ssh login stuck at "expecting SSH2_MSG_KEX_ECDH_REPLY"
walter harms
wharms at bfs.de
Mon Oct 23 19:55:57 AWST 2017
Hello Hari,
nothing special just a hint
when sending logs just replace real IPs with something like 192.168.1.*
otherwise you may reveal information you do not want to reveal.
Just remember that searchengines will find you post now and in 10 years.
re,
wh
Am 23.10.2017 13:12, schrieb Hariharasubramanian Ramasubramanian:
>
> ssh login gets stuck at "expecting SSH2_MSG_KEX_ECDH_REPLY" at random.
>
> However forcing ssh to use 3des cipher suite makes the login go through.
>
> What causes the login to succeed when cipher suite is forced but fail
> otherwise ?
>
> Here are the debug for 3 different use cases:
> 1) successful login attempt
> 2) failed login attempt
> 3) forced 3des cipher suite
>
> ==============================================================================
> 1) Successful login attempt
> ==============================================================================
> -bash-4.1$ ssh -vvv root at wsbmc011
> OpenSSH_5.8p2, OpenSSL 1.0.0g 18 Jan 2012
> debug1: Reading configuration
> data /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/config
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to wsbmc011 [9.3.21.42] port 22.
> debug1: Connection established.
> debug3: Incorrect RSA1 identifier
> debug3: Could not load
> "/gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_rsa" as a RSA1 public
> key
> debug2: key_type_from_name: unknown key type '-----BEGIN'
> debug3: key_read: missing keytype
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug2: key_type_from_name: unknown key type '-----END'
> debug3: key_read: missing keytype
> debug1: identity
> file /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_rsa type 1
> debug1: identity
> file /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_rsa-cert type -1
> debug1: identity
> file /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_dsa type -1
> debug1: identity
> file /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_dsa-cert type -1
> debug1: identity
> file /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_ecdsa type -1
> debug1: identity
> file /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_ecdsa-cert type -1
> debug1: Remote protocol version 2.0, remote software version
> dropbear_2016.74
> debug1: no match: dropbear_2016.74
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.8
> debug2: fd 3 setting O_NONBLOCK
> debug3: load_hostkeys: loading entries for host "wsbmc011" from file
> "/gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/known_hosts"
> debug3: load_hostkeys: found key type RSA in
> file /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/known_hosts:23
> debug3: load_hostkeys: loaded 1 keys
> debug3: order_hostkeyalgs: prefer hostkeyalgs:
> ssh-rsa-cert-v01 at openssh.com,ssh-rsa-cert-v00 at openssh.com,ssh-rsa
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit:
> ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit:
> ssh-rsa-cert-v01 at openssh.com,ssh-rsa-cert-v00 at openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01 at openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ssh-dss-cert-v01 at openssh .com,ssh-dss-cert-v00 at openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-
>
> sha2-nistp521,ssh-dss
> debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
> debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
> debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit:
> curve25519-sha256 at libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,kexguess2 at matt.ucc.asn.au
> debug2: kex_parse_kexinit: ssh-rsa
> debug2: kex_parse_kexinit:
> aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc,twofish256-cbc,twofish-cbc,twofish128-cbc,3des-ctr,3des-cbc
> debug2: kex_parse_kexinit:
> aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc,twofish256-cbc,twofish-cbc,twofish128-cbc,3des-ctr,3des-cbc
> debug2: kex_parse_kexinit:
> hmac-sha1-96,hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-md5
> debug2: kex_parse_kexinit:
> hmac-sha1-96,hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-md5
> debug2: kex_parse_kexinit: zlib at openssh.com,none
> debug2: kex_parse_kexinit: zlib at openssh.com,none
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_setup: found hmac-md5
> debug1: kex: server->client aes128-ctr hmac-md5 none
> debug2: mac_setup: found hmac-md5
> debug1: kex: client->server aes128-ctr hmac-md5 none
> debug1: sending SSH2_MSG_KEX_ECDH_INIT
> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> debug1: Server host key: RSA
> 70:28:98:8f:c1:8b:0e:33:a2:cc:e5:3d:c3:d0:f3:82
> debug3: load_hostkeys: loading entries for host "wsbmc011" from file
> "/gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/known_hosts"
> debug3: load_hostkeys: found key type RSA in
> file /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/known_hosts:23
> debug3: load_hostkeys: loaded 1 keys
> debug3: load_hostkeys: loading entries for host "9.3.21.42" from file
> "/gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/known_hosts"
> debug3: load_hostkeys: found key type RSA in
> file /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/known_hosts:15
> debug3: load_hostkeys: loaded 1 keys
> debug1: Host 'wsbmc011' is known and matches the RSA host key.
> debug1: Found key
> in /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/known_hosts:23
> debug1: ssh_rsa_verify: signature correct
> debug2: kex_derive_keys
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: Roaming not allowed by server
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug2: key: /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_rsa
> (0x9dd410)
> debug2: key: /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_dsa
> ((nil))
> debug2: key: /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_ecdsa
> ((nil))
> debug1: Authentications that can continue: publickey,password
> debug3: start over, passed a different list publickey,password
> debug3: preferred publickey,keyboard-interactive,password
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Offering RSA public
> key: /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_rsa
> debug3: send_pubkey_test
> debug2: we sent a publickey packet, wait for reply
> debug1: Authentications that can continue: publickey,password
> debug1: Trying private
> key: /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_dsa
> debug3: no such
> identity: /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_dsa
> debug1: Trying private
> key: /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_ecdsa
> debug3: no such
> identity: /gsa/ausgsa/projects/i/indiateam04/hramasub/.ssh/id_ecdsa
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup password
> debug3: remaining preferred: ,password
> debug3: authmethod_is_enabled password
> debug1: Next authentication method: password
> root at wsbmc011's password:
> ==============================================================================
> 2) failed login attempt
> ==============================================================================
> $ ssh -v root at wsbmc011
> OpenSSH_5.8p2, OpenSSL 1.0.0g 18 Jan 2012
> debug1: Reading configuration
> data /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/config
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug1: Connecting to wsbmc011 [9.3.21.42] port 22.
> debug1: Connection established.
> debug1: identity
> file /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_rsa type 1
> debug1: identity
> file /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_rsa-cert type -1
> debug1: identity
> file /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_dsa type -1
> debug1: identity
> file /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_dsa-cert type -1
> debug1: identity
> file /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_ecdsa type -1
> debug1: identity
> file /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_ecdsa-cert type -1
> debug1: Remote protocol version 2.0, remote software version
> dropbear_2016.74
> debug1: no match: dropbear_2016.74
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.8
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client aes128-ctr hmac-md5 none
> debug1: kex: client->server aes128-ctr hmac-md5 none
> debug1: sending SSH2_MSG_KEX_ECDH_INIT
> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> ==============================================================================
> 3) forced 3des cipher suite
> ==============================================================================
> $ ssh -c 3des -v root at wsbmc011
> OpenSSH_5.8p2, OpenSSL 1.0.0g 18 Jan 2012
> debug1: Reading configuration
> data /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/config
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug1: Connecting to wsbmc011 [9.3.21.42] port 22.
> debug1: Connection established.
> debug1: identity
> file /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_rsa type 1
> debug1: identity
> file /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_rsa-cert type -1
> debug1: identity
> file /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_dsa type -1
> debug1: identity
> file /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_dsa-cert type -1
> debug1: identity
> file /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_ecdsa type -1
> debug1: identity
> file /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_ecdsa-cert type -1
> debug1: Remote protocol version 2.0, remote software version
> dropbear_2016.74
> debug1: no match: dropbear_2016.74
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.8
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client 3des-cbc hmac-md5 none
> debug1: kex: client->server 3des-cbc hmac-md5 none
> debug1: sending SSH2_MSG_KEX_ECDH_INIT
> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> debug1: Server host key: RSA
> 70:28:98:8f:c1:8b:0e:33:a2:cc:e5:3d:c3:d0:f3:82
> debug1: Host 'wsbmc011' is known and matches the RSA host key.
> debug1: Found key
> in /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/known_hosts:26
> debug1: ssh_rsa_verify: signature correct
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: Roaming not allowed by server
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue: publickey,password
> debug1: Next authentication method: publickey
> debug1: Offering RSA public
> key: /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_rsa
> debug1: Authentications that can continue: publickey,password
> debug1: Trying private
> key: /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_dsa
> debug1: Trying private
> key: /gsa/ausgsa/projects/i/indiateam04/gkeishin/.ssh/id_ecdsa
> debug1: Next authentication method: password
> root at wsbmc011's password:
>
> Thanks in advance,
> Hari !
>
> Hariharasubramanian R.
> Power Firmware Development
> IBM India Systems & Technology Lab, Bangalore, India
> Phone: +91 80 4025 6950
>
More information about the Dropbear
mailing list