From: Mick <michaelkintzios@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Ssh problem : half-solved
Date: Tue, 12 Mar 2019 10:49:23 +0000
Message-ID: <1957877.GUPDyC2qnI@dell_xps>
In-Reply-To: <20190312100207.GO1934@ca.inter.net>
Hi Philip,
On Tuesday, 12 March 2019 10:02:07 GMT Philip Webb wrote:
> 190311 Neil Bothwick wrote:
> > Do you have any other Host stanzas in the config?
>
> No : /etc/ssh/ssh_config has the following uncommented lines :
>
> # Send locale environment variables. #367017
> SendEnv LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
> # Send COLORTERM to match TERM. #658540
> SendEnv COLORTERM
> # PP 190312
> Host 128.100.160.1
> KexAlgorithms +diffie-hellman-group1-sha1
> # Ciphers 3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr
>
> I tried adding the 'Ciphers' line, which is mentioned in the I/net page,
> but Ssh chokes, so I commented it again :
The ciphers do not come into play until the key exchange algos have been
agreed upon. In your case the handshake does not reach this far and therefore
you do not need (yet) to specify any additional ciphers. The server problem
is still with the KexAlgorithms.
> ~/.ssh/config has :
>
> Host 128.100.160.1
> KexAlgorithms +diffie-hellman-group1-sha1
>
> The latest output ('538' above) shows that it reads ~/.ssh/config ,
> but apparently doesn't find what it wants there
> & therefore goes on to /etc/ssh/ssh_config , on which it chokes.
> Without the 'Cipher' line in the latter, it carries on with the handshake,
> but eventually can't do the key exchange.
>
> I've just looked at the USE flags :
>
> root:528 ssh> eix net-misc/openssh
> Available versions: 7.5_p1-r4 7.7_p1-r9^t 7.9_p1-r4^t {X X509 audit
> bindist debug (+)hpn kerberos ldap ldns libedit libressl livecd pam +pie
> sctp selinux skey ssh1 +ssl static test ABI_MIPS="n32" KERNEL="linux"}
> Installed versions: 7.9_p1-r4^t([2019-03-09 22:25:11])(X ssl -X509 -audit
> -bindist -debug -hpn -kerberos -ldns -libedit -libressl -livecd -pam -pie
> -sctp -selinux -static -test ABI_MIPS="-n32" KERNEL="linux")
>
> NB Eix shows a Use flag 'ssh1', which Euses describes as :
>
> net-misc/openssh:ssh1 - Support the legacy/weak SSH1 protocol
If you watch The Matrix, a 20-year-old film, you will see why ssh version 1
should be disabled by default, or the machine on which it is enabled isolated
from the Internet.
> Can anyone offer further advice ? -- Thanks so far.
I suggest you remove all settings for Host 128.100.160.1 from the
/etc/ssh/ssh_config file and place them in your ~/.ssh/config file only. Then run ssh:
ssh -v 128.100.160.1
and check for a line like this:
debug1: Reading configuration data /home/purslow/.ssh/config
debug1: /home/purslow/.ssh/config line xx: Applying options for 128.100.160.1
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 128.100.160.1 ... blah-blah
This will show you if ~/.ssh/config is being sourced, if the lines you have
specified for Host 128.100.160.1 therein are being parsed by ssh and if the
connection is attempted.
The line which should come next is:
debug1: Connection established.
which will be followed with algos and ciphers exchange.
HTH.
--
Regards,
Mick
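
Added example, not part of the message above: the check Mick describes, written as a shell function that reads saved `ssh -v` output and reports the first stage that did not happen. The function name, stage labels and both sample logs are constructed here; the `kex: algorithm:` and `Unable to negotiate` line formats are assumed to be those an OpenSSH 7.x client prints, since the message does not quote them.

```shell
#!/bin/sh
# Added example: report how far an `ssh -v` run got, from its saved debug output.
# Real use: ssh -v 128.100.160.1 2>ssh.log
#           ssh_stage 128.100.160.1 "$HOME/.ssh/config" <ssh.log

ssh_stage() {   # $1 = Host pattern expected to match, $2 = per-user config path
    awk -v host="$1" -v cfg="$2" '
        index($0, "Reading configuration data " cfg)       { read_cfg = 1 }
        # The pattern of the matching Host block is the last field of this line.
        index($0, cfg " line") && /Applying options for/ && $NF == host { applied = 1 }
        index($0, "Connection established.")               { connected = 1 }
        index($0, "no matching key exchange method found") { kex_fail = 1 }
        index($0, "debug1: kex: algorithm: ")              { kex_ok = 1 }
        END {
            if (!read_cfg)       print "user-config-not-read"
            else if (!applied)   print "host-block-not-applied"
            else if (!connected) print "no-connection"
            else if (kex_fail)   print "kex-mismatch"
            else if (kex_ok)     print "kex-agreed"
            else                 print "connected-kex-pending"
        }'
}

# Constructed log: the user config is read but no Host block is applied,
# so the extra KexAlgorithms setting never takes effect.
sample_unapplied() { cat <<'EOF'
debug1: Reading configuration data /home/purslow/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 128.100.160.1 [128.100.160.1] port 22.
debug1: Connection established.
Unable to negotiate with 128.100.160.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
EOF
}

# Constructed log: the Host block is applied and key exchange is agreed.
sample_applied() { cat <<'EOF'
debug1: Reading configuration data /home/purslow/.ssh/config
debug1: /home/purslow/.ssh/config line 1: Applying options for 128.100.160.1
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 128.100.160.1 [128.100.160.1] port 22.
debug1: Connection established.
debug1: kex: algorithm: diffie-hellman-group1-sha1
EOF
}

sample_unapplied | ssh_stage 128.100.160.1 /home/purslow/.ssh/config
sample_applied   | ssh_stage 128.100.160.1 /home/purslow/.ssh/config
```

The Host pattern is compared exactly against the last field of the "Applying options" line, so a block written for a different address or for `*` is not counted as the one for 128.100.160.1.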