ssh2 problems with SuSE 8.1
Hello,

since the update from SuSE 8.0 to 8.1 I have no chance to connect to my Linux box via ssh protocol version 2. Protocol 1 is no problem, I get a login immediately.

The problem exists even when I try to connect on the same machine, whether to localhost or to the network interface. And the problem seems to be with the sshd server, because I have the same problem with connections from a Linux notebook (SuSE 8.0) and from a Win2k PC.

De- and reinstalling openSSH and even openSSL have not been successful at all.

Anybody out there with the same problem and perhaps a solution?!?

Kind regards,
Dirk

--
Dirk Janssen     | Fon: +49 (0)641 9502070 | PGP-Key available
Giessen, Germany | Fax: +49 (0)641 9502071 | at pgp@dja-it.de
Hi,

On Mon, Oct 14, 2002 at 01:05:25AM +0200, Dirk Janssen wrote:
> since the update from SuSE 8.0 to 8.1 i have no chance to connect to my linux box via ssh protocol version 2. Protocol 1 is no problem, i get a
> [...]
> Anybody out there with the same problem and perhaps a solution?!?

<aol>me too</aol>, and it looks like that (from a 7.3 system to the 8.1):

omega:~ # ssh -v root@195.x.x.x
OpenSSH_3.3, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to 195.x.x.x [195.x.x.x] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.4p1
debug1: match: OpenSSH_3.4p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.3
debug1: SSH2_MSG_KEXINIT sent
[then sleeps forever]

With the "-1" flag, no problems.

Regards,
Olivier

--
_________________________________________________________________
Olivier Mueller - om@8304.ch - PGPkeyID: 0E84D2EA - Switzerland
qmail projects: http://omail.omnis.ch - http://webmail.omnis.ch
Olivier M. wrote:
> debug1: Local version string SSH-2.0-OpenSSH_3.3
> debug1: SSH2_MSG_KEXINIT sent
> [then sleeps forever]
>
> with the "-1" flag, no problems.

What do the logs on the server show? Anything? What if you start the sshd in debug mode on another port? Maybe something will give a hint.

Regards
On Mon, Oct 14, 2002 at 01:15:52AM +0200, Olivier M. wrote:
> debug1: Local version string SSH-2.0-OpenSSH_3.3
> debug1: SSH2_MSG_KEXINIT sent
> [then sleeps forever]

I don't believe you actually tried out that last statement. A friend of mine told me that he had to wait for 5 or 15 minutes and then everything continued at full speed - note: I haven't had that problem myself - but I do have some kerberos (aka heimdal) packages installed. Maybe you don't and it's compiled with some of that stuff in? Just an idea.

Ciao
Jörg

--
Joerg Mayer <jmayer@loplof.de>
I found out that "pro" means "instead of" (as in proconsul). Now I know what proactive means.
On Mon, Oct 14, 2002 at 04:10:42AM +0200, Joerg Mayer wrote:
> On Mon, Oct 14, 2002 at 01:15:52AM +0200, Olivier M. wrote:
>> debug1: Local version string SSH-2.0-OpenSSH_3.3
>> debug1: SSH2_MSG_KEXINIT sent
>> [then sleeps forever]
>
> I don't believe you actually tried out that last statement. A friend of mine told me that he had to wait for 5 or 15 minutes and then everything continued at full speed - note: I haven't had that problem myself - but I do have some kerberos (aka heimdal) packages installed. Maybe you don't and it's compiled with some of that stuff in? Just an idea.

The problem is that we added Kerberos/GSSAPI support for Version 2, and it seems Heimdal will do excessive DNS lookups for various Kerberos related names. If you have no Kerberos, it hangs.

We've prepared a patch and will release it shortly.

Olaf

--
Olaf Kirch     | Anyone who has had to work with X.509 has probably
okir@suse.de   | experienced what can best be described as
---------------+ ISO water torture. -- Peter Gutmann
Any way (an option in config files etc) to disable that support for those who don't need that?

Regards
Eduard

> The problem is that we added Kerberos/GSSAPI support for Version 2, and it seems Heimdal will do excessive DNS lookups for various Kerberos related names. If you have no Kerberos, it hangs.
>
> We've prepared a patch and will release it shortly.
>
> Olaf
On Mon, Oct 14, 2002 at 03:52:27AM -0700, Eduard Avetisyan wrote:
> Any way (an option in config files etc) to disable that support for those who don't need that?

Yes and no. There are options, but they don't keep the ssh client from trying to initialize GSSAPI and thereby Kerberos.

Olaf

--
Olaf Kirch     | Anyone who has had to work with X.509 has probably
okir@suse.de   | experienced what can best be described as
---------------+ ISO water torture. -- Peter Gutmann
Roll yer own... ehhh.. compile your own :) sorry couldn't resist :)

Actually, compiling a "secure" ssh, with only the options that you really need (want, use ...), is a good option for people who know what they are doing. Although the "fat" packages are nice and easy to install, I usually prepare my own packages for Apache and SSH for production servers.

peace,
Tom

>> Any way (an option in config files etc) to disable that support for those who don't need that?
>
> Yes and no. There are options, but they don't keep the ssh client from trying to initialize GSSAPI and thereby Kerberos.
>
> Olaf
participants (7)
- Eduard Avetisyan
- Joerg Mayer
- linux@dja-it.de
- Olaf Kirch
- Olivier M.
- Sven 'Darkman' Michels
- Thomas Seliger