From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <75c0d821d2062daac614f3d627277dbf@krabbe.dyndns.org>
To: <9fans@9fans.net>
Date: Wed, 21 Jan 2015 11:33:16 +0100
From: Ingo Krabbe
In-Reply-To:
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Subject: Re: [9fans] ssh2 (at least the legacy version) seems incompatible
Topicbox-Message-UUID: 3af7097e-ead9-11e9-9d60-3106f5b1d025

Actually openssh-6.7 disabled some "insecure" key exchange algorithms and ciphers, and the plan9 netssh command seems to offer some key exchange that it does not support fully.

To allow communication with openssh-6.7 servers, as one used to with <=openssh-6.6 servers, it seems most convenient to me to set up /etc/ssh/sshd_config of the openssh server to allow the "insecure" algorithms that are wiped out of the default algorithms the openssh servers offer.

The sshd_config lines that allow the needed algorithms and honour the defaults of the new version of the openssh-6.7 server (as described on the manual page) are:

# Ciphers and keying
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

regards,
ingo

> ok, i found some more diagnostic messages in /sys/log/sshdebug:
>
> p9 Jan 21 10:55:48 netssh: client user @192.168.1.12 id 0 id string `SSH-2.0-OpenSSH_6.7p1-hpn14v5
> p9 Jan 21 10:55:48 netssh: client user @192.168.1.12 id 0 sent KEX algs: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
> …
> p9 Jan 21 10:55:49 netssh: client user @192.168.1.12 id 0 using diffie-hellman-group14-sha1 Kex algorithm and ssh-rsa PKA
>
> in contrast to:
> p9 Jan 21 10:57:31 netssh: client user @192.168.122.6 id 0 id string `SSH-2.0-OpenSSH_6.6.1p1-hpn14v5
> …
> p9 Jan 21 10:57:31 netssh: client user @192.168.122.6 id 0 using diffie-hellman-group1-sha1 Kex algorithm and ssh-rsa PKA
>
> The problem might be that `dh.c` has an empty implementation of `dh_client142`
>
> Kex dh1sha1 = {
> 	"diffie-hellman-group1-sha1",
> 	dh_server1,
> 	dh_client11,
> 	dh_client12
> };
>
> Kex dh14sha1 = {
> 	"diffie-hellman-group14-sha1",
> 	dh_server14,
> 	dh_client141,
> 	dh_client142
> };
>
>
>> Hi,
>>
>> the netssh key exchange seems to be incompatible with openssh-6.7.
>>
>> I installed a new version of openssh on a gentoo host recently, that automatically came in as a stable update package for a gentoo-amd64 system:
>>
>> OpenSSH_6.7p1-hpn14v5, OpenSSL 1.0.1k 8 Jan 2015
>>
>> When calling this system with a plan9 (legacy) ssh2, the netssh process does not provide any data in /net/ssh/keys. The read at /sys/src/cmd/ssh2/ssh2.c:/^keyproc/+19 reads n=0 bytes when connecting to the version of OpenSSH above.
>>
>> I don't understand enough of the netssh keyfile infrastructure to debug this logistic behaviour of /net/ssh/keys.
>>
>> A downgrade to
>>
>> OpenSSH_6.6p1-hpn14v4, OpenSSL 1.0.1k 8 Jan 2015
>>
>> gives me ssh access to the gentoo system again.
>>
>> If I find out more, I will post a followup. But maybe it would be helpful if someone with more insight into netssh tries to resolve this bug.
>>
>> regards,
>>
>> ingo krabbe
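The workaround above re-enables algorithms that OpenSSH 6.7 deliberately dropped from its defaults (the SHA-1 DH groups, including the 1024-bit group1, and the CBC cipher). An administrator applying it should be able to see exactly which legacy entries are now on. The following is an added example, not code from the 9fans posters or from OpenSSH: it parses an sshd_config, collects the Ciphers / KexAlgorithms / MACs lists, and reports the entries that match legacy patterns. The pattern set, the sample config text and the handling of the newer `+`/`-`/`^` list prefixes are this example's own assumptions.

```python
"""Added example (not from the 9fans thread or OpenSSH): report legacy
algorithms enabled in an sshd_config so the compatibility trade-off is
visible. Classification patterns below are this example's own assumptions."""
import re

# Constructed sample: the two directives quoted in the thread plus unrelated
# lines that the parser must skip.
SAMPLE_SSHD_CONFIG = """\
Port 22
# Ciphers and keying
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
PermitRootLogin no
"""

# Directives whose value is a comma-separated algorithm list.
LIST_DIRECTIVES = {"ciphers", "kexalgorithms", "macs"}

# Assumed classification: SHA-1 based DH key exchange, CBC-mode or RC4
# ciphers, and MD5/SHA-1 MACs count as legacy.
LEGACY_PATTERNS = {
    "kexalgorithms": [re.compile(r".*-sha1$")],
    "ciphers": [re.compile(r".*-cbc$"), re.compile(r"^arcfour")],
    "macs": [re.compile(r"^hmac-md5"), re.compile(r"^hmac-sha1(-96)?$")],
}

# sshd_config accepts "Key value" or "Key=value" (optional whitespace around =).
_DIRECTIVE_RE = re.compile(r"^(\S+?)(?:\s+|\s*=\s*)(.+)$")


def parse_sshd_config(text):
    """Return {directive: {"mode": m, "values": [...]}} for list directives.

    mode is "replace" for a plain list, or "+", "-", "^" when the prefix
    syntax of newer OpenSSH versions (append/remove/prepend relative to the
    defaults) is used. Comment and blank lines are skipped, as are
    directives that are not algorithm lists.
    """
    parsed = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key not in LIST_DIRECTIVES:
            continue
        mode = "replace"
        if value[0] in "+-^":
            mode, value = value[0], value[1:]
        values = [v.strip() for v in value.split(",") if v.strip()]
        # sshd keeps the first occurrence of a keyword; mirror that here.
        parsed.setdefault(key, {"mode": mode, "values": values})
    return parsed


def legacy_algorithms(parsed):
    """Map each directive to the entries matching a legacy pattern.

    A "-" (remove) list is skipped, since those names are being disabled,
    not enabled. The original list order is preserved.
    """
    findings = {}
    for key, entry in parsed.items():
        if entry["mode"] == "-":
            continue
        pats = LEGACY_PATTERNS.get(key, [])
        hits = [v for v in entry["values"] if any(p.match(v) for p in pats)]
        if hits:
            findings[key] = hits
    return findings


def check_config(text):
    """Parse sshd_config text and return the legacy findings per directive."""
    return legacy_algorithms(parse_sshd_config(text))


if __name__ == "__main__":
    for key, hits in check_config(SAMPLE_SSHD_CONFIG).items():
        print(f"{key}: legacy entries enabled -> {', '.join(hits)}")
```

Run against the sample, the checker flags `aes128-cbc` under Ciphers and the two `-sha1` DH groups under KexAlgorithms, which is precisely the set the workaround adds back; pointing it at a real `/etc/ssh/sshd_config` shows whether such entries are still present once the legacy client no longer needs them.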