Improved some command-line flags (e.g. dropbear -E is always available).
> * Compilation instructions for pts-xstatic (statically linked i386 Linux binary). Binary size is 350456 bytes.
> * Added option to compile without loading any system hostkeys (e.g. from /etc/dropbear) (with `make NOSYSHOSTKEYLOAD=1').
> * Made dropbearkey behavior more compatible with ssh-keygen in OpenSSH:
> ** dropbearkey now creates a .pub file.
> ** -b bits flag.
> ** -C comment flag. (The comment will be added to the public key file, and not to the private key file.)
> ** -P passphrase flag. Only the empty passphrase is allowed.
> ** -N passphrase flag. Only the empty passphrase is allowed.
> * Added autodetection of the input private key file format, as `dropbearconvert any'.
>
> The code is in https://github.com/pts/pts-dropbear , which is a fork of
> dropbear-2017.75.tar.bz2.
>
> It would be great if these improvements could be merged to upstream Dropbear, so all Dropbear users would benefit. Please let me know what the best course of action would be to make this happen, and how I can help.
>
> Best regards,
>
> Péter Szabó

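Added example, not part of either message and not code from Dropbear or pts-dropbear: the review comment above asks for length-prefixed reads through accessor functions instead of hard-coded offsets, and this sketch parses the same 83-byte layout (string "ssh-ed25519", then a 64-byte string) that way. The `reader` type and the `rd_*`, `parse_ed25519_blob` and `build_sample_blob` names are hypothetical stand-ins, not Dropbear's buffer API.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ED25519_BLOB_KEY_LEN 64  /* the "\0\0\0@" length field in the quoted snippet */

/* Hypothetical read cursor for this example; not Dropbear's buffer type. */
struct reader {
    const uint8_t *data;
    size_t len;  /* total bytes available */
    size_t pos;  /* next unread byte; invariant: pos <= len */
};

/* Read a big-endian uint32. The cursor moves only on success. */
static int rd_u32(struct reader *r, uint32_t *out)
{
    const uint8_t *p;

    if (r->len - r->pos < 4)
        return -1;
    p = r->data + r->pos;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    r->pos += 4;
    return 0;
}

/* Read an SSH "string" (uint32 length, then that many bytes) without copying.
 * The declared length is compared with the bytes remaining, so an oversized
 * length field is rejected before any offset is computed from it. */
static int rd_string(struct reader *r, const uint8_t **s, uint32_t *slen)
{
    struct reader tmp = *r;
    uint32_t n;

    if (rd_u32(&tmp, &n) != 0 || n > tmp.len - tmp.pos)
        return -1;
    *s = tmp.data + tmp.pos;
    *slen = n;
    tmp.pos += n;
    *r = tmp;  /* commit only after both checks passed */
    return 0;
}

/* Parse: string "ssh-ed25519", string key[64]. Returns 0 on success, -1 on
 * any malformed input. Bytes after the key are left for the caller. */
int parse_ed25519_blob(const uint8_t *blob, size_t len,
                       uint8_t key[ED25519_BLOB_KEY_LEN])
{
    static const char name[] = "ssh-ed25519";
    struct reader r = { blob, len, 0 };
    const uint8_t *s;
    uint32_t n;

    if (rd_string(&r, &s, &n) != 0 || n != sizeof(name) - 1 ||
        memcmp(s, name, n) != 0)
        return -1;
    if (rd_string(&r, &s, &n) != 0 || n != ED25519_BLOB_KEY_LEN)
        return -1;
    memcpy(key, s, ED25519_BLOB_KEY_LEN);
    return 0;
}

/* Constructed sample: a well-formed 83-byte blob whose key bytes are 0..63. */
void build_sample_blob(uint8_t out[83])
{
    static const uint8_t head[19] = {
        0, 0, 0, 11, 's', 's', 'h', '-', 'e', 'd', '2', '5', '5', '1', '9',
        0, 0, 0, 64
    };
    int i;

    memcpy(out, head, sizeof(head));
    for (i = 0; i < 64; i++)
        out[19 + i] = (uint8_t)i;
}

int main(void)
{
    uint8_t blob[83], key[ED25519_BLOB_KEY_LEN];

    build_sample_blob(blob);
    printf("well-formed blob: %d\n", parse_ed25519_blob(blob, sizeof(blob), key));
    printf("truncated blob:   %d\n", parse_ed25519_blob(blob, sizeof(blob) - 1, key));
    blob[15] = 0xff;  /* key length field now claims about 4 GiB */
    printf("oversized length: %d\n", parse_ed25519_blob(blob, sizeof(blob), key));
    return 0;
}
```
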
From hramasub at in.ibm.com Wed Oct 11 11:25:45 2017
From: hramasub at in.ibm.com (Hariharasubramanian Ramasubramanian)
Date: Wed, 11 Oct 2017 03:25:45 +0000
Subject: ssh disconnects due to corrupt packet (dropbear compiled with DEBUG_TRACE)
Message-ID:

An HTML attachment was scrubbed...
URL: http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/attachments/20171011/90028e15/attachment.htm

From matt at ucc.asn.au Wed Oct 11 18:47:59 2017
From: matt at ucc.asn.au (Matt Johnston)
Date: Wed, 11 Oct 2017 18:47:59 +0800
Subject: ssh disconnects due to corrupt packet (dropbear compiled with DEBUG_TRACE)
In-Reply-To:
References:
Message-ID: <96beee2180a760e4ea7b0af207da8ab3@ucc.asn.au>

Hi,

It looks like you're running it from inetd and the TRACE output is ending up getting sent over the network socket. The length 1414676803 is 'TRAC' converted to ascii.
I guess dropbear is running with "-E", or what is the configuration? That won't work, you'll need to log to syslog instead (the default) when using inetd.
I can't think of any known issues in 2016.74 causing messages like that - if you keep seeing it could you send me the logs/pcap off-list, without -v.

Cheers,
Matt

On 2017-10-11 11:25 am, Hariharasubramanian Ramasubramanian wrote:
> I was observing occasional connection disconnect during session setup
> with dropbear version 2016.74.
>
> I compiled dropbear (version 2016.74) with DEBUG_TRACE flag on (in
> debug.h) to help me debug these session setup errors.
>
> However when I run dropbear with the -v switch, client fails to
> connect, _everytime_.
>
> The client (9.41.166.131) is OpenSSH_5.8p2 running on RHEL 6.4.
> The server (9.3.21.44) is dropbear_2016.74
>
> 1) Is this a known issue in dropbear_2016.74 ?
> 2) Also please suggest how I can debug ssh session setup failures with
> dropbear server ?
>
> ----------------------------------------------------------------------------------------------------------------------------
> The output of ssh -vvv root@9.3.21.44 is as follows:
> -bash-4.1$ ssh -vvv root@9.3.21.44
> OpenSSH_5.8p2, OpenSSL 1.0.0g 18 Jan 2012
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to 9.3.21.44 [9.3.21.44] port 22.
> debug1: Connection established.
> debug1: identity file /afs/awd.austin.ibm.com/usr/u2/hramasub/.ssh/id_rsa type -1
> debug1: identity file /afs/awd.austin.ibm.com/usr/u2/hramasub/.ssh/id_rsa-cert type -1
> debug1: identity file /afs/awd.austin.ibm.com/usr/u2/hramasub/.ssh/id_dsa type -1
> debug1: identity file /afs/awd.austin.ibm.com/usr/u2/hramasub/.ssh/id_dsa-cert type -1
> debug1: identity file /afs/awd.austin.ibm.com/usr/u2/hramasub/.ssh/id_ecdsa type -1
> debug1: identity file /afs/awd.austin.ibm.com/usr/u2/hramasub/.ssh/id_ecdsa-cert type -1
> debug1: ssh_exchange_identification: [1522] Oct 09 11:35:43 Failed loading /var/lib/dropbear/dropbear_rsa_host_key
> debug1: ssh_exchange_identification: TRACE (1522) 0.000000: leave loadhostkey
> debug1: ssh_exchange_identification: TRACE (1522) 0.001107: enter buf_get_rsa_priv_key
> debug1: ssh_exchange_identification: TRACE (1522) 0.001398: enter buf_get_rsa_pub_key
> debug1: ssh_exchange_identification: TRACE (1522) 0.002371: leave buf_get_rsa_pub_key: success
> debug1: ssh_exchange_identification: TRACE (1522) 0.003364: leave buf_get_rsa_priv_key
> debug1: ssh_exchange_identification: TRACE (1522) 0.003685: leave loadhostkey
> debug1: ssh_exchange_identification: [1522] Oct 09 11:35:43 Failed loading /etc/dropbear/dropbear_dss_host_key
> debug1: ssh_exchange_identification: TRACE (1522) 0.009414: leave loadhostkey
> debug1: ssh_exchange_identification: [1522] Oct 09 11:35:43 Failed loading /etc/dropbear/dropbear_ecdsa_host_key
> debug1: ssh_exchange_identification: TRACE (1522) 0.014786: leave loadhostkey
> debug1: ssh_exchange_identification: TRACE (1522) 0.014964: Disabling key type 1
> debug1: ssh_exchange_identification: TRACE (1522) 0.015427: Disabling key type 2
> debug1: ssh_exchange_identification: TRACE (1522) 0.016107: Disabling key type 3
> debug1: ssh_exchange_identification: TRACE (1522) 0.016541: Disabling key type 4
> debug1: ssh_exchange_identification: [1522] Oct 09 11:35:43 Child connection from ::ffff:9.41.166.131:49818
> debug1: ssh_exchange_identification: TRACE (1522) 0.030210: enter session_init
> debug1: ssh_exchange_identification: TRACE (1522) 0.030381: setnonblocking: 0
> debug1: ssh_exchange_identification: TRACE (1522) 0.031095: leave setnonblocking
> debug1: ssh_exchange_identification: TRACE (1522) 0.031521: setnonblocking: 0
> debug1: ssh_exchange_identification: TRACE (1522) 0.031948: leave setnonblocking
> debug1: ssh_exchange_identification: TRACE (1522) 0.032572: update_channel_prio
> debug1: ssh_exchange_identification: TRACE (1522) 0.033036: update_channel_prio: not any
> debug1: ssh_exchange_identification: TRACE (1522) 0.033453: Dropbear priority transitioning 10 -> 11
> debug1: ssh_exchange_identification: TRACE (1522) 0.034171: setnonblocking: 4
> debug1: ssh_exchange_identification: TRACE (1522) 0.034642: leave setnonblocking
> debug1: ssh_exchange_identification: TRACE (1522) 0.035068: setnonblocking: 5
> debug1: ssh_exchange_identification: TRACE (1522) 0.035746: leave setnonblocking
> debug1: ssh_exchange_identification: TRACE (1522) 0.036801: leave session_init
> debug1: ssh_exchange_identification: TRACE (1522) 0.037927: kexinitialise()
> debug1: ssh_exchange_identification: TRACE (1522) 0.038795: DATAALLOWED=0
> debug1: ssh_exchange_identification: TRACE (1522) 0.039085: -> KEXINIT
> debug1: ssh_exchange_identification: TRACE (1522) 0.039748: enter set_connect_fds
> debug1: ssh_exchange_identification: TRACE (1522) 0.040495: maybe_empty_reply_queue - no data allowed
> debug1: ssh_exchange_identification: TRACE (1522) 0.040959: enter handle_connect_fds
> debug1: ssh_exchange_identification: TRACE (1522) 0.041604: leave handle_connect_fds - end iter
> debug1: Remote protocol version 2.0, remote software version dropbear_2016.74
> debug1: no match: dropbear_2016.74
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.8
> debug2: fd 3 setting O_NONBLOCK
> debug3: load_hostkeys: loading entries for host "9.3.21.44" from file "/afs/awd.austin.ibm.com/usr/u2/hramasub/.ssh/known_hosts"
> debug3: load_hostkeys: found key type RSA in file /afs/awd.austin.ibm.com/usr/u2/hramasub/.ssh/known_hosts:6
> debug3: load_hostkeys: loaded 1 keys
> debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,kexguess2@matt.ucc.asn.au
> debug2: kex_parse_kexinit: ssh-rsa
> debug2: kex_parse_kexinit: aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc,twofish256-cbc,twofish-cbc,twofish128-cbc,3des-ctr,3des-cbc
> debug2: kex_parse_kexinit: aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc,twofish256-cbc,twofish-cbc,twofish128-cbc,3des-ctr,3des-cbc
> debug2: kex_parse_kexinit: hmac-sha1-96,hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-md5
> debug2: kex_parse_kexinit: hmac-sha1-96,hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-md5
> debug2: kex_parse_kexinit: zlib@openssh.com,none
> debug2: kex_parse_kexinit: zlib@openssh.com,none
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_setup: found hmac-md5
> debug1: kex: server->client aes128-ctr hmac-md5 none
> debug2: mac_setup: found hmac-md5
> debug1: kex: client->server aes128-ctr hmac-md5 none
> debug1: sending SSH2_MSG_KEX_ECDH_INIT
> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> Bad packet length 1414676803.
> Disconnecting: Packet corrupt
> ----------------------------------------------------------------------------------------------------------------------------
> tcpdump of the session setup sequence is attached.
>
> thanks in advance,
> Hariharasubramanian R.
> Power Firmware Development
> IBM India Systems & Technology Lab, Bangalore, India
> Phone: +91 80 4025 5075

From hramasub at in.ibm.com Thu Oct 12 16:29:49 2017
From: hramasub at in.ibm.com (Hariharasubramanian Ramasubramanian)
Date: Thu, 12 Oct 2017 13:59:49 +0530
Subject: ssh disconnects due to corrupt packet (dropbear compiled with DEBUG_TRACE)
In-Reply-To:
References: <96beee2180a760e4ea7b0af207da8ab3@ucc.asn.au>
Message-ID:

Thanks Matt.

You are right that dropbear is being run from inetd through a systemd service file.
However, the logs are configured to go into syslog (i.e. _no_ -E switch).

-------------
The configuration in dropbear@.service is as follows:

[Unit]
Description=SSH Per-Connection Server
Wants=dropbearkey.service
After=syslog.target dropbearkey.service

[Service]
Environment="DROPBEAR_RSAKEY_DIR=/etc/dropbear"
EnvironmentFile=-/etc/default/dropbear
ExecStart=-@SBINDIR@/dropbear -i -I 5 -v -r ${DROPBEAR_RSAKEY_DIR}/dropbear_rsa_host_key
ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID
StandardInput=socket
KillMode=process
-------------

>
> From: Matt Johnston
> To: Hariharasubramanian Ramasubramanian
> Cc: dropbear at ucc.asn.au
> Date: 10/11/2017 04:18 PM
> Subject: Re: ssh disconnects due to corrupt packet (dropbear
> compiled with DEBUG_TRACE)
>
> Hi,
>
> It looks like you're running it from inetd and the TRACE output is
> ending up getting sent over the network socket. The length 1414676803 is
> 'TRAC' converted to ascii.
> I guess dropbear is running with "-E", or what is the configuration?
> That won't work, you'll need to log to syslog instead (the default) when
> using inetd.
> I can't think of any known issues in 2016.74 causing messages like that
> - if you keep seeing it could you send me the logs/pcap off-list,
> without -v.
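
Added example, not part of any message in this thread and not Dropbear or OpenSSH code: the diagnosis above, that 1414676803 is 'TRAC', comes from reading the SSH packet length field (the first four bytes of a binary packet, big-endian) as text. The sketch applies that check to a client error line; the function names and the 256 KiB plausibility threshold are assumptions of the example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption for this example: lengths above 256 KiB are treated as
 * implausible, modelled on the packet size cap OpenSSH applies. */
#define MAX_PLAUSIBLE_LEN (256u * 1024u)

enum verdict { V_NO_MATCH, V_PLAUSIBLE, V_TEXT_IN_STREAM, V_BINARY_GARBAGE };

/* Extract N from a client line containing "Bad packet length N". */
int parse_bad_length_line(const char *line, uint32_t *len)
{
    static const char marker[] = "Bad packet length ";
    const char *p = strstr(line, marker);
    char *end;
    unsigned long long v;

    if (p == NULL)
        return -1;
    p += sizeof(marker) - 1;
    if (!isdigit((unsigned char)*p))
        return -1;
    errno = 0;
    v = strtoull(p, &end, 10);
    if (errno != 0 || end == p || v > UINT32_MAX)
        return -1;
    *len = (uint32_t)v;
    return 0;
}

/* Render the 32-bit length as the four bytes that were on the wire
 * (big-endian). Returns 1 if all four are printable ASCII; unprintable
 * bytes are shown as '.'. */
int length_as_ascii(uint32_t len, char text[5])
{
    int printable = 1;
    int i;

    for (i = 0; i < 4; i++) {
        unsigned char c = (unsigned char)(len >> (24 - 8 * i));
        if (c < 0x80 && isprint(c)) {
            text[i] = (char)c;
        } else {
            text[i] = '.';
            printable = 0;
        }
    }
    text[4] = '\0';
    return printable;
}

/* Classify one client log line. This only tells you something while the
 * transport is still unencrypted (before NEWKEYS), as in the log above;
 * afterwards the length field is decrypted before it is checked, so stray
 * text no longer survives as readable bytes. */
enum verdict classify_line(const char *line, char text[5])
{
    uint32_t len;

    text[0] = '\0';
    if (parse_bad_length_line(line, &len) != 0)
        return V_NO_MATCH;
    if (len <= MAX_PLAUSIBLE_LEN)
        return V_PLAUSIBLE;
    return length_as_ascii(len, text) ? V_TEXT_IN_STREAM : V_BINARY_GARBAGE;
}

int main(void)
{
    /* The first line is from the thread; the others are constructed samples. */
    static const char *lines[] = {
        "Bad packet length 1414676803.",
        "Bad packet length 48.",
        "Bad packet length 4294967295.",
        "debug1: expecting SSH2_MSG_KEX_ECDH_REPLY",
    };
    static const char *names[] = {
        "no match", "plausible length", "text in stream", "binary garbage"
    };
    char text[5];
    size_t i;

    for (i = 0; i < sizeof(lines) / sizeof(lines[0]); i++) {
        enum verdict v = classify_line(lines[i], text);
        printf("%-45s -> %s", lines[i], names[v]);
        if (v == V_TEXT_IN_STREAM || v == V_BINARY_GARBAGE)
            printf(" (bytes: \"%s\")", text);
        putchar('\n');
    }
    return 0;
}
```

A "text in stream" verdict means something other than the SSH server wrote to the connection's socket, which is what the trace lines prefixed to the version banner in the client log already suggest.
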

From hramasub at in.ibm.com Mon Oct 23 19:12:11 2017
From: hramasub at in.ibm.com (Hariharasubramanian Ramasubramanian)
Date: Mon, 23 Oct 2017 16:42:11 +0530
Subject: ssh login stuck at "expecting SSH2_MSG_KEX_ECDH_REPLY"
In-Reply-To:
References: <96beee2180a760e4ea7b0af207da8ab3@ucc.asn.au>
Message-ID:

ssh login gets stuck at "expecting SSH2_MSG_KEX_ECDH_REPLY" at random.
However forcing ssh to use 3des cipher suite makes the login go through.
What causes the login to succeed when cipher suite is forced but fail otherwise ?

Here are the debug for 3 different use cases:
1) successful login attempt
2) failed login attempt
3) forced 3des cipher suite

==============================================================================
1) Successful login attempt
==============================================================================
-bash-4.1$ ssh -vvv root@wsbmc011
OpenSSH_5.8p2, OpenSSL 1.0.0g 18 Jan 2012
debug1: Reading configuration data /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to wsbmc011 [9.3.21.42] port 22.
debug1: Connection established.
debug3: Incorrect RSA1 identifier debug3: Could not load "/gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_rsa" as a RSA1 public key debug2: key_type_from_name: unknown key type '-----BEGIN' debug3: key_read: missing keytype debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing 
whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_rsa type 1
debug1: identity file /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_rsa-cert type -1
debug1: identity file /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_dsa type -1
debug1: identity file /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_dsa-cert type -1
debug1: identity file /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_ecdsa type -1
debug1: identity file /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version dropbear_2016.74
debug1: no match: dropbear_2016.74
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "wsbmc011" from file "/gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/known_hosts:23
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,kexguess2@matt.ucc.asn.au
debug2: kex_parse_kexinit: ssh-rsa
debug2: kex_parse_kexinit: aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc,twofish256-cbc,twofish-cbc,twofish128-cbc,3des-ctr,3des-cbc
debug2: kex_parse_kexinit: aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc,twofish256-cbc,twofish-cbc,twofish128-cbc,3des-ctr,3des-cbc
debug2: kex_parse_kexinit: hmac-sha1-96,hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-md5
debug2: kex_parse_kexinit: hmac-sha1-96,hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-md5
debug2: kex_parse_kexinit: zlib@openssh.com,none
debug2: kex_parse_kexinit: zlib@openssh.com,none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: RSA 70:28:98:8f:c1:8b:0e:33:a2:cc:e5:3d:c3:d0:f3:82
debug3: load_hostkeys: loading entries for host "wsbmc011" from file "/gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/known_hosts:23
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "9.3.21.42" from file "/gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/known_hosts:15
debug3: load_hostkeys: loaded 1 keys
debug1: Host 'wsbmc011' is known and matches the RSA host key.
debug1: Found key in /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/known_hosts:23
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_rsa (0x9dd410)
debug2: key: /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_dsa ((nil))
debug2: key: /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_ecdsa ((nil))
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_dsa
debug3: no such identity: /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_dsa
debug1: Trying private key: /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_ecdsa
debug3: no such identity: /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_ecdsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
root@wsbmc011's password:
==============================================================================
2) failed login attempt
==============================================================================
$ ssh -v root@wsbmc011
OpenSSH_5.8p2, OpenSSL 1.0.0g 18 Jan 2012
debug1: Reading configuration data /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to wsbmc011 [9.3.21.42] port 22.
debug1: Connection established.
debug1: identity file /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_rsa type 1
debug1: identity file /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_rsa-cert type -1
debug1: identity file /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_dsa type -1
debug1: identity file /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_dsa-cert type -1
debug1: identity file /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_ecdsa type -1
debug1: identity file /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version dropbear_2016.74
debug1: no match: dropbear_2016.74
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
==============================================================================
3) forced 3des cipher suite
==============================================================================
$ ssh -c 3des -v root@wsbmc011
OpenSSH_5.8p2, OpenSSL 1.0.0g 18 Jan 2012
debug1: Reading configuration data /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to wsbmc011 [9.3.21.42] port 22.
debug1: Connection established.
debug1: identity file /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_rsa type 1
debug1: identity file /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_rsa-cert type -1
debug1: identity file /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_dsa type -1
debug1: identity file /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_dsa-cert type -1
debug1: identity file /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_ecdsa type -1
debug1: identity file /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version dropbear_2016.74
debug1: no match: dropbear_2016.74
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client 3des-cbc hmac-md5 none
debug1: kex: client->server 3des-cbc hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: RSA 70:28:98:8f:c1:8b:0e:33:a2:cc:e5:3d:c3:d0:f3:82
debug1: Host 'wsbmc011' is known and matches the RSA host key.
debug1: Found key in /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/known_hosts:26
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_dsa
debug1: Trying private key: /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_ecdsa
debug1: Next authentication method: password
root@wsbmc011's password:

Thanks in advance,
Hari !

Hariharasubramanian R.
Power Firmware Development
IBM India Systems & Technology Lab, Bangalore, India
Phone: +91 80 4025 6950

From wharms at bfs.de Mon Oct 23 19:55:57 2017
From: wharms at bfs.de (walter harms)
Date: Mon, 23 Oct 2017 13:55:57 +0200
Subject: ssh login stuck at "expecting SSH2_MSG_KEX_ECDH_REPLY"
In-Reply-To:
References: <96beee2180a760e4ea7b0af207da8ab3@ucc.asn.au>
Message-ID: <59EDD8CD.4040801@bfs.de>

Hello Hari,
nothing special, just a hint: when sending logs, just replace real IPs with something like 192.168.1.*,
otherwise you may reveal information you do not want to reveal.
Just remember that search engines will find your post now and in 10 years.

re,
wh

On 23.10.2017 13:12, Hariharasubramanian Ramasubramanian wrote:
>
> ssh login gets stuck at "expecting SSH2_MSG_KEX_ECDH_REPLY" at random.
>
> However forcing ssh to use 3des cipher suite makes the login go through.
>
> What causes the login to succeed when cipher suite is forced but fail
> otherwise ?
>
> Here are the debug for 3 different use cases:
> 1) successful login attempt
> 2) failed login attempt
> 3) forced 3des cipher suite

From matt at ucc.asn.au Tue Oct 24 20:50:29 2017
From: matt at ucc.asn.au (Matt Johnston)
Date: Tue, 24 Oct 2017 20:50:29 +0800
Subject: ssh login stuck at "expecting SSH2_MSG_KEX_ECDH_REPLY"
In-Reply-To:
References: <96beee2180a760e4ea7b0af207da8ab3@ucc.asn.au>
Message-ID: <82DDA5C8-756D-416D-B56A-9F7F1F978BA2@ucc.asn.au>

Hi Hari,

Can you get a backtrace of the stuck dropbear process in 2) ? That might suggest what's going wrong.

Cheers,
Matt

> On Mon 23/10/2017, at 7:12 pm, Hariharasubramanian Ramasubramanian wrote:
>
> ssh login gets stuck at "expecting SSH2_MSG_KEX_ECDH_REPLY" at random.
>
> However forcing ssh to use 3des cipher suite makes the login go through.
>
> What causes the login to succeed when cipher suite is forced but fail otherwise ?
>
> Here are the debug for 3 different use cases:
> 1) successful login attempt
> 2) failed login attempt
> 3) forced 3des cipher suite
>
============================================================================== > 2) failed login attempt > ============================================================================== > $ ssh -v root at wsbmc011 > OpenSSH_5.8p2, OpenSSL 1.0.0g 18 Jan 2012 > debug1: Reading configuration data /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/config > debug1: Reading configuration data /etc/ssh/ssh_config > debug1: Applying options for * > debug1: Connecting to wsbmc011 [9.3.21.42] port 22. > debug1: Connection established. > debug1: identity file /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_rsa type 1 > debug1: identity file /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_rsa-cert type -1 > debug1: identity file /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_dsa type -1 > debug1: identity file /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_dsa-cert type -1 > debug1: identity file /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_ecdsa type -1 > debug1: identity file /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_ecdsa-cert type -1 > debug1: Remote protocol version 2.0, remote software version dropbear_2016.74 > debug1: no match: dropbear_2016.74 > debug1: Enabling compatibility mode for protocol 2.0 > debug1: Local version string SSH-2.0-OpenSSH_5.8 > debug1: SSH2_MSG_KEXINIT sent > debug1: SSH2_MSG_KEXINIT received > debug1: kex: server->client aes128-ctr hmac-md5 none > debug1: kex: client->server aes128-ctr hmac-md5 none > debug1: sending SSH2_MSG_KEX_ECDH_INIT > debug1: expecting SSH2_MSG_KEX_ECDH_REPLY > ============================================================================== > 3) forced 3des cipher suite > ============================================================================== > $ ssh -c 3des -v root at wsbmc011 > OpenSSH_5.8p2, OpenSSL 1.0.0g 18 Jan 2012 > debug1: Reading configuration data /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/config > debug1: Reading configuration data /etc/ssh/ssh_config > debug1: 
Applying options for * > debug1: Connecting to wsbmc011 [9.3.21.42] port 22. > debug1: Connection established. > debug1: identity file /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_rsa type 1 > debug1: identity file /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_rsa-cert type -1 > debug1: identity file /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_dsa type -1 > debug1: identity file /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_dsa-cert type -1 > debug1: identity file /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_ecdsa type -1 > debug1: identity file /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_ecdsa-cert type -1 > debug1: Remote protocol version 2.0, remote software version dropbear_2016.74 > debug1: no match: dropbear_2016.74 > debug1: Enabling compatibility mode for protocol 2.0 > debug1: Local version string SSH-2.0-OpenSSH_5.8 > debug1: SSH2_MSG_KEXINIT sent > debug1: SSH2_MSG_KEXINIT received > debug1: kex: server->client 3des-cbc hmac-md5 none > debug1: kex: client->server 3des-cbc hmac-md5 none > debug1: sending SSH2_MSG_KEX_ECDH_INIT > debug1: expecting SSH2_MSG_KEX_ECDH_REPLY > debug1: Server host key: RSA 70:28:98:8f:c1:8b:0e:33:a2:cc:e5:3d:c3:d0:f3:82 > debug1: Host 'wsbmc011' is known and matches the RSA host key. 
> debug1: Found key in /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/known_hosts:26
> debug1: ssh_rsa_verify: signature correct
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: Roaming not allowed by server
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue: publickey,password
> debug1: Next authentication method: publickey
> debug1: Offering RSA public key: /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_rsa
> debug1: Authentications that can continue: publickey,password
> debug1: Trying private key: /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_dsa
> debug1: Trying private key: /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_ecdsa
> debug1: Next authentication method: password
> root at wsbmc011's password:
>
> Thanks in advance,
> Hari !
>
> Hariharasubramanian R.
> Power Firmware Development
> IBM India Systems & Technology Lab, Bangalore, India
> Phone: +91 80 4025 6950

From hramasub at in.ibm.com Wed Oct 25 22:45:32 2017
From: hramasub at in.ibm.com (Hariharasubramanian Ramasubramanian)
Date: Wed, 25 Oct 2017 20:15:32 +0530
Subject: ssh login stuck at "expecting SSH2_MSG_KEX_ECDH_REPLY"
In-Reply-To:
References: <96beee2180a760e4ea7b0af207da8ab3@ucc.asn.au>
Message-ID:

I am trying to force a core dump of dropbear for gdb analysis.
But I am unable to get dropbear to dump core.
I tried kill [-QUIT | -ABRT | -BUS ]. None of those signals work.

Relevant config related to core on my system is:

root at wsbmc013:~# cat /proc/sys/kernel/core_pattern
/tmp/core_%e.%p
root at wsbmc013:~# ulimit -c unlimited

dropbear is run with the following options:

root at wsbmc013:~# ps -aef | grep dropbear | grep -v grep
1518 root 0:00 /usr/sbin/dropbear -i -r /var/lib/dropbear/dropbear_rsa_host_key -B

regards,
Hari !

Hariharasubramanian Ramasubramanian/India/IBM wrote on 10/23/2017 04:42:11 PM:

> From: Hariharasubramanian Ramasubramanian/India/IBM
> To: dropbear at ucc.asn.au
> Cc: Matt Johnston
> Date: 10/23/2017 04:42 PM
> Subject: ssh login stuck at "expecting SSH2_MSG_KEX_ECDH_REPLY"
>
> ssh login gets stuck at "expecting SSH2_MSG_KEX_ECDH_REPLY" at random.
>
> However forcing ssh to use 3des cipher suite makes the login go through.
>
> What causes the login to succeed when cipher suite is forced but
> fail otherwise ?
>
> Here are the debug for 3 different use cases:
> 1) successful login attempt
> 2) failed login attempt
> 3) forced 3des cipher suite
>
> ==============================================================================
> 1) Successful login attempt
> ==============================================================================
> -bash-4.1$ ssh -vvv root at wsbmc011
> OpenSSH_5.8p2, OpenSSL 1.0.0g 18 Jan 2012
> debug1: Reading configuration data /gsa/ausgsa/projects/i/
> indiateam04/hramasub/.ssh/config
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to wsbmc011 [9.3.21.42] port 22.
> debug1: Connection established.
> debug3: Incorrect RSA1 identifier > debug3: Could not load "/gsa/ausgsa/projects/i/indiateam04/ > hramasub/.ssh/id_rsa" as a RSA1 public key > debug2: key_type_from_name: unknown key type '-----BEGIN' > debug3: key_read: missing keytype > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > 
debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug2: key_type_from_name: unknown key type '-----END' > debug3: key_read: missing keytype > debug1: identity file /gsa/ausgsa/projects/i/indiateam04/ > hramasub/.ssh/id_rsa type 1 > debug1: identity file /gsa/ausgsa/projects/i/indiateam04/ > hramasub/.ssh/id_rsa-cert type -1 > debug1: identity file /gsa/ausgsa/projects/i/indiateam04/ > hramasub/.ssh/id_dsa type -1 > debug1: identity file /gsa/ausgsa/projects/i/indiateam04/ > hramasub/.ssh/id_dsa-cert type -1 > debug1: identity file /gsa/ausgsa/projects/i/indiateam04/ > hramasub/.ssh/id_ecdsa type -1 > debug1: identity file /gsa/ausgsa/projects/i/indiateam04/ > hramasub/.ssh/id_ecdsa-cert type -1 > debug1: Remote protocol version 2.0, remote software version dropbear_2016.74 > debug1: no match: dropbear_2016.74 > debug1: Enabling compatibility mode for protocol 2.0 > debug1: Local version string SSH-2.0-OpenSSH_5.8 > debug2: fd 3 setting O_NONBLOCK > debug3: load_hostkeys: loading entries for host "wsbmc011" from file > "/gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/known_hosts" > debug3: load_hostkeys: found key type RSA in file /gsa/ausgsa/ > projects/i/indiateam04/hramasub/.ssh/known_hosts:23 > debug3: load_hostkeys: loaded 1 keys > debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert- > v01 at openssh.com,ssh-rsa-cert-v00 at openssh.com,ssh-rsa > debug1: SSH2_MSG_KEXINIT sent > debug1: SSH2_MSG_KEXINIT received > debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2- > nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange- > sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14- > sha1,diffie-hellman-group1-sha1 > debug2: kex_parse_kexinit: ssh-rsa-cert-v01 at openssh.com,ssh-rsa- > cert-v00 at openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert- > v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01 at openssh.com,ecdsa-sha2- > 
nistp521-cert-v01 at openssh.com,ssh-dss-cert-v01 at openssh > .com,ssh-dss-cert-v00 at openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2- > nistp384,ecdsa- > sha2-nistp521,ssh-dss > debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256- > ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128- > cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se > debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256- > ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128- > cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se > debug2: kex_parse_kexinit: hmac-md5,hmac- > sha1,umac-64 at openssh.com,hmac-ripemd160,hmac- > ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 > debug2: kex_parse_kexinit: hmac-md5,hmac- > sha1,umac-64 at openssh.com,hmac-ripemd160,hmac- > ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 > debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib > debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: first_kex_follows 0 > debug2: kex_parse_kexinit: reserved 0 > debug2: kex_parse_kexinit: curve25519-sha256 at libssh.org,ecdh-sha2- > nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman- > group14-sha1,diffie-hellman-group1-sha1,kexguess2 at matt.ucc.asn.au > debug2: kex_parse_kexinit: ssh-rsa > debug2: kex_parse_kexinit: aes128-ctr,aes256-ctr,aes128-cbc,aes256- > cbc,twofish256-cbc,twofish-cbc,twofish128-cbc,3des-ctr,3des-cbc > debug2: kex_parse_kexinit: aes128-ctr,aes256-ctr,aes128-cbc,aes256- > cbc,twofish256-cbc,twofish-cbc,twofish128-cbc,3des-ctr,3des-cbc > debug2: kex_parse_kexinit: hmac-sha1-96,hmac-sha1,hmac- > sha2-256,hmac-sha2-512,hmac-md5 > debug2: kex_parse_kexinit: hmac-sha1-96,hmac-sha1,hmac- > sha2-256,hmac-sha2-512,hmac-md5 > debug2: kex_parse_kexinit: zlib at openssh.com,none > debug2: kex_parse_kexinit: zlib at openssh.com,none > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: > 
debug2: kex_parse_kexinit: first_kex_follows 0 > debug2: kex_parse_kexinit: reserved 0 > debug2: mac_setup: found hmac-md5 > debug1: kex: server->client aes128-ctr hmac-md5 none > debug2: mac_setup: found hmac-md5 > debug1: kex: client->server aes128-ctr hmac-md5 none > debug1: sending SSH2_MSG_KEX_ECDH_INIT > debug1: expecting SSH2_MSG_KEX_ECDH_REPLY > debug1: Server host key: RSA 70:28:98:8f:c1:8b:0e:33:a2:cc:e5:3d:c3:d0:f3:82 > debug3: load_hostkeys: loading entries for host "wsbmc011" from file > "/gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/known_hosts" > debug3: load_hostkeys: found key type RSA in file /gsa/ausgsa/ > projects/i/indiateam04/hramasub/.ssh/known_hosts:23 > debug3: load_hostkeys: loaded 1 keys > debug3: load_hostkeys: loading entries for host "9.3.21.42" from > file "/gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/known_hosts" > debug3: load_hostkeys: found key type RSA in file /gsa/ausgsa/ > projects/i/indiateam04/hramasub/.ssh/known_hosts:15 > debug3: load_hostkeys: loaded 1 keys > debug1: Host 'wsbmc011' is known and matches the RSA host key. 
> debug1: Found key in /gsa/ausgsa/projects/i/indiateam04/ > hramasub/.ssh/known_hosts:23 > debug1: ssh_rsa_verify: signature correct > debug2: kex_derive_keys > debug2: set_newkeys: mode 1 > debug1: SSH2_MSG_NEWKEYS sent > debug1: expecting SSH2_MSG_NEWKEYS > debug2: set_newkeys: mode 0 > debug1: SSH2_MSG_NEWKEYS received > debug1: Roaming not allowed by server > debug1: SSH2_MSG_SERVICE_REQUEST sent > debug2: service_accept: ssh-userauth > debug1: SSH2_MSG_SERVICE_ACCEPT received > debug2: key: /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_rsa (0x9dd410) > debug2: key: /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_dsa ((nil)) > debug2: key: /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_ecdsa ((nil)) > debug1: Authentications that can continue: publickey,password > debug3: start over, passed a different list publickey,password > debug3: preferred publickey,keyboard-interactive,password > debug3: authmethod_lookup publickey > debug3: remaining preferred: keyboard-interactive,password > debug3: authmethod_is_enabled publickey > debug1: Next authentication method: publickey > debug1: Offering RSA public key: /gsa/ausgsa/projects/i/indiateam04/ > hramasub/.ssh/id_rsa > debug3: send_pubkey_test > debug2: we sent a publickey packet, wait for reply > debug1: Authentications that can continue: publickey,password > debug1: Trying private key: /gsa/ausgsa/projects/i/indiateam04/ > hramasub/.ssh/id_dsa > debug3: no such identity: /gsa/ausgsa/projects/i/indiateam04/ > hramasub/.ssh/id_dsa > debug1: Trying private key: /gsa/ausgsa/projects/i/indiateam04/ > hramasub/.ssh/id_ecdsa > debug3: no such identity: /gsa/ausgsa/projects/i/indiateam04/ > hramasub/.ssh/id_ecdsa > debug2: we did not send a packet, disable method > debug3: authmethod_lookup password > debug3: remaining preferred: ,password > debug3: authmethod_is_enabled password > debug1: Next authentication method: password > root at wsbmc011's password: > 
============================================================================== > 2) failed login attempt > ============================================================================== > $ ssh -v root at wsbmc011 > OpenSSH_5.8p2, OpenSSL 1.0.0g 18 Jan 2012 > debug1: Reading configuration data /gsa/ausgsa/projects/i/ > indiateam04/gkeishin/.ssh/config > debug1: Reading configuration data /etc/ssh/ssh_config > debug1: Applying options for * > debug1: Connecting to wsbmc011 [9.3.21.42] port 22. > debug1: Connection established. > debug1: identity file /gsa/ausgsa/projects/i/indiateam04/ > gkeishin/.ssh/id_rsa type 1 > debug1: identity file /gsa/ausgsa/projects/i/indiateam04/ > gkeishin/.ssh/id_rsa-cert type -1 > debug1: identity file /gsa/ausgsa/projects/i/indiateam04/ > gkeishin/.ssh/id_dsa type -1 > debug1: identity file /gsa/ausgsa/projects/i/indiateam04/ > gkeishin/.ssh/id_dsa-cert type -1 > debug1: identity file /gsa/ausgsa/projects/i/indiateam04/ > gkeishin/.ssh/id_ecdsa type -1 > debug1: identity file /gsa/ausgsa/projects/i/indiateam04/ > gkeishin/.ssh/id_ecdsa-cert type -1 > debug1: Remote protocol version 2.0, remote software version dropbear_2016.74 > debug1: no match: dropbear_2016.74 > debug1: Enabling compatibility mode for protocol 2.0 > debug1: Local version string SSH-2.0-OpenSSH_5.8 > debug1: SSH2_MSG_KEXINIT sent > debug1: SSH2_MSG_KEXINIT received > debug1: kex: server->client aes128-ctr hmac-md5 none > debug1: kex: client->server aes128-ctr hmac-md5 none > debug1: sending SSH2_MSG_KEX_ECDH_INIT > debug1: expecting SSH2_MSG_KEX_ECDH_REPLY > ============================================================================== > 3) forced 3des cipher suite > ============================================================================== > $ ssh -c 3des -v root at wsbmc011 > OpenSSH_5.8p2, OpenSSL 1.0.0g 18 Jan 2012 > debug1: Reading configuration data /gsa/ausgsa/projects/i/ > indiateam04/gkeishin/.ssh/config > debug1: Reading configuration data 
/etc/ssh/ssh_config > debug1: Applying options for * > debug1: Connecting to wsbmc011 [9.3.21.42] port 22. > debug1: Connection established. > debug1: identity file /gsa/ausgsa/projects/i/indiateam04/ > gkeishin/.ssh/id_rsa type 1 > debug1: identity file /gsa/ausgsa/projects/i/indiateam04/ > gkeishin/.ssh/id_rsa-cert type -1 > debug1: identity file /gsa/ausgsa/projects/i/indiateam04/ > gkeishin/.ssh/id_dsa type -1 > debug1: identity file /gsa/ausgsa/projects/i/indiateam04/ > gkeishin/.ssh/id_dsa-cert type -1 > debug1: identity file /gsa/ausgsa/projects/i/indiateam04/ > gkeishin/.ssh/id_ecdsa type -1 > debug1: identity file /gsa/ausgsa/projects/i/indiateam04/ > gkeishin/.ssh/id_ecdsa-cert type -1 > debug1: Remote protocol version 2.0, remote software version dropbear_2016.74 > debug1: no match: dropbear_2016.74 > debug1: Enabling compatibility mode for protocol 2.0 > debug1: Local version string SSH-2.0-OpenSSH_5.8 > debug1: SSH2_MSG_KEXINIT sent > debug1: SSH2_MSG_KEXINIT received > debug1: kex: server->client 3des-cbc hmac-md5 none > debug1: kex: client->server 3des-cbc hmac-md5 none > debug1: sending SSH2_MSG_KEX_ECDH_INIT > debug1: expecting SSH2_MSG_KEX_ECDH_REPLY > debug1: Server host key: RSA 70:28:98:8f:c1:8b:0e:33:a2:cc:e5:3d:c3:d0:f3:82 > debug1: Host 'wsbmc011' is known and matches the RSA host key. 
> debug1: Found key in /gsa/ausgsa/projects/i/indiateam04/
> gkeishin/.ssh/known_hosts:26
> debug1: ssh_rsa_verify: signature correct
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: Roaming not allowed by server
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue: publickey,password
> debug1: Next authentication method: publickey
> debug1: Offering RSA public key: /gsa/ausgsa/projects/i/indiateam04/
> gkeishin/.ssh/id_rsa
> debug1: Authentications that can continue: publickey,password
> debug1: Trying private key: /gsa/ausgsa/projects/i/indiateam04/
> gkeishin/.ssh/id_dsa
> debug1: Trying private key: /gsa/ausgsa/projects/i/indiateam04/
> gkeishin/.ssh/id_ecdsa
> debug1: Next authentication method: password
> root at wsbmc011's password:
>
> Thanks in advance,
> Hari !
>
> Hariharasubramanian R.
> Power Firmware Development
> IBM India Systems & Technology Lab, Bangalore, India
> Phone: +91 80 4025 6950

From hans at atbas.org Fri Dec 1 02:47:32 2017
From: hans at atbas.org (Hans Harder)
Date: Thu, 30 Nov 2017 19:47:32 +0100
Subject: dropbear as ssh honeypot
Message-ID:

Hi Matt,

I was looking for an SSH honeypot... so I thought about adapting dropbear.
Seems to me it would be easy to disable any successful logins by adapting
the file svr_auth.c with

/* Send a success message to the user, and set the "authdone" flag */
void send_msg_userauth_success() {
#if DROPBEAR_SVR_HONEYPOT
    send_msg_userauth_failure(0, 1);
#else
    ... original code
#endif
}

Is it really that easy to prevent any logins like that or am I forgetting
something?
I prefer dropbear besides all the other ssh honeypot implementations,
because I already use dropbear and I know the code....

Hans

From hugo.genesse at polymtl.ca Fri Dec 1 12:51:08 2017
From: hugo.genesse at polymtl.ca (Hugo Genesse)
Date: Fri, 01 Dec 2017 04:51:08 +0000
Subject: Login attempt for nonexistent user on Alpine Linux
Message-ID: <20171201045108.Horde.H3H37tbUnrwLhv2ELFOUBhV@www.imp.polymtl.ca>

Hi!

I've been trying to use dropbear (compiled myself statically with
./configure; make STATIC=1) on an Alpine Linux Docker container (Linux
4.13.12-1-ARCH) with the latest Alpine Docker image (3.6 if I'm not
mistaken). I run dropbear like this: "./dropbear -R" and can't login
with proper credentials. With the "-E" switch I get the following:

 /root/dropbear -R -E
[59] Dec 01 04:31:32 Running in background
[60] Dec 01 04:31:36 Child connection from
[60] Dec 01 04:31:36 Login attempt for nonexistent user from

My credentials are right and the command to connect is: "ssh
root at 127.0.0.1" (the port is properly forwarded to the container).
With the ssh client verbose option I get:

debug1: Next authentication method: password
root at 127.0.0.1's password:
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
root at 127.0.0.1's password:
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
root at 127.0.0.1's password:
debug1: Authentications that can continue: publickey,password
debug1: No more authentication methods to try.
root at 127.0.0.1: Permission denied (publickey,password).

and the root account exists as you can see here:

cat /etc/passwd
root:x:0:0:root:/root:/bin/ash
[...]

I've seen issues that seem similar on the web:
https://lists.debian.org/debian-arm/2012/06/msg00056.html
The ones I found were fixed by copying libnss to another location but
shouldn't a statically dropbear already solve this problem?

I also have telnet activated and I can login with root (don't worry
this won't be put into production, it is for demonstration purposes
only).

Is there any other things I should check or modify to be able to login
with dropbear?

Thanks!

From nsz at port70.net Fri Dec 1 23:01:52 2017
From: nsz at port70.net (Szabolcs Nagy)
Date: Fri, 1 Dec 2017 16:01:52 +0100
Subject: Login attempt for nonexistent user on Alpine Linux
In-Reply-To: <20171201045108.Horde.H3H37tbUnrwLhv2ELFOUBhV@www.imp.polymtl.ca>
References: <20171201045108.Horde.H3H37tbUnrwLhv2ELFOUBhV@www.imp.polymtl.ca>
Message-ID: <20171201150152.GV15263@port70.net>

* Hugo Genesse [2017-12-01 04:51:08 +0000]:
> I've been trying to use dropbear (compiled myself statically with
> ./configure; make STATIC=1) on an Alpine Linux Docker container (Linux
> 4.13.12-1-ARCH) with the latest Alpine Docker image (3.6 if I'm not
> mistaken). I run dropbear like this: "./dropbear -R" and can't login with
> proper credentials. With the "-E" switch I get the following:
>
> /root/dropbear -R -E
> [59] Dec 01 04:31:32 Running in background
> [60] Dec 01 04:31:36 Child connection from
> [60] Dec 01 04:31:36 Login attempt for nonexistent user from
>

i think you can use -vvv to see more detailed debug messages

From danielhilst at gmail.com Fri Dec 1 23:52:16 2017
From: danielhilst at gmail.com (Daniel.)
Date: Fri, 1 Dec 2017 13:52:16 -0200
Subject: Login attempt for nonexistent user on Alpine Linux
In-Reply-To: <20171201150152.GV15263@port70.net>
References: <20171201045108.Horde.H3H37tbUnrwLhv2ELFOUBhV@www.imp.polymtl.ca>
 <20171201150152.GV15263@port70.net>
Message-ID:

Can you log in with another user? The root login may be disabled by
security reasons.
2017-12-01 13:01 GMT-02:00 Szabolcs Nagy :

> * Hugo Genesse [2017-12-01 04:51:08 +0000]:
> > I've been trying to use dropbear (compiled myself statically with
> > ./configure; make STATIC=1) on an Alpine Linux Docker container (Linux
> > 4.13.12-1-ARCH) with the latest Alpine Docker image (3.6 if I'm not
> > mistaken). I run dropbear like this: "./dropbear -R" and can't login with
> > proper credentials. With the "-E" switch I get the following:
> >
> > /root/dropbear -R -E
> > [59] Dec 01 04:31:32 Running in background
> > [60] Dec 01 04:31:36 Child connection from
> > [60] Dec 01 04:31:36 Login attempt for nonexistent user from
> >
>
> i think you can use -vvv to see more detailed debug messages
>

--
"If you're going to try, go all the way. Otherwise, don't even start. ..."
Charles Bukowski

From matt at ucc.asn.au Sat Dec 2 00:53:33 2017
From: matt at ucc.asn.au (Matt Johnston)
Date: Fri, 01 Dec 2017 16:53:33 +0000
Subject: Login attempt for nonexistent user on Alpine Linux
In-Reply-To: <20171201045108.Horde.H3H37tbUnrwLhv2ELFOUBhV@www.imp.polymtl.ca>
References: <20171201045108.Horde.H3H37tbUnrwLhv2ELFOUBhV@www.imp.polymtl.ca>
Message-ID:

Hi Hugo,

Statically linking glibc isn't sufficient to make it standalone, you need
to copy the libnss libraries - glibc looks for those at runtime. Another
option is to build against musl libc instead.

Cheers,
Matt

On 1 December 2017 12:51:08 pm AWST, Hugo Genesse wrote:
>
>Hi!
>
>I've been trying to use dropbear (compiled myself statically with
>./configure; make STATIC=1) on an Alpine Linux Docker container (Linux
>4.13.12-1-ARCH) with the latest Alpine Docker image (3.6 if I'm not
>mistaken). I run dropbear like this: "./dropbear -R" and can't login
>with proper credentials. With the "-E" switch I get the following:
>
> /root/dropbear -R -E
>[59] Dec 01 04:31:32 Running in background
>[60] Dec 01 04:31:36 Child connection from
>[60] Dec 01 04:31:36 Login attempt for nonexistent user from
>
>My credentials are right and the command to connect is: "ssh
>root at 127.0.0.1" (the port is properly forwarded to the container).
>With the ssh client verbose option I get:
>
>debug1: Next authentication method: password
>root at 127.0.0.1's password:
>debug1: Authentications that can continue: publickey,password
>Permission denied, please try again.
>root at 127.0.0.1's password:
>debug1: Authentications that can continue: publickey,password
>Permission denied, please try again.
>root at 127.0.0.1's password:
>debug1: Authentications that can continue: publickey,password
>debug1: No more authentication methods to try.
>root at 127.0.0.1: Permission denied (publickey,password).
>
>and the root account exists as you can see here:
>
>cat /etc/passwd
>root:x:0:0:root:/root:/bin/ash
>[...]
>
>I've seen issues that seem similar on the web:
>https://lists.debian.org/debian-arm/2012/06/msg00056.html
>The ones I found were fixed by copying libnss to another location but
>shouldn't a statically dropbear already solve this problem?
>
>I also have telnet activated and I can login with root (don't worry
>this won't be put into production, it is for demonstration purposes
>only).
>
>Is there any other things I should check or modify to be able to login
>
>with dropbear?
>
>Thanks!

From hugo.genesse at polymtl.ca Sat Dec 2 01:07:25 2017
From: hugo.genesse at polymtl.ca (Hugo Genesse)
Date: Fri, 01 Dec 2017 17:07:25 +0000
Subject: Login attempt for nonexistent user on Alpine Linux
In-Reply-To:
References: <20171201045108.Horde.H3H37tbUnrwLhv2ELFOUBhV@www.imp.polymtl.ca>
 <20171201150152.GV15263@port70.net>
Message-ID: <20171201170725.Horde.udopSm115R6TkBee_n2EB_O@www.imp.polymtl.ca>

Hi!

First, thanks for your replies. I created another account:

admin:x:100:65533:Linux User,,,:/home/admin:/bin/ash

Here is the output of with -vvv:

debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
admin at 127.0.0.1's password:
debug3: send packet: type 50
debug2: we sent a password packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
admin at 127.0.0.1's password:
debug3: send packet: type 50
debug2: we sent a password packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
admin at 127.0.0.1's password:
debug3: send packet: type 50
debug2: we sent a password packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
admin at 127.0.0.1: Permission denied (publickey,password).

and in the dropbear logs I still get:

[67] Dec 01 17:03:47 Child connection from :40878
[67] Dec 01 17:03:47 Login attempt for nonexistent user from
[...]

I saw that I could create a configuration file in /etc/dropbear to allow
root logins but it seems to be enabled by default and I would prefer just
drop a binary on the device to enable ssh without changes to the system.
Here is the openwrt page I'm referring:
https://wiki.openwrt.org/doc/uci/dropbear

Thanks!

"Daniel." wrote:

> Can you log in with another user? The root login may be disabled by
> security reasons.
>
> 2017-12-01 13:01 GMT-02:00 Szabolcs Nagy :
>
>> * Hugo Genesse [2017-12-01 04:51:08 +0000]:
>> > I've been trying to use dropbear (compiled myself statically with
>> > ./configure; make STATIC=1) on an Alpine Linux Docker container (Linux
>> > 4.13.12-1-ARCH) with the latest Alpine Docker image (3.6 if I'm not
>> > mistaken). I run dropbear like this: "./dropbear -R" and can't login with
>> > proper credentials. With the "-E" switch I get the following:
>> >
>> > /root/dropbear -R -E
>> > [59] Dec 01 04:31:32 Running in background
>> > [60] Dec 01 04:31:36 Child connection from
>> > [60] Dec 01 04:31:36 Login attempt for nonexistent user from
>> >
>>
>> i think you can use -vvv to see more detailed debug messages
>>
>
>
>
> --
> "If you're going to try, go all the way. Otherwise, don't even start. ..."
> Charles Bukowski

From nsz at port70.net Sat Dec 2 01:30:40 2017
From: nsz at port70.net (Szabolcs Nagy)
Date: Fri, 1 Dec 2017 18:30:40 +0100
Subject: Login attempt for nonexistent user on Alpine Linux
In-Reply-To: <20171201170725.Horde.udopSm115R6TkBee_n2EB_O@www.imp.polymtl.ca>
References: <20171201045108.Horde.H3H37tbUnrwLhv2ELFOUBhV@www.imp.polymtl.ca> <20171201150152.GV15263@port70.net> <20171201170725.Horde.udopSm115R6TkBee_n2EB_O@www.imp.polymtl.ca>
Message-ID: <20171201173038.GW15263@port70.net>

* Hugo Genesse [2017-12-01 17:07:25 +0000]:
>
> First, thanks for your replies. I created another account:
>
> admin:x:100:65533:Linux User,,,:/home/admin:/bin/ash
>
> Here is the output of with -vvv:
>

you added -vvv on the client side instead of the server where the
problem is...
> debug3: authmethod_lookup password
> debug3: remaining preferred: ,password
> debug3: authmethod_is_enabled password
> debug1: Next authentication method: password
> admin@127.0.0.1's password:
> debug3: send packet: type 50
> debug2: we sent a password packet, wait for reply
> debug3: receive packet: type 51
> debug1: Authentications that can continue: publickey,password
> Permission denied, please try again.
> admin@127.0.0.1's password:
> debug3: send packet: type 50
> debug2: we sent a password packet, wait for reply
> debug3: receive packet: type 51
> debug1: Authentications that can continue: publickey,password
> Permission denied, please try again.
> admin@127.0.0.1's password:
> debug3: send packet: type 50
> debug2: we sent a password packet, wait for reply
> debug3: receive packet: type 51
> debug1: Authentications that can continue: publickey,password
> debug2: we did not send a packet, disable method
> debug1: No more authentication methods to try.
> admin@127.0.0.1: Permission denied (publickey,password).
>
> and in the dropbear logs I still get:
>
> [67] Dec 01 17:03:47 Child connection from :40878
> [67] Dec 01 17:03:47 Login attempt for nonexistent user from
> [...]
>

make it more verbose, you will see what part of the user
lookup fails.

> I saw that I could create a configuration file in /etc/dropbear to allow
> root logins but it seems to be enabled by default and I would prefer just
> drop a binary on the device to enable ssh without changes to the system.
> Here is the openwrt page I'm referring:
> https://wiki.openwrt.org/doc/uci/dropbear
>
> Thanks!
>
> "Daniel." wrote:
>
> > Can you log in with another user? The root login may be disabled by
> > security reasons.
> >
> > 2017-12-01 13:01 GMT-02:00 Szabolcs Nagy :
> >
> > > * Hugo Genesse [2017-12-01 04:51:08 +0000]:
> > > > I've been trying to use dropbear (compiled myself statically with
> > > > ./configure; make STATIC=1) on an Alpine Linux Docker container (Linux
> > > > 4.13.12-1-ARCH) with the latest Alpine Docker image (3.6 if I'm not
> > > > mistaken). I run dropbear like this: "./dropbear -R" and can't login with
> > > > proper credentials. With the "-E" switch I get the following:
> > > >
> > > > /root/dropbear -R -E
> > > > [59] Dec 01 04:31:32 Running in background
> > > > [60] Dec 01 04:31:36 Child connection from
> > > > [60] Dec 01 04:31:36 Login attempt for nonexistent user from
> > > >
> > >
> > > i think you can use -vvv to see more detailed debug messages
> > >
> >
> >
> >
> > --
> > "If you're going to try, go all the way. Otherwise, don't even start. ..."
> > Charles Bukowski
>
>

From nsz at port70.net Sat Dec 2 01:31:17 2017
From: nsz at port70.net (Szabolcs Nagy)
Date: Fri, 1 Dec 2017 18:31:17 +0100
Subject: Login attempt for nonexistent user on Alpine Linux
In-Reply-To:
References: <20171201045108.Horde.H3H37tbUnrwLhv2ELFOUBhV@www.imp.polymtl.ca>
Message-ID: <20171201173117.GX15263@port70.net>

* Matt Johnston [2017-12-01 16:53:33 +0000]:
> Statically linking glibc isn't sufficient to make

it's not glibc if it's on alpine linux

From hugo.genesse at polymtl.ca Sat Dec 2 02:57:02 2017
From: hugo.genesse at polymtl.ca (Hugo Genesse)
Date: Fri, 01 Dec 2017 18:57:02 +0000
Subject: Login attempt for nonexistent user on Alpine Linux
In-Reply-To: <20171201173038.GW15263@port70.net>
References: <20171201045108.Horde.H3H37tbUnrwLhv2ELFOUBhV@www.imp.polymtl.ca> <20171201150152.GV15263@port70.net> <20171201170725.Horde.udopSm115R6TkBee_n2EB_O@www.imp.polymtl.ca> <20171201173038.GW15263@port70.net>
Message-ID: <20171201185702.Horde.eVVyTOINi9Zgf6j9OwFBCTH@www.imp.polymtl.ca>

-vvv on dropbear doesn't seem to be a valid option:

67b4c38f79c6:/usr/lib# /root/dropbear -R -E -vvv
Invalid option -v

Is my command correct?

Szabolcs Nagy wrote:

> * Hugo Genesse [2017-12-01 17:07:25 +0000]:
>>
>> First, thanks for your replies. I created another account:
>>
>> admin:x:100:65533:Linux User,,,:/home/admin:/bin/ash
>>
>> Here is the output of with -vvv:
>>
>
> you added -vvv on the client side instead of the server where the
> problem is...
>
>> debug3: authmethod_lookup password
>> debug3: remaining preferred: ,password
>> debug3: authmethod_is_enabled password
>> debug1: Next authentication method: password
>> admin@127.0.0.1's password:
>> debug3: send packet: type 50
>> debug2: we sent a password packet, wait for reply
>> debug3: receive packet: type 51
>> debug1: Authentications that can continue: publickey,password
>> Permission denied, please try again.
>> admin@127.0.0.1's password:
>> debug3: send packet: type 50
>> debug2: we sent a password packet, wait for reply
>> debug3: receive packet: type 51
>> debug1: Authentications that can continue: publickey,password
>> Permission denied, please try again.
>> admin@127.0.0.1's password:
>> debug3: send packet: type 50
>> debug2: we sent a password packet, wait for reply
>> debug3: receive packet: type 51
>> debug1: Authentications that can continue: publickey,password
>> debug2: we did not send a packet, disable method
>> debug1: No more authentication methods to try.
>> admin@127.0.0.1: Permission denied (publickey,password).
>>
>> and in the dropbear logs I still get:
>>
>> [67] Dec 01 17:03:47 Child connection from :40878
>> [67] Dec 01 17:03:47 Login attempt for nonexistent user from
>> [...]
>>
>
> make it more verbose, you will see what part of the user
> lookup fails.
>
>> I saw that I could create a configuration file in /etc/dropbear to allow
>> root logins but it seems to be enabled by default and I would prefer just
>> drop a binary on the device to enable ssh without changes to the system.
>> Here is the openwrt page I'm referring:
>> https://wiki.openwrt.org/doc/uci/dropbear
>>
>> Thanks!
>>
>> "Daniel." wrote:
>>
>> > Can you log in with another user? The root login may be disabled by
>> > security reasons.
>> >
>> > 2017-12-01 13:01 GMT-02:00 Szabolcs Nagy :
>> >
>> > > * Hugo Genesse [2017-12-01 04:51:08 +0000]:
>> > > > I've been trying to use dropbear (compiled myself statically with
>> > > > ./configure; make STATIC=1) on an Alpine Linux Docker container (Linux
>> > > > 4.13.12-1-ARCH) with the latest Alpine Docker image (3.6 if I'm not
>> > > > mistaken). I run dropbear like this: "./dropbear -R" and can't login with
>> > > > proper credentials. With the "-E" switch I get the following:
>> > > >
>> > > > /root/dropbear -R -E
>> > > > [59] Dec 01 04:31:32 Running in background
>> > > > [60] Dec 01 04:31:36 Child connection from
>> > > > [60] Dec 01 04:31:36 Login attempt for nonexistent user from
>> > > >
>> > >
>> > > i think you can use -vvv to see more detailed debug messages
>> > >
>> >
>> >
>> >
>> > --
>> > "If you're going to try, go all the way. Otherwise, don't even start. ..."
>> > Charles Bukowski
>>
>>

From nsz at port70.net Sat Dec 2 03:08:49 2017
From: nsz at port70.net (Szabolcs Nagy)
Date: Fri, 1 Dec 2017 20:08:49 +0100
Subject: Login attempt for nonexistent user on Alpine Linux
In-Reply-To: <20171201185702.Horde.eVVyTOINi9Zgf6j9OwFBCTH@www.imp.polymtl.ca>
References: <20171201045108.Horde.H3H37tbUnrwLhv2ELFOUBhV@www.imp.polymtl.ca> <20171201150152.GV15263@port70.net> <20171201170725.Horde.udopSm115R6TkBee_n2EB_O@www.imp.polymtl.ca> <20171201173038.GW15263@port70.net> <20171201185702.Horde.eVVyTOINi9Zgf6j9OwFBCTH@www.imp.polymtl.ca>
Message-ID: <20171201190849.GY15263@port70.net>

* Hugo Genesse [2017-12-01 18:57:02 +0000]:
>
> -vvv on dropbear doesn't seem to be a valid option:
>
> 67b4c38f79c6:/usr/lib# /root/dropbear -R -E -vvv
> Invalid option -v
>
> Is my command correct?
>

ah -v is only supported if dropbear is built with CFLAGS=-DDEBUG_TRACE
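
[Added example, not part of any message in this thread and not Dropbear code.] The symptom above is an account that is visible in /etc/passwd while the server logs a nonexistent user. This diagnostic assumes the failing step is the C library's getpwnam() lookup and compares that call with a direct read of the file; the function names are hypothetical, and it should be built with the same toolchain and static flags as the failing binary.

```c
/* Added diagnostic (not Dropbear code): does this binary's libc lookup
 * agree with what /etc/passwd contains? Function names are hypothetical. */
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>

enum verdict { USER_OK, USER_MISSING, LIBC_LOOKUP_BROKEN, LIBC_ONLY };

/* Return 1 if passwd-format text has a line whose first field equals name. */
int passwd_text_has_user(const char *text, const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || strchr(name, ':'))
        return 0;
    for (const char *line = text; line && *line; ) {
        if (strncmp(line, name, n) == 0 && line[n] == ':')
            return 1;
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return 0;
}

/* Combine "entry is in the file" with "getpwnam() returned it". */
enum verdict classify(int in_file, int libc_found)
{
    if (in_file)
        return libc_found ? USER_OK : LIBC_LOOKUP_BROKEN;
    return libc_found ? LIBC_ONLY : USER_MISSING; /* LIBC_ONLY: non-file backend */
}

int main(int argc, char **argv)
{
    static char buf[65536];
    static const char *msg[] = { "ok", "no such user",
        "in /etc/passwd but getpwnam() failed", "found by libc only" };
    const char *name = argc > 1 ? argv[1] : "root";
    FILE *f = fopen("/etc/passwd", "r");
    size_t len = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f)
        fclose(f);
    buf[len] = '\0';

    errno = 0;
    int found = getpwnam(name) != NULL;
    int saved = errno; /* nonzero hints at a failed lookup, not a missing user */
    enum verdict v = classify(passwd_text_has_user(buf, name), found);
    printf("%s: %s (errno=%d)\n", name, msg[v], saved);
    return v == USER_OK ? 0 : 1;
}
```

A result of "in /etc/passwd but getpwnam() failed" points at the C library's lookup path in that build rather than at the account or the password.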