Debian Bug report logs - #343896
no longer works with HP iLO
Reported by: Wichert Akkerman <wichert@wiggy.net>
Date: Sun, 18 Dec 2005 16:33:01 UTC
Severity: important
Tags: wontfix
Found in versions openssh/1:4.2p1-5, openssh/1:5.1p1-3
Done: Matt Taggart <matt@lackof.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#343896; Package ssh.
Acknowledgement sent to Wichert Akkerman <wichert@wiggy.net>:
New Bug report received and forwarded. Copy sent to Matthew Vernon <matthew@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: ssh
Version: 1:4.2p1-5
Severity: important
Something changed very recently which broke ssh when dealing with HP iLO
interfaces. This is problematic since iLO is used to manage a fair
number of debian.org servers. This is the debugging output:
[typhoon;/local/instance]-24> ssh -v wagner-ilo
OpenSSH_4.2p1 Debian-5, OpenSSL 0.9.8a 11 Oct 2005
debug1: Reading configuration data /home/wichert/.ssh/config
debug1: Applying options for wagner-ilo
debug1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 217.196.43.133 [217.196.43.133] port 22.
debug1: Connection established.
debug1: identity file /home/wichert/.ssh/identity type -1
debug1: identity file /home/wichert/.ssh/id_rsa type -1
debug1: identity file /home/wichert/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version mpSSH_0.0.1
debug1: no match: mpSSH_0.0.1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.2p1 Debian-5
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Host '217.196.43.133' is known and matches the RSA host key.
debug1: Found key in /home/wichert/.ssh/known_hosts:296
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: password,publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/wichert/.ssh/id_dsa
debug1: Authentications that can continue: password,publickey
debug1: Trying private key: /home/wichert/.ssh/identity
debug1: Trying private key: /home/wichert/.ssh/id_rsa
debug1: Next authentication method: password
wichert@217.196.43.133's password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LC_COLLATE = C
debug1: Sending env LC_CTYPE = en_GB.UTF-8
dispatch_protocol_error: type 100 seq 8
dispatch_protocol_error: type 100 seq 9
buffer_get_ret: trying to get more bytes 4 than in buffer 0
buffer_get_int: buffer error
zsh: exit 255 ssh -v wagner-ilo
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-rc5
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Versions of packages ssh depends on:
ii openssh-client 1:4.2p1-5 Secure shell client, an rlogin/rsh
ii openssh-server 1:4.2p1-5 Secure shell server, an rshd repla
ssh recommends no packages.
-- debconf information:
* ssh/privsep_tell:
ssh/insecure_rshd:
ssh/privsep_ask: true
ssh/ssh2_keys_merged:
* ssh/user_environment_tell:
* ssh/forward_warning:
ssh/insecure_telnetd:
ssh/new_config: true
* ssh/use_old_init_script: true
* ssh/protocol2_only: true
ssh/encrypted_host_key_but_no_keygen:
* ssh/run_sshd: true
* ssh/SUID_client: true
ssh/disable_cr_auth: false
Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>.
Message #10 received at 343896@bugs.debian.org:
* Wichert Akkerman:
> debug1: Remote protocol version 2.0, remote software version mpSSH_0.0.1
> debug1: no match: mpSSH_0.0.1
Find out what (Open)SSH version this actually is, we can then add a
regexp to set the proper compatibility flags.
Acknowledgement sent to Wichert Akkerman <wichert@wiggy.net>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>.
Message #15 received at 343896@bugs.debian.org:
Previously Florian Weimer wrote:
> * Wichert Akkerman:
> > debug1: Remote protocol version 2.0, remote software version mpSSH_0.0.1
> > debug1: no match: mpSSH_0.0.1
>
> Find out what (Open)SSH version this actually is, we can then add a
> regexp to set the proper compatibility flags.
It's all in HP iLO firmware, I doubt we can figure that out.
Wichert.
--
Wichert Akkerman <wichert@wiggy.net> It is simple to make things.
http://www.wiggy.net/ It is hard to make things simple.
Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>.
Message #20 received at 343896@bugs.debian.org:
* Wichert Akkerman:
> Previously Florian Weimer wrote:
>> * Wichert Akkerman:
>> > debug1: Remote protocol version 2.0, remote software version mpSSH_0.0.1
>> > debug1: no match: mpSSH_0.0.1
>>
>> Find out what (Open)SSH version this actually is, we can then add a
>> regexp to set the proper compatibility flags.
>
> It's all in HP iLO firmware, I doubt we can figure that out.
But HP can, so we just need someone with proper contacts. If this
problem affects upstream as well, I'm sure they are quite eager to
help. 8-/
Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>.
Message #25 received at 343896@bugs.debian.org:
On Sun, Dec 18, 2005 at 08:48:35PM +0100, Florian Weimer wrote:
> * Wichert Akkerman:
> > debug1: Remote protocol version 2.0, remote software version mpSSH_0.0.1
> > debug1: no match: mpSSH_0.0.1
>
> Find out what (Open)SSH version this actually is, we can then add a
> regexp to set the proper compatibility flags.
I suspect that this will not be enough, although it would certainly be
useful on general principles.
The message on which we're getting dispatch_protocol_error is
SSH2_MSG_CHANNEL_FAILURE. We've discovered that disabling SendEnv is a
workaround. My initial reaction was that this meant that the OpenSSH
client is not prepared for the possibility of a server that does not
support the "env" channel request. However, on further investigation I
discovered that OpenSSH sets the "want reply" flag in that channel
request to false; mpSSH appears not to be honouring that flag the way
that http://www.ietf.org/internet-drafts/draft-ietf-secsh-connect-25.txt
(expired draft though it is) says it should. I don't see any
bug-compatibility handling for this case in OpenSSH at the moment.
For further head-scratching value, when I deliberately break an OpenSSH
server so that it doesn't understand the "env" channel request and fails
to honour the "want reply" flag, the client emits the
dispatch_protocol_error messages noted by Wichert but manages to connect
anyway; so something more is going on here.
Cheers,
--
Colin Watson [cjwatson@debian.org]
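The exchange described in the message above, as an added example that is not part of the original thread and is not OpenSSH or mpSSH code: it builds the "env" channel request with "want reply" false and shows how a peer that ignores the flag produces unsolicited type 100 messages. The server model and the `ReplyTracker` class are assumptions made for illustration.

```python
import struct

# Message numbers from the SSH connection protocol (RFC 4254).
SSH_MSG_CHANNEL_REQUEST = 98
SSH_MSG_CHANNEL_SUCCESS = 99
SSH_MSG_CHANNEL_FAILURE = 100   # the "type 100" in dispatch_protocol_error


def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def build_channel_request(channel, req_type, want_reply, body=b""):
    """byte 98 | uint32 recipient channel | string type | boolean want reply | body"""
    return (bytes([SSH_MSG_CHANNEL_REQUEST]) + struct.pack(">I", channel)
            + ssh_string(req_type.encode("ascii"))
            + bytes([1 if want_reply else 0]) + body)


def build_env_request(channel, name, value, want_reply=False):
    """The "env" request: body is the variable name and value as two strings."""
    body = ssh_string(name.encode()) + ssh_string(value.encode())
    return build_channel_request(channel, "env", want_reply, body)


def parse_channel_request(payload):
    """Return (recipient channel, request type, want_reply), checking lengths."""
    if len(payload) < 9 or payload[0] != SSH_MSG_CHANNEL_REQUEST:
        raise ValueError("not a channel request")
    channel, n = struct.unpack(">II", payload[1:9])
    if len(payload) < 9 + n + 1:
        raise ValueError("truncated channel request")
    return channel, payload[9:9 + n].decode("ascii"), payload[9 + n] != 0


def server_replies(payload, supported, honours_want_reply):
    """Constructed server model (an assumption, not mpSSH's real logic).

    A compliant server stays silent when want_reply is false. The
    non-compliant model answers every unsupported request with
    SSH_MSG_CHANNEL_FAILURE even when the flag is false.
    """
    channel, req_type, want_reply = parse_channel_request(payload)
    ok = req_type in supported
    if not want_reply and (honours_want_reply or ok):
        return []
    code = SSH_MSG_CHANNEL_SUCCESS if ok else SSH_MSG_CHANNEL_FAILURE
    return [bytes([code]) + struct.pack(">I", channel)]


class ReplyTracker:
    """Client-side bookkeeping: which replies were actually asked for."""

    def __init__(self):
        self.pending = 0        # requests sent with want_reply = true
        self.unsolicited = []   # reply types nobody was waiting for

    def sent(self, payload):
        if parse_channel_request(payload)[2]:
            self.pending += 1

    def received(self, msg):
        if msg[0] in (SSH_MSG_CHANNEL_SUCCESS, SSH_MSG_CHANNEL_FAILURE):
            if self.pending:
                self.pending -= 1
            else:
                self.unsolicited.append(msg[0])


def run_session(honours_want_reply):
    """Replay the request sequence from the -v log above (all want_reply false).

    The pty-req body is omitted here; only the request header matters.
    """
    tracker = ReplyTracker()
    requests = [
        build_channel_request(0, "pty-req", False),
        build_env_request(0, "LC_COLLATE", "C"),
        build_env_request(0, "LC_CTYPE", "en_GB.UTF-8"),
        build_channel_request(0, "shell", False),
    ]
    for req in requests:
        tracker.sent(req)
        for reply in server_replies(req, {"pty-req", "shell"}, honours_want_reply):
            tracker.received(reply)
    return tracker.unsolicited


if __name__ == "__main__":
    print("compliant server:     ", run_session(True))
    print("flag-ignoring server: ", run_session(False))
```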
Acknowledgement sent to Wichert Akkerman <wichert@wiggy.net>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>.
Message #30 received at 343896@bugs.debian.org:
On request from Colin here is the -vvv output:
wichert@217.196.43.133's password:
debug3: packet_send2: adding 64 (len 60 padlen 4 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Entering interactive session.
debug2: callback start
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 0
debug3: tty_make_modes: ospeed 38400
debug3: tty_make_modes: ispeed 38400
debug3: tty_make_modes: 1 3
debug3: tty_make_modes: 2 28
debug3: tty_make_modes: 3 127
debug3: tty_make_modes: 4 21
debug3: tty_make_modes: 5 4
debug3: tty_make_modes: 6 0
debug3: tty_make_modes: 7 0
debug3: tty_make_modes: 8 17
debug3: tty_make_modes: 9 19
debug3: tty_make_modes: 10 26
debug3: tty_make_modes: 12 18
debug3: tty_make_modes: 13 23
debug3: tty_make_modes: 14 22
debug3: tty_make_modes: 18 15
debug3: tty_make_modes: 30 0
debug3: tty_make_modes: 31 0
debug3: tty_make_modes: 32 0
debug3: tty_make_modes: 33 0
debug3: tty_make_modes: 34 0
debug3: tty_make_modes: 35 0
debug3: tty_make_modes: 36 1
debug3: tty_make_modes: 37 0
debug3: tty_make_modes: 38 1
debug3: tty_make_modes: 39 0
debug3: tty_make_modes: 40 0
debug3: tty_make_modes: 41 0
debug3: tty_make_modes: 50 1
debug3: tty_make_modes: 51 1
debug3: tty_make_modes: 52 0
debug3: tty_make_modes: 53 1
debug3: tty_make_modes: 54 1
debug3: tty_make_modes: 55 1
debug3: tty_make_modes: 56 0
debug3: tty_make_modes: 57 0
debug3: tty_make_modes: 58 0
debug3: tty_make_modes: 59 1
debug3: tty_make_modes: 60 1
debug3: tty_make_modes: 61 1
debug3: tty_make_modes: 62 0
debug3: tty_make_modes: 70 1
debug3: tty_make_modes: 71 0
debug3: tty_make_modes: 72 1
debug3: tty_make_modes: 73 0
debug3: tty_make_modes: 74 0
debug3: tty_make_modes: 75 0
debug3: tty_make_modes: 90 1
debug3: tty_make_modes: 91 1
debug3: tty_make_modes: 92 0
debug3: tty_make_modes: 93 0
debug1: Sending environment.
debug3: Ignored env SSH_AGENT_PID
debug3: Ignored env GPG_AGENT_INFO
debug3: Ignored env SHELL
debug3: Ignored env USER
debug3: Ignored env SSH_AUTH_SOCK
debug3: Ignored env PATH
debug3: Ignored env DESKTOP_SESSION
debug3: Ignored env _
debug3: Ignored env GDM_XSERVER_LOCATION
debug1: Sending env LC_COLLATE = C
debug2: channel 0: request env confirm 0
debug3: Ignored env PWD
debug3: Ignored env GDMSESSION
debug3: Ignored env SHLVL
debug3: Ignored env HOME
debug3: Ignored env LOGNAME
debug3: Ignored env DBUS_SESSION_BUS_ADDRESS
debug1: Sending env LC_CTYPE = en_GB.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env DISPLAY
debug3: Ignored env XAUTHORITY
debug3: Ignored env TERM
debug3: Ignored env WINDOWID
debug3: Ignored env XTERM_VERSION
debug3: Ignored env XTERM_SHELL
debug3: Ignored env OLDPWD
debug3: Ignored env MANOPT
debug3: Ignored env EDITOR
debug3: Ignored env VISUAL
debug3: Ignored env CVS_RSH
debug3: Ignored env RSYNC_RSH
debug3: Ignored env JAVA_HOME
debug3: Ignored env IRCNICK
debug3: Ignored env IRCNAME
debug3: Ignored env IRCUMODE
debug2: channel 0: request shell confirm 0
debug2: fd 3 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 65536 rmax 2048
dispatch_protocol_error: type 100 seq 8
dispatch_protocol_error: type 100 seq 9
buffer_get_ret: trying to get more bytes 4 than in buffer 0
buffer_get_int: buffer error
--
Wichert Akkerman <wichert@wiggy.net> It is simple to make things.
http://www.wiggy.net/ It is hard to make things simple.
Acknowledgement sent to Matt Taggart <taggart@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>.
Message #35 received at 343896@bugs.debian.org:
Here's a workaround for #343896:
------- Forwarded Message
From: DELETED
Dave
Sent: Thu 1/26/2006 7:51 AM
To: BALETED
Subject: RE: ssh error dispatch_protocol_error: type 100 seq 8 when
accessing iLO
We had a similar issue and oddly enough changing our ssh config file to
turn ForwardAgent off fixed it:
1) grep ForwardAgent ~/.ssh/iLO-config
ForwardAgent no
- -----Original Message-----
Subject: ssh error dispatch_protocol_error: type 100 seq 8 when
accessing iLO
Hello,
I've been having this error message for a while when trying to access
some iLO I/F using ssh from Debian (or Ubuntu) :
$ ssh Administrator@{iLO Address}
Administrator@{iLO Address}'s password:
dispatch_protocol_error: type 100 seq 8
buffer_get_ret: trying to get more bytes 4 than in buffer 0
buffer_get_int: buffer error
I tried to google the msg and found that the guys @Debian are having the
same problem
Bug#343896: no longer works with HP iLO :
http://lists.debian.org/debian-ssh/2005/12/msg00025.html
I don't get that problem when trying it from RHEL3 or AS2.1 (don't have
a RHEL4 handy to test). Anyone have an idea on a fix ? Should I wave at
the Debian guys on the list and offer to work on this ?
------- End of Forwarded Message
I don't know if/when it is/will be fixed in the iLO firmware. If you are
reading this and running the latest firmware for the iLO in your system,
please report the following,
1) your hardware model
2) your iLO firmware version
3) the version of ssh you are using
4) if you are seeing the problem or not
Hopefully we can determine when it is fixed and can tell people what they
need to do to fix it on their systems.
Thanks,
--
Matt Taggart
taggart@debian.org
Acknowledgement sent to Guillaume Tamboise <guillaume@patoche.org>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>.
Message #40 received at 343896@bugs.debian.org:
It seems that the HP iLO does not like two things:
- attempts to set remote environment variables
- forward agent
So: if SendEnv is commented out in /etc/ssh/ssh_config, and ForwardAgent
set to "no", then ssh to an iLO port works just fine.
Unfortunately, I have not found any way to "unset" SendEnv on a per host
basis. Perhaps the Debian default of setting SendEnv in
/etc/ssh/ssh_config should be revisited?
From the man page:
SendEnv
[...]
Note that environment passing is only supported for protocol 2, the
server must also support it, and the server must be configured to accept
these environment variables.
Regards,
Guillaume Tamboise
Acknowledgement sent to Siim Põder <windo@p6drad-teel.net>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>.
Message #45 received at 343896@bugs.debian.org:
Yo!
ILO Firmware:
version=A05
date=03/01/2006
The problem occurred like before, when I started agent forwarding to the
host connects failed from.
Another workaround seems to be adding -o "PreferredAuthentications
password" to the command line/host config.
Acknowledgement sent to Matt Taggart <taggart@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>.
Message #50 received at 343896@bugs.debian.org:
The bug in HP's integrated Lights Out 2 (iLO2) that was causing problems when
connecting with openssh has been fixed in the iLO2 firmware.
It was fixed in iLO2 firmware version 1.24 released on 27 Oct 2006.
As of 16 Apr 2007 (when I'm writing this) the latest version of iLO2
firmware is 1.29, released on 20 Mar 2007. Here is the URL
http://h18023.www1.hp.com/support/files/server/us/download/26771.html
and the changelog
http://h18023.www1.hp.com/support/files/server/us/revision/9270.html
The latest "Firmware Update CD" (version 7.70, 1 Feb 2007) contains version
1.26 of the iLO2 firmware, which is new enough to fix the openssh problem, but
not the latest version. Here's the URL
http://h18023.www1.hp.com/support/files/server/us/download/26620.html
and the changelog
http://h18023.www1.hp.com/support/files/server/us/revision/9014.html
The Firmware Update CD is a pretty convenient way to upgrade all the firmwares
on the system at once (but requires console access). I expect future versions
of the Firmware Update CD will probably include the latest iLO2 update, but
depending on your equipment and usage, maybe this version that fixes the
openssh bug is enough and convenient.
--
Matt Taggart
taggart@debian.org
Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>.
Message #55 received at 343896@bugs.debian.org:
On Mon, Apr 16, 2007 at 06:23:22PM -0700, Matt Taggart wrote:
> The bug in HP's integrated Lights Out 2 (iLO2) that was causing problems when
> connecting with openssh has been fixed in the iLO2 firmware.
This is good to hear. Thanks.
I just got James Troup to test this, and found that it advertises:
debug1: Remote protocol version 2.0, remote software version mpSSH_0.0.1
In other words, *exactly the same version string* as the broken version.
What possessed HP to fix this bug but not change the version, so that it
is now impossible for OpenSSH to work around the broken versions in the
usual way?
Any chance you could raise an internal bug to get the version changed in
the next firmware revision?
Cheers,
--
Colin Watson [cjwatson@debian.org]
Acknowledgement sent to Matt Taggart <taggart@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>.
Message #60 received at 343896@bugs.debian.org:
Colin Watson writes...
> Any chance you could raise an internal bug to get the version changed in
> the next firmware revision?
Thanks for the suggestion.
I sent it to the iLO2 Product Manager who forwarded it to the developer who
owns the iLO2 ssh, to be fixed in a future version. I will let you know
when the fix goes in a release.
--
Matt Taggart
taggart@debian.org
Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>.
Message #65 received at 343896@bugs.debian.org:
On Tue, Jul 17, 2007 at 03:28:36PM -0700, Matt Taggart wrote:
> I sent it to the iLO2 Product Manager who forwarded it to the developer who
> owns the iLO2 ssh, to be fixed in a future version. I will let you know
> when the fix goes in a release.
Much appreciated.
--
Colin Watson [cjwatson@debian.org]
Bug reassigned from package `ssh' to `openssh-client'.
Request was from Colin Watson <cjwatson@debian.org>
to control@bugs.debian.org.
(Tue, 25 Dec 2007 17:54:05 GMT)
Acknowledgement sent to Matt Taggart <taggart@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>.
Message #72 received at 343896@bugs.debian.org:
Following up on #343896...
The advertised ssh version string is still the same in the most recent
version of firmware (v1.50 for ilo2). I sent another ping to the people who
own it.
--
Matt Taggart
taggart@debian.org
Acknowledgement sent to Matt Taggart <taggart@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>.
Message #77 received at 343896@bugs.debian.org:
More follow up on #343896...
1.) I reported previously that the ilo/openssh bug was fixed for iLO2 in
iLO2 firmware version 1.24. I just discovered that for iLO1 it was fixed
in iLO1 firmware version 1.92, released 9 May 2008.
2.) As of 21 July 2008, the latest version of iLO2 is 1.50 and the latest
version of iLO1 is 1.92. Neither has adjusted its ssh banner string to
a newer version that would allow ssh to work around the bug in older
versions. I will keep checking as new versions are released.
--
Matt Taggart
taggart@debian.org
Acknowledgement sent to Matt Taggart <taggart@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>.
(Wed, 01 Oct 2008 22:33:05 GMT)
Message #82 received at 343896@bugs.debian.org:
Hi,
This is a status update on #343896, regarding openssh-client support when
connecting to HP integrated Lights Out management processors.
As of October 1, 2008:
* The latest firmware version for ilo1 is 1.92 (9 May 2008) and it works
properly with recent versions of openssh-client. However it still uses the
"mpSSH_0.0.1" version string, so it's not possible for openssh to
differentiate. I don't know if they plan to fix this one, given its age
they may no longer care (although there are still tons of them deployed).
* The latest firmware version for ilo2 is 1.61 (B) (26 Sep 2008) and it
works properly with recent versions of openssh-client. It also now uses a
new version string of "mpSSH_0.1.0" which may help in differentiating the
problem versions.
Thanks,
--
Matt Taggart
taggart@debian.org
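Why the unchanged banner matters, as an added example that is not part of the original thread and is not OpenSSH code: a simplified banner-pattern quirk table, checked against the iLO2 firmware reports transcribed from this thread. The flag name, the pattern table and the helper functions are hypothetical.

```python
import fnmatch

# Hypothetical quirk flag for "answers channel requests sent with want-reply false".
BUG_REPLIES_WITHOUT_WANT_REPLY = 0x01

# Hypothetical pattern table: software-version glob -> workaround flags.
QUIRKS = [
    ("mpSSH_0.0.*", BUG_REPLIES_WITHOUT_WANT_REPLY),
]

# Reports transcribed from this thread: (firmware, advertised software
# version, whether the OpenSSH problem was reported for it).
ILO2_REPORTS = [
    ("iLO2 before 1.24", "mpSSH_0.0.1", True),
    ("iLO2 1.50",        "mpSSH_0.0.1", False),
    ("iLO2 1.61 (B)",    "mpSSH_0.1.0", False),
]


def parse_identification(line):
    """Split 'SSH-protoversion-softwareversion [SP comments]' (RFC 4253)."""
    line = line.rstrip("\r\n")
    if not line.startswith("SSH-"):
        raise ValueError("not an SSH identification string")
    head, _, comments = line.partition(" ")
    parts = head.split("-", 2)
    if len(parts) != 3 or not parts[1] or not parts[2]:
        raise ValueError("malformed SSH identification string")
    return parts[1], parts[2], comments


def compat_flags(identification):
    """OR together the flags of every pattern the software version matches."""
    _, software, _ = parse_identification(identification)
    flags = 0
    for pattern, quirk in QUIRKS:
        if fnmatch.fnmatchcase(software, pattern):
            flags |= quirk
    return flags


def ambiguous_banners(reports):
    """Banners advertised by both affected and unaffected firmware.

    A workaround keyed on such a banner is applied to fixed firmware too,
    or to none of the broken ones; the banner alone cannot separate them.
    """
    seen = {}
    for _firmware, banner, affected in reports:
        seen.setdefault(banner, set()).add(affected)
    return sorted(b for b, states in seen.items() if len(states) > 1)


if __name__ == "__main__":
    for firmware, banner, affected in ILO2_REPORTS:
        flags = compat_flags("SSH-2.0-" + banner)
        print(f"{firmware:18} {banner:12} affected={affected} flags={flags:#x}")
    print("ambiguous:", ambiguous_banners(ILO2_REPORTS))
```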
Acknowledgement sent to Micah Anderson <micah@riseup.net>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>.
(Wed, 29 Oct 2008 22:33:07 GMT)
Message #87 received at 343896@bugs.debian.org:
As it turns out, using the 1.92 firmware for the ilo with the lenny/sid
version of openssh (1:5.1p1-3), doesn't work, please find my ssh -vvv
output below. I tried the various workarounds suggested here with no
luck:
OpenSSH_5.1p1 Debian-3, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /home/micah/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 203.234.253.169 [203.234.253.169] port 22.
debug1: Connection established.
debug1: identity file /home/micah/.ssh/identity type -1
debug3: Not a RSA1 key file /home/micah/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/micah/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/micah/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version mpSSH_0.0.1
debug1: no match: mpSSH_0.0.1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss,ssh-rsa
debug2: kex_parse_kexinit: 3des-cbc,aes128-cbc
debug2: kex_parse_kexinit: 3des-cbc,aes128-cbc
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: dh_gen_key: priv key bits set: 131/256
debug2: bits set: 522/1024
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug3: check_host_in_hostfile: filename /home/micah/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 306
debug1: Host '203.234.253.169' is known and matches the RSA host key.
debug1: Found key in /home/micah/.ssh/known_hosts:306
debug2: bits set: 511/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/micah/.ssh/id_rsa (0xb9e27a58)
debug2: key: (0xb9e28858)
debug2: key: /home/micah/.ssh/identity ((nil))
debug2: key: /home/micah/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: password,publickey
debug3: start over, passed a different list password,publickey
debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/micah/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: password,publickey
debug1: Offering public key:
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: password,publickey
debug1: Trying private key: /home/micah/.ssh/identity
debug3: no such identity: /home/micah/.ssh/identity
debug1: Trying private key: /home/micah/.ssh/id_dsa
debug3: no such identity: /home/micah/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
Administrator@203.234.253.169's password:
debug3: packet_send2: adding 48 (len 69 padlen 11 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug2: callback start
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug3: tty_make_modes: ospeed 38400
debug3: tty_make_modes: ispeed 38400
debug1: Sending environment.
debug3: Ignored env SHELL
debug3: Ignored env USER
debug3: Ignored env LIBGL_DRIVERS_PATH
debug3: Ignored env SSH_AUTH_SOCK
debug3: Ignored env GNOME_KEYRING_SOCKET
debug3: Ignored env USERNAME
debug3: Ignored env PATH
debug3: Ignored env DESKTOP_SESSION
debug3: Ignored env GDM_XSERVER_LOCATION
debug3: Ignored env PWD
debug3: Ignored env GNOME_KEYRING_PID
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env GDM_LANG
debug3: Ignored env GDMSESSION
debug3: Ignored env SHLVL
debug3: Ignored env HOME
debug3: Ignored env LOGNAME
debug3: Ignored env XDG_DATA_DIRS
debug3: Ignored env WINDOWPATH
debug3: Ignored env DISPLAY
debug3: Ignored env XAUTHORITY
debug3: Ignored env GPG_AGENT_INFO
debug3: Ignored env DBUS_SESSION_BUS_ADDRESS
debug3: Ignored env OLDPWD
debug3: Ignored env SDL_VIDEO_X11_DGAMOUSE
debug3: Ignored env _
debug3: Ignored env WINDOWID
debug3: Ignored env COLORFGBG
debug3: Ignored env COLORTERM
debug3: Ignored env TERM
debug3: Ignored env PROMPT
debug3: Ignored env RPROMPT
debug3: Ignored env DEBSIGN_KEYID
debug3: Ignored env DEBEMAIL
debug3: Ignored env DEBFULLNAME
debug3: Ignored env LESS
debug3: Ignored env EDITOR
debug2: channel 0: request shell confirm 1
debug2: fd 3 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 1048576 rmax 2048
Received disconnect from 203.234.253.169: 11: Client Disconnect
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#343896; Package openssh-client.
(Wed, 29 Oct 2008 22:51:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Matt Taggart <taggart@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>.
(Wed, 29 Oct 2008 22:51:03 GMT) (full text, mbox, link).
Message #92 received at 343896@bugs.debian.org (full text, mbox, reply):
I can repeat the bug micah reported, also using ilo1 firmware version 1.92
and openssh-client version 1:5.1p1-3.
--
Matt Taggart
taggart@debian.org
Bug marked as found in version 1:4.2p1-5.
Request was from Paul Wise <pabs@debian.org>
to control@bugs.debian.org.
(Thu, 09 Apr 2009 03:45:03 GMT) (full text, mbox, link).
Bug marked as found in version 1:5.1p1-3.
Request was from Paul Wise <pabs@debian.org>
to control@bugs.debian.org.
(Thu, 09 Apr 2009 03:45:06 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#343896; Package openssh-client.
(Wed, 26 Aug 2009 13:39:04 GMT) (full text, mbox, link).
Acknowledgement sent
to mimo <mimo@restoel.net>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>.
(Wed, 26 Aug 2009 13:39:04 GMT) (full text, mbox, link).
Message #101 received at 343896@bugs.debian.org (full text, mbox, reply):
This works for me on etch
unset LANG ; ssh -o ForwardAgent=no user@box
ii openssh-server 4.3p2-9etch3 Secure shell server, an rshd replacement
mimo
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#343896; Package openssh-client.
(Fri, 20 Mar 2015 01:33:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Paul Wise <pabs@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>.
(Fri, 20 Mar 2015 01:33:05 GMT) (full text, mbox, link).
Message #106 received at 343896@bugs.debian.org (full text, mbox, reply):
On Sun, 18 Dec 2005 17:28:40 +0100 Wichert Akkerman wrote:
> Something changed very recently which broke ssh when dealing with HP iLO
> interfaces. This is problematic since iLO is used to manage a fair
> number of debian.org servers. This is the debugging output:
For those of you experiencing this issue still, switching from OpenSSH
to PuTTY appears to work around whatever the issue is in HP iLO firmware.
I have this issue with the saens.debian.org HP iLO but it stops earlier:
...
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
Received disconnect from UNKNOWN: 2: Client Disconnect
--
bye,
pabs
https://wiki.debian.org/PaulWise
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#343896; Package openssh-client.
(Fri, 20 Mar 2015 09:33:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Harald Staub <harald.staub@switch.ch>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>.
(Fri, 20 Mar 2015 09:33:05 GMT) (full text, mbox, link).
Message #116 received at 343896@bugs.debian.org (full text, mbox, reply):
Some ssh options that may help:
ssh -o HostKeyAlgorithms=ssh-rsa -o MACs=hmac-md5
Also useful: -o PubkeyAuthentication=no
Cheers
Harry
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#343896; Package openssh-client.
(Sat, 12 Sep 2015 03:00:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Alexander Zangerl <az@snafu.priv.at>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>.
(Sat, 12 Sep 2015 03:00:04 GMT) (full text, mbox, link).
Message #126 received at 343896@bugs.debian.org (full text, mbox, reply):
just a data point: with jessie's openssh setting HostKeyAlgorithms=ssh-rsa
is no longer sufficient to connect to ilo 1 systems.
according to the discussion at
http://h30499.www3.hp.com/t5/ITRC-Remote-Lights-Out-Mgmt-iLO/Unable-to-SSH-to-iLO2-with-OpenSSH-6-2/td-p/6050925
the problem is that ilo is fairly dumb; it neither ignores unsupported
ciphers/macs/options nor does it support any reasonable payload sizes.
openssh up to 6.0 worked with just limiting the host key algorithm,
openssh 6.7 offers way more options by default which exceeds ilo's
payload size, and it just disconnects during the key exchange/negotiation
phase.
hp seems to have fixed this for ilo 2 recently, but not for ilo 1.
for the few ilo 1 systems i've got to connect to every now and then
i've had to pare down the negotiation options to the following working
bare minimum:
HostKeyAlgorithms ssh-rsa,ssh-dss
KexAlgorithms diffie-hellman-group1-sha1
Ciphers aes128-cbc,3des-cbc
MACs hmac-md5,hmac-sha1
regards
az
--
Alexander Zangerl + GPG Key 0xB963BD5F (or 0x42BD645D) + http://snafu.priv.at/
Hal, open the file Hal, open the damn file, Hal open the, please Hal
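Added example, not part of the thread and not OpenSSH or HP code: the message above attributes the disconnect to the size of the client's algorithm offer, so this sketch builds the SSH_MSG_KEXINIT payload per RFC 4253 section 7.1 and measures it for the pared-down option set quoted above against a longer offer. The BROAD list is constructed for illustration and is not any OpenSSH release's exact defaults; offering only "none" for compression is an assumption.

```python
import os
import struct

# Constructed offers. MINIMAL is the option set quoted in the message above;
# BROAD is an illustrative longer offer, not any OpenSSH release's exact defaults.
MINIMAL = {
    "KexAlgorithms": ["diffie-hellman-group1-sha1"],
    "HostKeyAlgorithms": ["ssh-rsa", "ssh-dss"],
    "Ciphers": ["aes128-cbc", "3des-cbc"],
    "MACs": ["hmac-md5", "hmac-sha1"],
}
BROAD = {
    "KexAlgorithms": ["curve25519-sha256@libssh.org", "ecdh-sha2-nistp256",
                      "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
                      "diffie-hellman-group-exchange-sha256",
                      "diffie-hellman-group14-sha1"],
    "HostKeyAlgorithms": ["ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-rsa", "ssh-dss"],
    "Ciphers": ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr",
                "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"],
    "MACs": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
             "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"],
}

def name_list(names):
    """RFC 4251 name-list: uint32 length, then comma-joined ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data

def kexinit_payload(offer, compression=("none",)):
    """SSH_MSG_KEXINIT payload (RFC 4253 section 7.1) for a client offer."""
    lists = [offer["KexAlgorithms"], offer["HostKeyAlgorithms"],
             offer["Ciphers"], offer["Ciphers"],   # client->server, server->client
             offer["MACs"], offer["MACs"],
             compression, compression,             # assumption: "none" only
             [], []]                               # languages: empty
    body = b"".join(name_list(l) for l in lists)
    # message type 20, 16-byte cookie, ten name-lists,
    # first_kex_packet_follows = FALSE, reserved uint32 = 0
    return b"\x14" + os.urandom(16) + body + b"\x00" + struct.pack(">I", 0)

def parse_name_lists(payload):
    """Decode the ten name-lists back out, as the receiving side must."""
    pos, out = 17, []                              # skip type byte and cookie
    for _ in range(10):
        (n,) = struct.unpack_from(">I", payload, pos)
        raw = payload[pos + 4:pos + 4 + n].decode("ascii")
        out.append(raw.split(",") if raw else [])
        pos += 4 + n
    return out

if __name__ == "__main__":
    for label, offer in (("minimal", MINIMAL), ("broad", BROAD)):
        print(label, len(kexinit_payload(offer)), "bytes")
```

Because the pared-down lists contain only sha1, md5 and cbc-mode algorithms, they are best placed in a Host block for the iLO addresses in ssh_config so they are never offered to any other server.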
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#343896; Package openssh-client.
(Sat, 12 Sep 2015 23:30:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Matt Taggart <taggart@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>.
(Sat, 12 Sep 2015 23:30:03 GMT) (full text, mbox, link).
Message #131 received at 343896@bugs.debian.org (full text, mbox, reply):
This bug is coming up on its TEN YEAR anniversary!
HP has had 10 years to fix the broken ssh implementations in these devices.
They no longer care about these older products, and even the slightly newer
devices fail to support modern crypto and have other bugs.
I think this bug can continue to document work-arounds but should be tagged
wontfix and no priority placed on compatibility with these old broken
products. (still possible currently, but sha1, 3des, md5, cbc, etc. will
eventually be disabled and will stop)
Hopefully this will also serve as an example to HP and other vendors that
choosing to use proprietary firmware on these devices is both inferior and
not as cost effective. If they had used something like dropbear for the ssh
implementation there would be no compatibility problems and they'd also have
support for all the latest crypto.
Here's an idea for HP: they are working on new IoT software stacks that
will use FOSS technologies and prioritize security. As a demonstration of
these new software stacks, why not port them to older iLO devices first?
iLO devices could be considered some of the first IoT devices :)
--
Matt Taggart
taggart@debian.org
Added tag(s) wontfix.
Request was from Matt Taggart <matt@lackof.org>
to control@bugs.debian.org.
(Tue, 04 Oct 2022 23:09:02 GMT) (full text, mbox, link).
Marked Bug as done
Request was from Matt Taggart <matt@lackof.org>
to control@bugs.debian.org.
(Tue, 04 Oct 2022 23:09:02 GMT) (full text, mbox, link).
Notification sent
to Wichert Akkerman <wichert@wiggy.net>:
Bug acknowledged by developer.
(Tue, 04 Oct 2022 23:09:03 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 02 Nov 2022 07:30:36 GMT) (full text, mbox, link).
Last modified:
Thu Aug 8 01:17:57 2024;