9fans - fans of the OS Plan 9 from Bell Labs
From: Ingo Krabbe <ikrabbe.ask@gmail.com>
To: <9fans@9fans.net>
Subject: Re: [9fans] ssh2 (at least the legacy version) seems incompatible
Date: Wed, 21 Jan 2015 11:33:16 +0100	[thread overview]
Message-ID: <75c0d821d2062daac614f3d627277dbf@krabbe.dyndns.org> (raw)
In-Reply-To: <a8fa71495f69c3f5d4ff06cee54faef8@krabbe.dyndns.org>

Actually openssh-6.7 disabled some "insecure" key exchange algorithms and ciphers and the plan9 netssh command seems to offer some key exchange that it does not support fully.

To allow communication with openssh-6.7 servers, as one is used to with <=openssh-6.6 servers, it seems most convenient to me to set up /etc/ssh/sshd_config of the openssh server to allow the "insecure" algorithms that are wiped out of the default algorithms the openssh servers offer.

The sshd_config lines that allow the needed algorithms and honour the defaults of the new version of the openssh-6.7 server (as described on the manual page) are:

# Ciphers and keying
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

regards,

ingo

> ok, i found some more diagnostic messages in /sys/log/sshdebug:
> 
> 	p9 Jan 21 10:55:48 netssh: client user <nil>@192.168.1.12 id 0 id string `SSH-2.0-OpenSSH_6.7p1-hpn14v5
> 	p9 Jan 21 10:55:48 netssh: client user <nil>@192.168.1.12 id 0 sent KEX algs: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
> 	…
> 	p9 Jan 21 10:55:49 netssh: client user <nil>@192.168.1.12 id 0 using diffie-hellman-group14-sha1 Kex algorithm and ssh-rsa PKA
> 
> in contrast to:
> 	p9 Jan 21 10:57:31 netssh: client user <nil>@192.168.122.6 id 0 id string `SSH-2.0-OpenSSH_6.6.1p1-hpn14v5
> 	…
> 	p9 Jan 21 10:57:31 netssh: client user <nil>@192.168.122.6 id 0 using diffie-hellman-group1-sha1 Kex algorithm and ssh-rsa PKA
> 
> The problem might be that `dh.c` has an empty implementation of `dh_client142`
> 
> 	Kex dh1sha1 = {
> 		"diffie-hellman-group1-sha1",
> 		dh_server1,
> 		dh_client11,
> 		dh_client12
> 	};
> 	
> 	Kex dh14sha1 = {
> 		"diffie-hellman-group14-sha1",
> 		dh_server14,
> 		dh_client141,
> 		dh_client142
> 	};
> 
> 
>> Hi,
>> 
>> the netssh key exchange seems to be incompatible with openssh-6.7.
>> 
>> I installed a new version of openssh on a gentoo host recently, that automatically came in as a stable update package for a gentoo-amd64 system:
>> 
>> 	OpenSSH_6.7p1-hpn14v5, OpenSSL 1.0.1k 8 Jan 2015
>> 
>> When calling this system with a plan9 (legacy) ssh2, the netssh process does not provide any data in /net/ssh/keys. The read at /sys/src/cmd/ssh2/ssh2.c:/^keyproc/+19, reads n=0 bytes when connecting to the version of OpenSSH above.
>> 
>> I don't understand enough of the netssh keyfile infrastructure to debug this logistic behaviour of /net/ssh/keys.
>> 
>> A downgrade to
>> 
>> 	OpenSSH_6.6p1-hpn14v4, OpenSSL 1.0.1k 8 Jan 2015
>> 
>> gives me ssh access to the gentoo system again.
>> 
>> If I find out more, I will post a followup. But maybe it would be helpful if someone with more insight into netssh tries to resolve this bug.
>> 
>> regards,
>> 
>> ingo krabbe
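As an added illustration (my own code, not from the post or from Plan 9's netssh sources), here is the RFC 4253 negotiation rule applied to the name-lists in this thread: the client list comes from the quoted sshdebug log, the "strict" server list is a constructed assumption standing in for a server that no longer offers group1, and the patched list is the sshd_config from the post. It also reports which of the re-enabled entries are legacy algorithms, so the trade-off is visible before the config goes live.

```python
# Added example, not code from the 9fans post or from Plan 9's netssh: a minimal model
# of the SSH algorithm negotiation rule (RFC 4253 section 7.1) applied to the name-lists
# seen in this thread. Host-key compatibility and first-KEX-packet guessing are ignored.

# Taken from the sshdebug lines quoted in the thread: what the netssh client offers.
NETSSH_KEX = "diffie-hellman-group1-sha1,diffie-hellman-group14-sha1"

# Constructed (an assumption, not an actual OpenSSH default list): a server that no
# longer offers group1, mimicking the 6.7 behaviour visible in the log.
STRICT_SERVER_KEX = ("curve25519-sha256@libssh.org,ecdh-sha2-nistp256,"
                     "diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1")

# The sshd_config lines proposed in the post above.
PATCHED_CONFIG = """\
# Ciphers and keying
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
"""

# Algorithms the post describes as "insecure", with the reason a reviewer would cite.
LEGACY = {
    "diffie-hellman-group1-sha1": "1024-bit MODP group; too small for long-term use",
    "aes128-cbc": "CBC mode; SSH CBC ciphers have known plaintext-recovery weaknesses",
}

def negotiate(client_list, server_list):
    """RFC 4253 rule: the first name on the client's list that the server also offers."""
    offered = set(server_list.split(","))
    for name in client_list.split(","):
        if name in offered:
            return name
    return None  # no common algorithm: the connection fails at KEXINIT

def parse_sshd_config(text):
    """Pick the Ciphers and KexAlgorithms name-lists out of sshd_config text."""
    lists = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key in ("Ciphers", "KexAlgorithms"):
            lists[key] = value.strip()
    return lists

def legacy_entries(config_text):
    """Map each keyword to the legacy algorithms its name-list re-enables."""
    found = {}
    for key, value in parse_sshd_config(config_text).items():
        found[key] = [name for name in value.split(",") if name in LEGACY]
    return found
```

Against the strict list the client ends up on diffie-hellman-group14-sha1 (the path the log shows failing in netssh), while the patched list lets the client's first preference, diffie-hellman-group1-sha1, win.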






Thread overview: 4+ messages
2015-01-21  9:10 [9fans] ssh2 (at least the legacy version) seems incompatible with openssh-6.7 Ingo Krabbe
2015-01-21 10:08 ` [9fans] ssh2 (at least the legacy version) seems incompatible with Ingo Krabbe
2015-01-21 10:33   ` Ingo Krabbe [this message]
2015-01-27 15:16   ` Brian L. Stuart
