Debian Stretch 9.6: openssh-server and old dropbear client don't work together
o***@gmail.com
2018-11-22 18:55:35 UTC
Hi, I have compatibility issues with the latest version of
openssh-server and an old dropbear client; the dropbear client stops at
preauth:

Nov 22 14:34:03 myhostname sshd[3905]: debug1: Client protocol version 2.0; client software version dropbear_0.46
Nov 22 14:34:03 myhostname sshd[3905]: debug1: no match: dropbear_0.46
Nov 22 14:34:03 myhostname sshd[3905]: debug1: Local version string SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u4
Nov 22 14:34:03 myhostname sshd[3905]: debug1: Enabling compatibility mode for protocol 2.0
Nov 22 14:34:03 myhostname sshd[3905]: debug2: fd 3 setting O_NONBLOCK
Nov 22 14:34:03 myhostname sshd[3905]: debug2: Network child is on pid 3906
Nov 22 14:34:03 myhostname sshd[3905]: debug3: preauth child monitor started
Nov 22 14:34:03 myhostname sshd[3905]: debug3: privsep user:group 106:65534 [preauth]
Nov 22 14:34:03 myhostname sshd[3905]: debug1: permanently_set_uid: 106/65534 [preauth]
Nov 22 14:34:03 myhostname sshd[3905]: debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256 [preauth]
Nov 22 14:34:03 myhostname sshd[3905]: debug3: send packet: type 20 [preauth]
Nov 22 14:34:03 myhostname sshd[3905]: debug1: SSH2_MSG_KEXINIT sent [preauth]

Can you help?

Thanks
Stuart Henderson
2018-11-22 20:24:00 UTC
That ~13-year-old version of dbclient only has weak key exchange methods -
diffie-hellman-group1-sha1, "OpenSSH supports this method, but does not
enable it by default because is weak and within theoretical range of the
so-called Logjam attack" and diffie-hellman-group1-dss, disabled by default
in OpenSSH in 2015.

Also only weak CBC-mode ciphers, disabled by default in 2014.

The right answer is to run a newer client.

If there's no way to do that, least worst is probably to connect to
a jump host on the LAN (locked-down as much as possible), running
modern OpenSSH sshd but with weak kex/ciphers enabled, in this
case you could use something like

KexAlgorithms +diffie-hellman-group1-sha1
Ciphers +aes128-cbc

This is still not recommended, but at least you could keep the weak
crypto off the internet this way.
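To make the failure concrete, here is an added Python example (not from the thread, OpenSSH or dropbear) that serializes and parses SSH_MSG_KEXINIT, the "type 20" packet the log stops at, applies the RFC 4253 algorithm choice, and models the "+" list semantics of the two sshd_config lines above. The algorithm lists are constructed samples; the OpenSSH 7.4 defaults are abbreviated and assumed, and the server-to-client lists are left empty for brevity.

```python
import struct
SSH_MSG_KEXINIT = 20
# Name-list fields of SSH_MSG_KEXINIT, in wire order after the 16-byte cookie (RFC 4253, 7.1).
FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
CHECKED = ["kex", "hostkey", "enc_c2s", "mac_c2s"]  # the fields negotiate() looks at

# Constructed sample lists, not from the thread; s2c lists left empty for brevity. OPENSSH_74
# is an abbreviated stand-in for the 7.4 defaults; dropbear_0.46 has only group1-sha1 and CBC.
DROPBEAR_046 = {"kex": ["diffie-hellman-group1-sha1"], "hostkey": ["ssh-rsa"],
                "enc_c2s": ["aes128-cbc", "3des-cbc"], "mac_c2s": ["hmac-sha1"]}
OPENSSH_74 = {"kex": ["curve25519-sha256", "ecdh-sha2-nistp256", "diffie-hellman-group14-sha1"],
              "hostkey": ["ssh-rsa", "ecdsa-sha2-nistp256"],
              "enc_c2s": ["chacha20-poly1305@openssh.com", "aes128-ctr"],
              "mac_c2s": ["hmac-sha2-256", "hmac-sha1"]}

def build_kexinit(algs, cookie=b"\x00" * 16):
    """Serialize a KEXINIT payload; cookie is fixed here, real peers send 16 random bytes."""
    body = b""
    for f in FIELDS:  # each name-list is a uint32 length followed by comma-joined names
        data = ",".join(algs.get(f, [])).encode("ascii")
        body += struct.pack(">I", len(data)) + data
    return bytes([SSH_MSG_KEXINIT]) + cookie + body + b"\x00" * 5  # follows=0, reserved=0

def parse_kexinit(payload):
    """Inverse of build_kexinit: the ten name-lists as a dict of lists."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, parsed = 17, {}
    for f in FIELDS:
        (n,) = struct.unpack_from(">I", payload, pos)
        raw = payload[pos + 4:pos + 4 + n].decode("ascii")
        parsed[f] = raw.split(",") if raw else []
        pos += 4 + n
    return parsed

def negotiate(client, server):
    """RFC 4253 7.1: per field, the first client algorithm the server also lists (None: no match)."""
    return {f: next((a for a in client[f] if a in server.get(f, [])), None) for f in CHECKED}

def apply_option(current, value):
    """sshd_config list semantics: '+x' appends to the defaults, '-x' removes, bare list replaces."""
    items = value.lstrip("+-").split(",")
    if value.startswith("+"):
        return current + [a for a in items if a not in current]
    return [a for a in current if a not in items] if value.startswith("-") else items

def with_legacy(server):  # the two sshd_config lines from the reply, applied to a default set
    return {**server, "kex": apply_option(server["kex"], "+diffie-hellman-group1-sha1"),
            "enc_c2s": apply_option(server["enc_c2s"], "+aes128-cbc")}
```

With the default server set, negotiate() returns None for "kex" and "enc_c2s", which is exactly the point at which the session above dies; with with_legacy() applied both fields resolve while the modern algorithms stay in place ahead of the appended weak ones.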
o***@gmail.com
2018-11-23 11:23:46 UTC
Thanks Stuart

I have tried to use the right KexAlgorithms and Ciphers, but the dropbear
client always fails:

myhostname sshd[3905]: debug1: SSH2_MSG_KEXINIT sent [preauth]

There are no other debug messages.

Only for test purposes I have added all the options I can in
/etc/sshd_config, but nothing; what am I doing wrong?

Ciphers 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,arcfour128,arcfour256,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-***@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr,aes128-***@openssh.com,aes256-***@openssh.com,chacha20-***@openssh.com
HostbasedAcceptedKeyTypes ssh-ed25519,ssh-ed25519-cert-***@openssh.com,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa-cert-***@openssh.com,ssh-dss-cert-***@openssh.com,ecdsa-sha2-nistp256-cert-***@openssh.com,ecdsa-sha2-nistp384-cert-***@openssh.com,ecdsa-sha2-nistp521-cert-***@openssh.com
HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-***@openssh.com,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa-cert-***@openssh.com,ssh-dss-cert-***@openssh.com,ecdsa-sha2-nistp256-cert-***@openssh.com,ecdsa-sha2-nistp384-cert-***@openssh.com,ecdsa-sha2-nistp521-cert-***@openssh.com
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,curve25519-sha256,curve25519-***@libssh.org
MACs hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-512,hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-***@openssh.com,umac-***@openssh.com,umac-***@openssh.com,hmac-sha1-***@openssh.com,hmac-sha1-96-***@openssh.com,hmac-sha2-256-***@openssh.com,hmac-sha2-512-***@openssh.com,hmac-md5-***@openssh.com,hmac-md5-96-***@openssh.com,hmac-ripemd160-***@openssh.com,umac-64-***@openssh.com,umac-128-***@openssh.com
PubkeyAcceptedKeyTypes ssh-ed25519,ssh-ed25519-cert-***@openssh.com,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa-cert-***@openssh.com,ssh-dss-cert-***@openssh.com,ecdsa-sha2-nistp256-cert-***@openssh.com,ecdsa-sha2-nistp384-cert-***@openssh.com,ecdsa-sha2-nistp521-cert-***@openssh.com
Stuart Henderson
2018-11-23 13:04:44 UTC
Not sure, but I *was* able to connect from dropbear 0.46 dbclient
with just the two lines I mentioned added to sshd_config (and config
reloaded of course).

When things didn't match up I did have error messages displayed by
the client, which are likely to be more useful than server-side messages
in this case.
o***@gmail.com
2018-11-23 16:03:38 UTC
I have installed Debian 8.11 with SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u7.
With this SSH version, and the 2 lines, the dropbear 0.46 client works.

Thanks