From: Ingo Krabbe <ikrabbe.ask@gmail.com>
To: <9fans@9fans.net>
Subject: Re: [9fans] ssh2 (at least the legacy version) seems incompatible
Date: Wed, 21 Jan 2015 11:33:16 +0100 [thread overview]
Message-ID: <75c0d821d2062daac614f3d627277dbf@krabbe.dyndns.org> (raw)
In-Reply-To: <a8fa71495f69c3f5d4ff06cee54faef8@krabbe.dyndns.org>
Actually openssh-6.7 disabled some "insecure" key exchange algorithms and ciphers, and the plan9 netssh command seems to offer some key exchange that it does not fully support.
To allow communication with openssh-6.7 servers, as was possible with <=openssh-6.6 servers, it seems most convenient to me to set up /etc/ssh/sshd_config of the openssh server to allow the "insecure" algorithms that are wiped out of the default algorithms the openssh servers offer.
The sshd_config lines that allow the needed algorithms and honour the defaults of the new version of the openssh-6.7 server (as described on the manual page) are:
# Ciphers and keying
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
regards,
ingo
> ok, i found some more diagnostic messages in /sys/log/sshdebug:
>
> p9 Jan 21 10:55:48 netssh: client user <nil>@192.168.1.12 id 0 id string `SSH-2.0-OpenSSH_6.7p1-hpn14v5
> p9 Jan 21 10:55:48 netssh: client user <nil>@192.168.1.12 id 0 sent KEX algs: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
> …
> p9 Jan 21 10:55:49 netssh: client user <nil>@192.168.1.12 id 0 using diffie-hellman-group14-sha1 Kex algorithm and ssh-rsa PKA
>
> in contrast to:
> p9 Jan 21 10:57:31 netssh: client user <nil>@192.168.122.6 id 0 id string `SSH-2.0-OpenSSH_6.6.1p1-hpn14v5
> …
> p9 Jan 21 10:57:31 netssh: client user <nil>@192.168.122.6 id 0 using diffie-hellman-group1-sha1 Kex algorithm and ssh-rsa PKA
>
> The problem might be that `dh.c` has an empty implementation of `dh_client142`
>
> Kex dh1sha1 = {
>     "diffie-hellman-group1-sha1",
>     dh_server1,
>     dh_client11,
>     dh_client12
> };
>
> Kex dh14sha1 = {
>     "diffie-hellman-group14-sha1",
>     dh_server14,
>     dh_client141,
>     dh_client142
> };
>
>
>> Hi,
>>
>> the netssh key exchange seems to be incompatible with openssh-6.7.
>>
>> I installed a new version of openssh on a gentoo host recently, which automatically came in as a stable update package for a gentoo-amd64 system:
>>
>> OpenSSH_6.7p1-hpn14v5, OpenSSL 1.0.1k 8 Jan 2015
>>
>> When calling this system with a plan9 (legacy) ssh2, the netssh process does not provide any data in /net/ssh/keys. The read at /sys/src/cmd/ssh2/ssh2.c:/^keyproc/+19 reads n=0 bytes when connecting to the version of OpenSSH above.
>>
>> I don't understand enough of the netssh keyfile infrastructure to debug this logistic behaviour of /net/ssh/keys.
>>
>> A downgrade to
>>
>> OpenSSH_6.6p1-hpn14v4, OpenSSL 1.0.1k 8 Jan 2015
>>
>> gives me ssh access to the gentoo system again.
>>
>> If I find out more, I will post a follow-up. But maybe it would be helpful if someone with more insight into netssh tries to resolve this bug.
>>
>> regards,
>>
>> ingo krabbe