Discussion:
[rancid] Issues with the latest version of OpenSSH and Rancid 3.2-2.
S***@cpu.ca
2015-12-28 20:36:44 UTC
Hi all,

I upgraded my debian os to the latest version and I saw there is an issue with the latest version of OpenSSH.

dpkg -l | grep openssh
ii openssh-client 1:7.1p1-5 amd64 secure shell (SSH) client, for secure access to remote machines
ii openssh-server 1:7.1p1-5 amd64 secure shell (SSH) server, for secure access from remote machines
ii openssh-sftp-server 1:7.1p1-5 amd64 secure shell (SSH) sftp server module, for SFTP access from remote machine

I got this error...

bin/flogin tr.1
tr.1
spawn ssh -c 3des -x -l cpu_backup tr.1
Unknown cipher type '3des'

Error: Couldn't login

Has anyone ever had this problem?
How did you fix it?

Thank you very much and merry Christmas. ;)

Sébastien
Lee
2015-12-28 20:55:08 UTC
Hi,
Post by S***@cpu.ca
Hi all,
I upgraded my debian os to the latest version and I saw there is an issue
with the latest version of OpenSSH.
dpkg -l | grep openssh
ii openssh-client 1:7.1p1-5 amd64
secure shell (SSH) client, for secure access to remote machines
ii openssh-server 1:7.1p1-5 amd64
secure shell (SSH) server, for secure access from remote machines
ii openssh-sftp-server 1:7.1p1-5 amd64
secure shell (SSH) sftp server module, for SFTP access from remote
machine
I got this error...
bin/flogin tr.1
tr.1
spawn ssh -c 3des -x -l cpu_backup tr.1
Unknown cipher type '3des'
Error: Couldn't login
Anyone ever had this problem ?
How did fix it ?
change cyphertype in ~/.cloginrc to aes256-cbc - ie.

add method * {ssh}
# add cyphertype * {3des}
add cyphertype * {aes256-cbc}

Regards,
Lee
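
An added example (not part of the original thread or of RANCID): a shell function that lists the `cyphertype` entries in a `.cloginrc` whose ciphers the installed OpenSSH client no longer offers, so a failure like `Unknown cipher type '3des'` is caught before a collection run. The function name and the sample file contents are constructed; on a real host the supported list would come from `ssh -Q cipher`.

```shell
#!/bin/sh
# audit_cyphertypes CLOGINRC SUPPORTED   (hypothetical helper, not part of RANCID)
#   CLOGINRC  : path to a .cloginrc file
#   SUPPORTED : one cipher name per line, e.g. produced by: ssh -Q cipher
# Prints "<line>:<device glob>:<cipher>" for each active cyphertype entry whose
# cipher is not in SUPPORTED. Returns 1 if any was printed, otherwise 0.
audit_cyphertypes() {
    awk '
        NR == FNR { ok[$1] = 1; next }        # first file: supported ciphers
        /^[ \t]*#/ { next }                   # commented-out entries are inactive
        $1 == "add" && $2 == "cyphertype" {
            spec = $0
            sub(/^[^{]*[{]/, "", spec)        # keep only the text inside {...}
            sub(/[}].*$/, "", spec)
            gsub(/[ \t]/, "", spec)
            n = split(spec, c, ",")           # ssh -c accepts a comma-separated list
            for (i = 1; i <= n; i++)
                if (c[i] != "" && !(c[i] in ok)) {
                    printf "%d:%s:%s\n", FNR, $3, c[i]
                    bad = 1
                }
        }
        END { exit bad + 0 }
    ' "$2" "$1"
}

# Demo on constructed sample data (not taken from a real host).
demo_dir=$(mktemp -d)
printf '%s\n' aes128-ctr aes256-ctr aes256-cbc > "$demo_dir/supported"
cat > "$demo_dir/cloginrc" <<'EOF'
add method * {ssh}
add cyphertype tr.* {3des}
add cyphertype * {aes256-cbc}
EOF
audit_cyphertypes "$demo_dir/cloginrc" "$demo_dir/supported" ||
    echo "unsupported cipher(s) configured" >&2
rm -rf "$demo_dir"
```

On a live RANCID host: `ssh -Q cipher > /tmp/ciphers && audit_cyphertypes ~/.cloginrc /tmp/ciphers`.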
S***@cpu.ca
2015-12-28 21:30:32 UTC
WOW. Thanks for your very fast answer. It's appreciated.
It works perfectly...

AND for that, do you have a clue Lee ?

bin/flogin b.10.10.84.8
b.10.10.84.8
spawn ssh -1 -c aes256-cbc -x -l admin b.10.10.84.8
ssh1 is not supported

Error: Couldn't login

Sébastien Boulianne

Alan McKinnon
2015-12-28 21:50:54 UTC
Post by S***@cpu.ca
WOW. Thanks for your very fast answer. It's appreciate.
It works perfectly...
AND for that, do you have a clue Lee ?
bin/flogin b.10.10.84.8
b.10.10.84.8
spawn ssh -1 -c aes256-cbc -x -l admin b.10.10.84.8
ssh1 is not supported
Error: Couldn't login
Now you have a real problem. I could be wrong on the details, I believe
debian now disables all support for ssh1 protocol in openssh-7 and
above. In other words, you will never use that ssh to log into that
device - the code is not there.

Do check the Changelogs for your distro, debian and derivatives are very
good at listing exactly what changed. If ssh1 support is indeed gone you
have three options:

Does flogin then attempt an ssh2 login which succeeds?
If so, you must modify flogin to prevent it trying ssh1 protocol.

Other than that, you have some options, none of them especially nice:

1. downgrade openssh on the rancid host to 6.x
2. replace the network device with something shipped this millennium
3. install the openssh sources and recompile with ssh1 support enabled


You were always going to have to deal with this sometime, now is a good
time. ssh1 should have died by fire 10 or more years ago.

/alanm
_______________________________________________
Rancid-discuss mailing list
http://www.shrubbery.net/mailman/listinfo/rancid-discuss
--
Alan McKinnon
***@gmail.com
S***@cpu.ca
2015-12-28 21:59:52 UTC
I know that most devices use SSH2 but some are very old and I didn't find a recent firmware...
This switch is a HP ProCurve 2650.

ssh -2 -c aes256-cbc -x -l admin b.10.10.84.8
Protocol major versions differ: 2 vs. 1

Thanks.

Sébastien Boulianne

-----Original Message-----
From: Aaron Dudek [mailto:***@gmail.com]
Sent: December 28, 2015 16:55
To: Sebastien Boulianne <***@cpu.ca>
Cc: ***@gmail.com; rancid-***@shrubbery.net
Subject: Re: [rancid] Issues with the latest version of OpenSSH and Rancid 3.2-2.

Don't use ssh version 1. Most modern devices have moved to version 2

spawn ssh -1
-1 Forces ssh to try protocol version 1 only.

Verify that the device supports version 2 via ssh -2 -c aes256-cbc -x -l admin b.10.10.84.8 from the command line.

You can add -v -v -v to the command to see the debug logs.

Aaron
Lee
2015-12-28 22:14:43 UTC
Post by S***@cpu.ca
WOW. Thanks for your very fast answer. It's appreciate.
It works perfectly...
AND for that, do you have a clue Lee ?
bin/flogin b.10.10.84.8
b.10.10.84.8
spawn ssh -1 -c aes256-cbc -x -l admin b.10.10.84.8
ssh1 is not supported
Error: Couldn't login
You can try adding this line to your ~/.ssh/config

Protocol 2

and see if [whatever the device is] does ssh v2. If no, you're
probably stuck trying to find the openssh release notes & figuring out
how to enable v1 again..


Another problem I had after upgrading openssh, but darn if I can
remember what it was, was either fixed or worked-around by adding

KexAlgorithms +diffie-hellman-group1-sha1

to my ~/.ssh/config

Regards,
Lee
Howard Jones
2015-12-29 10:40:21 UTC
Post by S***@cpu.ca
WOW. Thanks for your very fast answer. It's appreciate.
It works perfectly...
AND for that, do you have a clue Lee ?
bin/flogin b.10.10.84.8
b.10.10.84.8
spawn ssh -1 -c aes256-cbc -x -l admin b.10.10.84.8
ssh1 is not supported
Error: Couldn't login
For a similar situation (I ended up resolving it a different way, but
this was the temporary fix), I built last year's OpenSSH in /opt/oldssh.
When you build with GNU Configure, you can almost always add a --prefix
flag to have it build somewhere non-standard. Then RANCID allows you to
use the sshcmd directive in your .cloginrc to use /opt/oldssh/bin/ssh
instead of the system ssh.

Two things to note: you have last year's ssh bugs too, although that is
usually more of a risk with the server than client, and also be sure to
read the output from "./configure --prefix=/opt/oldssh" to make sure it
won't touch /etc at all too. Or just compile as the RANCID user, so that
it couldn't touch /etc even if it wanted to.

You may also find you can build the current openssh, but without the
(guessing the name) --without-ssh1 flag on configure.

Howard
