From: Mick
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Ssh problem : half-solved
Date: Tue, 12 Mar 2019 10:49:23 +0000
Message-ID: <1957877.GUPDyC2qnI@dell_xps>
In-Reply-To: <20190312100207.GO1934@ca.inter.net>
References: <20190310072554.GD1945@ca.inter.net> <20190311221457.7c345226@digimed.co.uk> <20190312100207.GO1934@ca.inter.net>

Hi Philip,

On Tuesday, 12 March 2019 10:02:07 GMT Philip Webb wrote:
> 190311 Neil Bothwick wrote:
> > Do you have any other Host stanzas in the config?
>
> No : /etc/ssh/ssh_config has the following uncommented lines :
>
> # Send locale environment variables. #367017
> SendEnv LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC
> LC_TIME LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME
> LC_PAPER LC_TELEPHONE
> # Send COLORTERM to match TERM. #658540
> SendEnv COLORTERM
> # PP 190312
> Host 128.100.160.1
> KexAlgorithms +diffie-hellman-group1-sha1
> # Ciphers 3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr
>
> I tried adding the 'Ciphers' line, which is mentioned in the I/net page,
> but Ssh chokes, so I commented it again :

The ciphers do not come into play until the key exchange algos have been
agreed upon. In your case the handshake does not reach this far and therefore
you do not need (yet) to specify any additional ciphers. The server problem is
still with the KexAlgorithms.

> ~/.ssh/config has :
>
> Host 128.100.160.1
> KexAlgorithms +diffie-hellman-group1-sha1
>
> The latest output ('538' above) shows that it reads ~/.ssh/config ,
> but apparently doesn't find what it wants there
> & therefore goes on to /etc/ssh/ssh_config , on which it chokes.
> Without the 'Cipher' line in the latter, it carries on with the handshake,
> but eventually can't do the key exchange.
>
> I've just looked at the USE flags :
>
> root:528 ssh> eix net-misc/openssh
> Available versions: 7.5_p1-r4 7.7_p1-r9^t 7.9_p1-r4^t {X X509 audit
> bindist debug (+)hpn kerberos ldap ldns libedit libressl livecd pam +pie
> sctp selinux skey ssh1 +ssl static test ABI_MIPS="n32" KERNEL="linux"}
> Installed versions: 7.9_p1-r4^t([2019-03-09 22:25:11])(X ssl -X509 -audit
> -bindist -debug -hpn -kerberos -ldns -libedit -libressl -livecd -pam -pie
> -sctp -selinux -static -test ABI_MIPS="-n32" KERNEL="linux")
>
> NB Eix shows a Use flag 'ssh1', which Euses describes as :
>
> net-misc/openssh:ssh1 - Support the legacy/weak SSH1 protocol

If you watch The Matrix, a 20 year old film, you will see why ssh version 1
should be disabled by default, or the machine on which it is enabled isolated
from the Internet.

> Can anyone offer further advice ? -- Thanks so far.

I suggest you remove all settings for Host 128.100.160.1 from the
/etc/ssh/ssh_config file and place them in your ~/.ssh/config file only. Then
run ssh:

ssh -v 128.100.160.1

and check for a line like this:

debug1: Reading configuration data /home/purslow/.ssh/config
debug1: /home/purslow/.ssh/config line xx: Applying options for 128.100.160.1
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 128.100.160.1 ... blah-blah

This will show you if ~/.ssh/config is being sourced, if the lines you have
specified for Host 128.100.160.1 therein are being parsed by ssh and if the
connection is attempted. The line which should come next is:

debug1: Connection established.

which will be followed with algos and ciphers exchange.

HTH.
-- 
Regards,
Mick
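The check described in the message above, automated as an added example (not part of the original e-mail): a shell function that reads `ssh -v` output and reports how far the client got and which file supplied the stanza for the host. The function name, the stage labels and both sample logs are constructed for this illustration.

```shell
# Usage: ssh -v HOST 2>&1 | ssh_stage HOST
# Prints the furthest stage reached and the file that supplied "Host HOST".
# Stage names are labels made up for this example.
ssh_stage() {
    awk -v host="$1" '
        /^debug1: Reading configuration data .*\/\.ssh\/config$/ { user_cfg = 1 }
        # ssh prints the pattern of the matching stanza (for example "*"),
        # so only an exact "Host HOST" stanza is counted here.
        /^debug1: .* line [0-9]+: Applying options for / && $NF == host {
            if ($2 ~ /\/\.ssh\/config$/) from_user = 1; else from_system = 1
        }
        /^debug1: Connecting to /               { stage = "connecting" }
        /^debug1: Connection established/       { stage = "connected" }
        /no matching key exchange method found/ { stage = "kex-failed" }
        /^debug1: kex: algorithm: /             { stage = "kex-agreed" }
        END {
            if (stage == "") stage = user_cfg ? "config-read" : "no-user-config"
            src = "none"
            if (from_user && from_system) src = "both"
            else if (from_user) src = "user"
            else if (from_system) src = "system"
            printf "stage=%s host_options=%s\n", stage, src
        }'
}

# Constructed sample: only a "Host *" stanza matched, no KexAlgorithms override.
sample_no_stanza() {
    cat <<'EOF'
debug1: Reading configuration data /home/purslow/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 128.100.160.1 [128.100.160.1] port 22.
debug1: Connection established.
Unable to negotiate with 128.100.160.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
EOF
}

# Constructed sample: the per-user stanza applied; the cipher line follows kex.
sample_user_stanza() {
    cat <<'EOF'
debug1: Reading configuration data /home/purslow/.ssh/config
debug1: /home/purslow/.ssh/config line 1: Applying options for 128.100.160.1
debug1: Connecting to 128.100.160.1 [128.100.160.1] port 22.
debug1: Connection established.
debug1: kex: algorithm: diffie-hellman-group1-sha1
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none
EOF
}
```

`ssh -v` writes its debug lines to stderr, hence the `2>&1` in the usage line.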