Topic: Dejawin/ICE does not work with OpenSSH 6.9 or higher. PuTTY version too old

jaredh

This is a SLES 12 SP4 server running OpenSSH_7.2p2, OpenSSL 1.0.2p-fips  14 Aug 2018

Initially, it would not do anything except close. That led me to the KexAlgorithms changes listed in the forum here. Changing those and restarting gets sshd to talk to the client and offer up a password prompt.

Once user/passwd are entered, it goes through as expected doing PAM auth but the window simply goes away when the sshd server starts to initialize the TTY.  Here is an example logfile:

Feb 19 11:07:18 uatappx2 sshd[39680]: debug1: Client protocol version 2.0; client software version PuTTY-Local: Apr  4 2011 16:23:55
Feb 19 11:07:18 uatappx2 sshd[39680]: debug1: no match: PuTTY-Local: Apr  4 2011 16:23:55
Feb 19 11:07:18 uatappx2 sshd[39680]: debug1: Enabling compatibility mode for protocol 2.0
Feb 19 11:07:18 uatappx2 sshd[39680]: debug1: Local version string SSH-2.0-OpenSSH_7.2
Feb 19 11:07:18 uatappx2 sshd[39680]: debug1: permanently_set_uid: 71/65 [preauth]
Feb 19 11:07:18 uatappx2 sshd[39680]: debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Feb 19 11:07:18 uatappx2 sshd[39680]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Feb 19 11:07:18 uatappx2 sshd[39680]: debug1: SSH2_MSG_KEXINIT received [preauth]
Feb 19 11:07:18 uatappx2 sshd[39680]: debug1: kex: algorithm: diffie-hellman-group1-sha1 [preauth]
Feb 19 11:07:18 uatappx2 sshd[39680]: debug1: kex: host key algorithm: ssh-rsa [preauth]
Feb 19 11:07:18 uatappx2 sshd[39680]: debug1: kex: client->server cipher: aes256-cbc MAC: hmac-sha1 compression: none [preauth]
Feb 19 11:07:18 uatappx2 sshd[39680]: debug1: kex: server->client cipher: aes256-cbc MAC: hmac-sha1 compression: none [preauth]
Feb 19 11:07:18 uatappx2 sshd[39680]: debug1: kex: diffie-hellman-group1-sha1 need=32 dh_need=32 [preauth]
Feb 19 11:07:18 uatappx2 sshd[39680]: debug1: kex: diffie-hellman-group1-sha1 need=32 dh_need=32 [preauth]
Feb 19 11:07:18 uatappx2 sshd[39680]: debug1: expecting SSH2_MSG_KEXDH_INIT [preauth]
Feb 19 11:07:19 uatappx2 sshd[39680]: debug1: rekey after 4294967296 blocks [preauth]
Feb 19 11:07:19 uatappx2 sshd[39680]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
Feb 19 11:07:19 uatappx2 sshd[39680]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Feb 19 11:07:19 uatappx2 sshd[39680]: debug1: SSH2_MSG_NEWKEYS received [preauth]
Feb 19 11:07:19 uatappx2 sshd[39680]: debug1: rekey after 4294967296 blocks [preauth]
Feb 19 11:07:19 uatappx2 sshd[39680]: debug1: KEX done [preauth]
Feb 19 11:07:24 uatappx2 sshd[39680]: debug1: userauth-request for user lsmith service ssh-connection method none [preauth]
Feb 19 11:07:24 uatappx2 sshd[39680]: debug1: attempt 0 failures 0 [preauth]
Feb 19 11:07:24 uatappx2 sshd[39680]: debug1: PAM: initializing for "lsmith"
Feb 19 11:07:24 uatappx2 sshd[39680]: debug1: PAM: setting PAM_RHOST to "192.168.33.18"
Feb 19 11:07:24 uatappx2 sshd[39680]: debug1: PAM: setting PAM_TTY to "ssh"
Feb 19 11:07:24 uatappx2 sshd[39680]: debug1: userauth-request for user lsmith service ssh-connection method keyboard-interactive [preauth]
Feb 19 11:07:24 uatappx2 sshd[39680]: debug1: attempt 1 failures 0 [preauth]
Feb 19 11:07:24 uatappx2 sshd[39680]: debug1: keyboard-interactive devs  [preauth]
Feb 19 11:07:24 uatappx2 sshd[39680]: debug1: auth2_challenge: user=lsmith devs= [preauth]
Feb 19 11:07:24 uatappx2 sshd[39680]: debug1: kbdint_alloc: devices 'pam' [preauth]
Feb 19 11:07:24 uatappx2 sshd[39680]: debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]
Feb 19 11:07:24 uatappx2 sshd[39680]: Postponed keyboard-interactive for lsmith from 192.168.33.18 port 51352 ssh2 [preauth]
Feb 19 11:07:24 uatappx2 sshd[39683]: debug1: do_pam_account: called
Feb 19 11:07:24 uatappx2 sshd[39680]: debug1: PAM: num PAM env strings 0
Feb 19 11:07:24 uatappx2 sshd[39680]: Postponed keyboard-interactive/pam for lsmith from 192.168.33.18 port 51352 ssh2 [preauth]
Feb 19 11:07:24 uatappx2 sshd[39680]: debug1: do_pam_account: called
Feb 19 11:07:24 uatappx2 sshd[39680]: Accepted keyboard-interactive/pam for lsmith from 192.168.33.18 port 51352 ssh2
Feb 19 11:07:24 uatappx2 sshd[39680]: debug1: monitor_child_preauth: lsmith has been authenticated by privileged process
Feb 19 11:07:24 uatappx2 sshd[39680]: debug1: monitor_read_log: child log fd closed
Feb 19 11:07:24 uatappx2 sshd[39680]: debug1: PAM: establishing credentials
Feb 19 11:07:24 uatappx2 systemd[1]: Created slice User Slice of lsmith.
Feb 19 11:07:24 uatappx2 systemd[1]: Starting User Manager for UID 2017...
Feb 19 11:07:24 uatappx2 systemd-logind[1498]: New session 227 of user lsmith.
Feb 19 11:07:24 uatappx2 systemd[1]: Started Session 227 of user lsmith.
Feb 19 11:07:24 uatappx2 systemd[39684]: Reached target Paths.
Feb 19 11:07:24 uatappx2 systemd[39684]: Reached target Sockets.
Feb 19 11:07:24 uatappx2 systemd[39684]: Reached target Timers.
Feb 19 11:07:24 uatappx2 systemd[39684]: Reached target Basic System.
Feb 19 11:07:24 uatappx2 systemd[39684]: Reached target Default.
Feb 19 11:07:24 uatappx2 systemd[39684]: Startup finished in 27ms.
Feb 19 11:07:24 uatappx2 systemd[1]: Started User Manager for UID 2017.
Feb 19 11:07:24 uatappx2 sshd[39680]: User child is on pid 39688
Feb 19 11:07:24 uatappx2 sshd[39688]: debug1: SELinux support disabled
Feb 19 11:07:24 uatappx2 sshd[39688]: debug1: PAM: establishing credentials
Feb 19 11:07:24 uatappx2 sshd[39688]: debug1: permanently_set_uid: 2017/100
Feb 19 11:07:24 uatappx2 sshd[39688]: debug1: rekey after 4294967296 blocks
Feb 19 11:07:24 uatappx2 sshd[39688]: debug1: rekey after 4294967296 blocks
Feb 19 11:07:24 uatappx2 sshd[39688]: debug1: ssh_packet_set_postauth: called
Feb 19 11:07:24 uatappx2 sshd[39688]: debug1: Entering interactive session for SSH2.
Feb 19 11:07:24 uatappx2 sshd[39688]: debug1: server_init_dispatch_20
Feb 19 11:07:24 uatappx2 sshd[39688]: debug1: server_input_channel_open: ctype session rchan 256 win 16384 max 16384
Feb 19 11:07:24 uatappx2 sshd[39688]: debug1: input_session_request
Feb 19 11:07:24 uatappx2 sshd[39688]: debug1: channel 0: new [server-session]
Feb 19 11:07:24 uatappx2 sshd[39688]: debug1: session_new: session 0
Feb 19 11:07:24 uatappx2 sshd[39688]: debug1: session_open: channel 0
Feb 19 11:07:24 uatappx2 sshd[39688]: debug1: session_open: session 0: link with channel 0
Feb 19 11:07:24 uatappx2 sshd[39688]: debug1: server_input_channel_open: confirm session
Feb 19 11:07:24 uatappx2 sshd[39688]: Connection closed by 192.168.33.18
Feb 19 11:07:24 uatappx2 sshd[39688]: debug1: channel 0: free: server-session, nchannels 1

These connections worked on this server before doing an in-place upgrade to the new version, so the issue is definitely with the config of the sshd server vs what dejawin/putty is negotiating.

I have several other terminal software packages that do connect correctly.

Any thoughts?

« Last Edit: February 20, 2019, 10:12:48 am by jaredh »

jaredh

Re: Not able to connect to newer sshd servers
« Reply #1 on: February 19, 2019, 03:10:14 pm »

I know what the issue is:

From the 6.9 OpenSSH patch notes:

 * ssh(1), sshd(8): deprecate legacy SSH2_MSG_KEX_DH_GEX_REQUEST_OLD
   message and do not try to use it against some 3rd-party SSH
   implementations that use it (older PuTTY, WinSCP).

Dejawin is using a PuTTY version that sends this message to the host.  Here is a log from a server that works:

Feb 19 14:58:13 uatinf2 sshd[5808]: Connection from 192.168.33.18 port 54527 on 192.168.7.15 port 22
Feb 19 14:58:13 uatinf2 sshd[5808]: debug1: Client protocol version 2.0; client software version PuTTY-Local: Apr  4 2011 16:23:55
Feb 19 14:58:13 uatinf2 sshd[5808]: debug1: no match: PuTTY-Local: Apr  4 2011 16:23:55
Feb 19 14:58:13 uatinf2 sshd[5808]: debug1: Enabling compatibility mode for protocol 2.0
Feb 19 14:58:13 uatinf2 sshd[5808]: debug1: Local version string SSH-2.0-OpenSSH_6.6.1
Feb 19 14:58:13 uatinf2 sshd[5808]: debug1: permanently_set_uid: 71/65 [preauth]
Feb 19 14:58:13 uatinf2 sshd[5808]: debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Feb 19 14:58:13 uatinf2 sshd[5808]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Feb 19 14:58:13 uatinf2 sshd[5808]: debug1: SSH2_MSG_KEXINIT received [preauth]
Feb 19 14:58:13 uatinf2 sshd[5808]: debug1: kex: client->server aes256-cbc hmac-sha1 none [preauth]
Feb 19 14:58:13 uatinf2 sshd[5808]: debug1: kex: server->client aes256-cbc hmac-sha1 none [preauth]
Feb 19 14:58:13 uatinf2 sshd[5808]: debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received [preauth]
Feb 19 14:58:13 uatinf2 sshd[5808]: debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent [preauth]
Feb 19 14:58:13 uatinf2 sshd[5808]: debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT [preauth]
Feb 19 14:58:13 uatinf2 sshd[5808]: debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent [preauth]
Feb 19 14:58:13 uatinf2 sshd[5808]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
Feb 19 14:58:13 uatinf2 sshd[5808]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Feb 19 14:58:13 uatinf2 sshd[5808]: debug1: SSH2_MSG_NEWKEYS received [preauth]
Feb 19 14:58:13 uatinf2 sshd[5808]: debug1: KEX done [preauth]
Feb 19 14:58:18 uatinf2 sshd[5808]: debug1: userauth-request for user jheath service ssh-connection method none [preauth]
Feb 19 14:58:18 uatinf2 sshd[5808]: debug1: attempt 0 failures 0 [preauth]

I suspect they are ignoring this message from the client and the negotiation is busted at that point but the connection doesn't die until it tries to tie to a TTY.



jaredh

Re: Not able to connect to newer sshd servers
« Reply #2 on: February 19, 2019, 03:26:06 pm »

See this link:

https://www.ssh.com/ssh/putty/putty-manuals/0.68/Chapter4.html

Section 4.27.13 ‘ONLY SUPPORTS PRE-RFC4419 SSH-2 DH GEX’


Bob

Thanks.
This is what I use in my sshd_config file on Debian Linux:

KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
Ciphers 3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr
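Added example (not code from this forum or from ICE/Dejawin): a Python audit of sshd DEBUG1 output that flags sessions negotiating the legacy settings visible in the logs in this thread, namely diffie-hellman-group1-sha1, CBC ciphers and the pre-RFC4419 SSH2_MSG_KEX_DH_GEX_REQUEST_OLD message, so you can see which clients still depend on a KexAlgorithms/Ciphers line like the one above. The weak-algorithm policy, the function names and the `examplehost` lines are assumptions of this example.

```python
import re
from collections import defaultdict

# Policy below is this example's assumption; align it with your own baseline.
WEAK_KEX = {"diffie-hellman-group1-sha1"}
def weak_cipher(name):
    return name.endswith("-cbc") or name.startswith("arcfour")

LINE = re.compile(r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?:debug1: )?(?P<msg>.*)$")
CLIENT = re.compile(r"client software version (.+)$")
KEX = re.compile(r"kex: algorithm: (\S+)")
# Covers both log shapes in the thread: "client->server aes256-cbc" and "client->server cipher: aes256-cbc".
CIPHER = re.compile(r"kex: client->server (?:cipher: )?(\S+)")
GEX_OLD = "SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received"

def audit(lines):
    """Group sshd lines by (host, pid); return only sessions with legacy findings."""
    sessions = defaultdict(lambda: {"client": None, "findings": set()})
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        s, msg = sessions[(m["host"], m["pid"])], m["msg"]
        if c := CLIENT.search(msg):
            s["client"] = c[1].strip()
        elif (k := KEX.search(msg)) and k[1] in WEAK_KEX:
            s["findings"].add(f"kex={k[1]}")
        elif (c := CIPHER.search(msg)) and weak_cipher(c[1]):
            s["findings"].add(f"cipher={c[1]}")
        elif GEX_OLD in msg:
            s["findings"].add("pre-RFC4419 DH GEX request")
    return {key: {"client": s["client"], "findings": sorted(s["findings"])}
            for key, s in sessions.items() if s["findings"]}

# First six lines are copied from the thread's logs; the "examplehost" lines are constructed.
SAMPLE = """\
Feb 19 11:07:18 uatappx2 sshd[39680]: debug1: Client protocol version 2.0; client software version PuTTY-Local: Apr  4 2011 16:23:55
Feb 19 11:07:18 uatappx2 sshd[39680]: debug1: kex: algorithm: diffie-hellman-group1-sha1 [preauth]
Feb 19 11:07:18 uatappx2 sshd[39680]: debug1: kex: client->server cipher: aes256-cbc MAC: hmac-sha1 compression: none [preauth]
Feb 19 14:58:13 uatinf2 sshd[5808]: debug1: Client protocol version 2.0; client software version PuTTY-Local: Apr  4 2011 16:23:55
Feb 19 14:58:13 uatinf2 sshd[5808]: debug1: kex: client->server aes256-cbc hmac-sha1 none [preauth]
Feb 19 14:58:13 uatinf2 sshd[5808]: debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received [preauth]
Feb 19 15:00:00 examplehost sshd[7001]: debug1: kex: algorithm: curve25519-sha256@libssh.org [preauth]
Feb 19 15:00:00 examplehost sshd[7001]: debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha2-256 compression: none [preauth]
""".splitlines()

if __name__ == "__main__":
    for (host, pid), s in audit(SAMPLE).items():
        print(host, pid, s["client"], s["findings"])
```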
 
