Bug 60924 - openssh fails to connect to or from old clients
openssh fails to connect to or from old clients
Status: CLOSED NOTABUG
Product: Red Hat Linux
Classification: Retired
Component: openssh (Show other bugs)
6.2
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Tomas Mraz
Brian Brock
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2002-03-09 00:17 EST by Anthony Rumble
Modified: 2007-04-18 12:40 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-02-03 07:10:45 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Anthony Rumble 2002-03-09 00:17:35 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.7) Gecko/20011226

Description of problem:
connecting to or from 1.x version of openssh fails with Disconnecting: Corrupted
check bytes on input

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1.ssh from v1.x openssh client to new 3.1p1-1 server
2.or ssh to a v1.x server from a v3.1p1-1 server
3.
	

Actual Results:  (with -v).
... stuff deleted here
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
Disconnecting: Corrupted check bytes on input.
debug1: Calling cleanup 0x8061038(0x0)
... end

Expected Results:  It should have connected and authenticated further.

Additional info:

It happens with the RPM's for 7.2, 7.1, 7.0 (and my back ported 6.2) RPMs.

Need to test if this is a packaging problem, or an OpenSSH bug.
Haven't tested other non-x86 platform yet, will do when I get my
alpha booted up.
Comment 1 Anthony Rumble 2002-03-09 01:01:05 EST
Ok. Ill take that back.. it seems to ONLY be happening in my 6.2 back port
of the Redhat SRPMS..

Wierd..

Damn these old 6.2 sites I have to support..

Something very strange going on here though..

Heres the 6.2 binary connecting to a 1.x server..

... stuff deleted ...
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: cipher_init: set keylen (16 -> 32)
debug1: cipher_init: set keylen (16 -> 32)
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
... deleted...

and heres a 7.1 client talking to the 1.x server..

... stuff deleted ...
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
Disconnecting: Corrupted check bytes on input.
debug1: Calling cleanup 0x8061038(0x0)
.. end ..

It seems to not be setting that key len..

Notes here.. running RH 6.2 all errata installed
and openssl-0.9.6-9 back-ported.

Any ideas?
Comment 2 Anthony Rumble 2002-03-09 01:02:03 EST
sorry.. last examples are around the wrong way..
Comment 3 Anthony Rumble 2002-03-09 01:59:39 EST
Ok. I think I have gotten to the bottom of this now.
It seems the openssl095a patch that is turned on when you set
the RH 6.x open in the spec file removes some code that seems
to be important for openssh 3.xx.

I removed this patch, and used openssl-0.9.6-9 (same as you have done
for RH 7.1, with the openssl095a rpm to link for older stuff)..

And that fixed it fine.

Redhat have not maintained OpenSSH for RH 6.2, as it never origionally
came with 6.2, however, there are a LOT of sites out there using 6.2
and using OpenSSH.. a 6.2-crypto channel in RHN would be REALLY nice.
Comment 4 Anders Hermansen 2002-03-11 10:28:54 EST
Can you please give a little more detail's about what you did to fix this 
problem. I did not quite understand the last comment.

I have the excact same problem as you have described.


Thanks,
Anders Hermansen
Comment 5 Anthony Rumble 2002-03-11 17:03:48 EST
No problem, I've put my RPM's of openssl, and openssh (including SRPMS) here.
http://www.linuxhelp.com.au/downloads/openssh/6.2/

The openssl rpm's have an openssl095a rpm this is required to keep
the dependancies of existing SSL applications.

You will need to use --upgrade on them as one..
Ie/ rpm --upgrade openssl-0.9.6-9.i386.rpm openssl095a-0.9.5a-9.i386.rpm
This is to satisfy the dependancy tree.

Please grab the SRPMS and compile them yourself if you have the time/knowhow.

As for what I did.. I back ported openssl-0.9.6-9 and openssl095a-0.9.5a from
the RH 7.1 errata. Then in the spec file of openssh-3.1p1-1, I commented out
patch 9 titled "openssl095a", and rebuilt.

Anthony
Comment 6 Anders Hermansen 2002-03-12 09:41:43 EST
That did the trick! Thanks!
Comment 7 Alec Voropay 2002-03-14 06:59:38 EST
Thank you! I have to support a lot of RHs 6.2 on Sparc platform (there is no 
official RH >6.2 for this platform). See my bug 61146. I'll try your patches 
ASAP. However, there is newer openssh-3.1p1-2 on RawHide.

P.S. The "standart way" to mark back-ported SRPMS to specific RH version is to 
give them extension: like openssh-3.1p1-2.6.2.src.rpm  or openssh-3.1p1-
2.6.x.src.rpm . Try http://www.rpmfind.net/

Comment 8 Tomas Mraz 2005-02-03 07:10:45 EST
This is not supported by Red Hat.

Note You need to log in before you can comment on or make changes to this bug.