Results 1 to 3 of 3

Thread: Cannot login via SSH after last upgrade

  1. #1

    Default Cannot login via SSH after last upgrade

    Hi,

    a few days ago I installed a huge bunch of updates for Tumbleweed and I think there was also an update for OpenSSH among the packages. After the update I cannot login via ssh from most machines (linux clients and windows clients using Putty for example). The only host that works is my Gentoo Box. I did some debug traces.

    Linux client (SLES 11 SP3) that cannot login:

    Code:
    OpenSSH_6.2p2, OpenSSL 0.9.8j-fips 07 Jan 2009
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 20: Applying options for *
    debug2: ssh_connect: needpriv 0
    debug1: Connecting to 10.1.11.34 [10.1.11.34] port 1234.
    debug1: Connection established.
    debug1: permanently_set_uid: 0/0
    debug1: identity file /root/.ssh/id_rsa type -1
    debug1: identity file /root/.ssh/id_rsa-cert type -1
    debug1: identity file /root/.ssh/id_dsa type -1
    debug1: identity file /root/.ssh/id_dsa-cert type -1
    debug1: identity file /root/.ssh/id_ecdsa type -1
    debug1: identity file /root/.ssh/id_ecdsa-cert type -1
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_6.2
    debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
    debug1: match: OpenSSH_6.6.1 pat OpenSSH*
    debug2: fd 3 setting O_NONBLOCK
    debug3: put_host_port: [10.1.11.34]:1234
    debug3: load_hostkeys: loading entries for host "[10.1.11.34]:1234" from file "/root/.ssh/known_hosts"
    debug3: load_hostkeys: loaded 0 keys
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
    debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,zlib@openssh.com
    debug2: kex_parse_kexinit: none,zlib@openssh.com
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: mac_setup: found hmac-md5-etm@openssh.com
    debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
    debug2: mac_setup: found hmac-md5-etm@openssh.com
    debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
    debug1: sending SSH2_MSG_KEX_ECDH_INIT
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    Read from socket failed: Connection reset by peer
    Heres the trace from the Tumbleweed server with debug output (I started the server with: /usr/sbin/sshd -p 1234 -ddd)

    Code:
    debug2: load_server_config: filename /etc/ssh/sshd_config
    debug2: load_server_config: done config len = 489
    debug2: parse_server_config: config /etc/ssh/sshd_config len 489
    debug3: /etc/ssh/sshd_config:56 setting AuthorizedKeysFile .ssh/authorized_keys
    debug3: /etc/ssh/sshd_config:74 setting PasswordAuthentication yes
    debug3: /etc/ssh/sshd_config:108 setting UsePAM yes
    debug3: /etc/ssh/sshd_config:113 setting X11Forwarding yes
    debug3: /etc/ssh/sshd_config:121 setting UsePrivilegeSeparation sandbox
    debug3: /etc/ssh/sshd_config:137 setting Subsystem sftp /usr/lib/ssh/sftp-server
    debug3: /etc/ssh/sshd_config:140 setting AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    debug3: /etc/ssh/sshd_config:141 setting AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    debug3: /etc/ssh/sshd_config:142 setting AcceptEnv LC_IDENTIFICATION LC_ALL
    debug1: sshd version OpenSSH_6.6.1, OpenSSL 1.0.2g-fips  1 Mar 2016
    debug3: Incorrect RSA1 identifier
    debug1: key_parse_private2: missing begin marker
    debug1: read PEM private key done: type RSA
    debug3: Incorrect RSA1 identifier
    debug3: Could not load "/etc/ssh/ssh_host_rsa_key" as a RSA1 public key
    debug1: private host key: #0 type 1 RSA
    debug3: Incorrect RSA1 identifier
    debug1: key_parse_private2: missing begin marker
    debug1: read PEM private key done: type DSA
    debug3: Incorrect RSA1 identifier
    debug3: Could not load "/etc/ssh/ssh_host_dsa_key" as a RSA1 public key
    debug1: private host key: #1 type 2 DSA
    debug3: Incorrect RSA1 identifier
    debug1: key_parse_private2: missing begin marker
    debug1: read PEM private key done: type ECDSA
    debug3: Incorrect RSA1 identifier
    debug3: Could not load "/etc/ssh/ssh_host_ecdsa_key" as a RSA1 public key
    debug1: private host key: #2 type 3 ECDSA
    debug3: Incorrect RSA1 identifier
    debug3: Incorrect RSA1 identifier
    debug3: Could not load "/etc/ssh/ssh_host_ed25519_key" as a RSA1 public key
    debug1: private host key: #3 type 4 ED25519
    debug1: rexec_argv[0]='/usr/sbin/sshd'
    debug1: rexec_argv[1]='-p'
    debug1: rexec_argv[2]='1234'
    debug1: rexec_argv[3]='-ddd'
    debug3: oom_adjust_setup
    Set /proc/self/oom_score_adj from 0 to -1000
    debug2: fd 3 setting O_NONBLOCK
    debug1: Bind to port 1234 on 0.0.0.0.
    Server listening on 0.0.0.0 port 1234.
    debug2: fd 4 setting O_NONBLOCK
    debug3: sock_set_v6only: set socket 4 IPV6_V6ONLY
    debug1: Bind to port 1234 on ::.
    Server listening on :: port 1234.
    debug3: fd 5 is not O_NONBLOCK
    debug1: Server will not fork when running in debugging mode.
    debug3: send_rexec_state: entering fd = 8 config len 489
    debug3: ssh_msg_send: type 0
    debug3: send_rexec_state: done
    debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
    debug1: inetd sockets after dupping: 3, 3
    Connection from 10.1.11.19 port 43260 on 10.1.11.34 port 1234
    debug1: Client protocol version 2.0; client software version OpenSSH_6.2
    debug1: match: OpenSSH_6.2 pat OpenSSH* compat 0x04000000
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_6.6.1
    debug2: fd 3 setting O_NONBLOCK
    debug3: ssh_sandbox_init: preparing seccomp filter sandbox
    debug2: Network child is on pid 4071
    debug3: preauth child monitor started
    debug3: privsep user:group 498:498 [preauth]
    debug1: permanently_set_uid: 498/498 [preauth]
    debug3: ssh_sandbox_child: setting PR_SET_NO_NEW_PRIVS [preauth]
    debug3: ssh_sandbox_child: attaching seccomp filter program [preauth]
    debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
    debug1: SSH2_MSG_KEXINIT sent [preauth]
    debug1: SSH2_MSG_KEXINIT received [preauth]
    debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hel [preauth]
    debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbel-cbc@lysator.liu.se [preauth]
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbel-cbc@lysator.liu.se [preauth]
    debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-ssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
    debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-ssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
    debug2: kex_parse_kexinit: none,zlib@openssh.com [preauth]
    debug2: kex_parse_kexinit: none,zlib@openssh.com [preauth]
    debug2: kex_parse_kexinit:  [preauth]
    debug2: kex_parse_kexinit:  [preauth]
    debug2: kex_parse_kexinit: first_kex_follows 0  [preauth]
    debug2: kex_parse_kexinit: reserved 0  [preauth]
    debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
    debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v0h-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator]
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator]
    debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-ssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
    debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-ssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
    debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib [preauth]
    debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib [preauth]
    debug2: kex_parse_kexinit:  [preauth]
    debug2: kex_parse_kexinit:  [preauth]
    debug2: kex_parse_kexinit: first_kex_follows 0  [preauth]
    debug2: kex_parse_kexinit: reserved 0  [preauth]
    debug2: mac_setup: setup hmac-md5-etm@openssh.com [preauth]
    debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none [preauth]
    debug3: mm_request_send entering: type 118 [preauth]
    debug3: mm_request_receive_expect entering: type 119 [preauth]
    debug3: mm_request_receive entering [preauth]
    debug3: mm_request_receive entering
    debug3: monitor_read: checking request 118
    debug3: mm_request_send entering: type 119
    debug2: mac_setup: setup hmac-md5-etm@openssh.com [preauth]
    debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none [preauth]
    debug3: mm_request_send entering: type 118 [preauth]
    debug3: mm_request_receive_expect entering: type 119 [preauth]
    debug3: mm_request_receive entering [preauth]
    debug3: mm_request_receive entering
    debug3: monitor_read: checking request 118
    debug3: mm_request_send entering: type 119
    debug1: monitor_read_log: child log fd closed
    debug3: mm_request_receive entering
    debug1: do_cleanup
    debug3: PAM: sshpam_thread_cleanup entering
    debug1: Killing privsep child 4071

    The problem seems to be the key exchange but I don't really see what the problem is.

    Best regards

  2. #2
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    12,874
    Blog Entries
    3

    Default Re: Cannot login via SSH after last upgrade

    This appears to have been reported as bug 977812. The bug report suggests a workaround.
    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha

  3. #3

    Default Re: Cannot login via SSH after last upgrade

    Thanks. The workaround in the bug report did the trick!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •