Thread: SSH Help
View Single Post
Old 02-24-2012, 08:42 AM   #74
knc1
Helpdesk Junkie
knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.
 
knc1's Avatar
 
Posts: 6,818
Karma: 6314522
Join Date: Feb 2012
Device: Too many.
Quote:
Originally Posted by sjheiss View Post
It was working fine for awhile, but now it's back to taking a long time to connect, if ever connecting, so I'll try that now that I have a working Linux distro available to me.

EDIT: OK, Here is my log:

Code:
[root@Sean-Fedora sean]# ssh -vv 192.168.2.2
OpenSSH_5.8p1, OpenSSL 1.0.0g-fips 18 Jan 2012
That is one cause of the delay, your OpenSSH is built against the FIPS validated OpenSSL which has to undergo its self testing at every startup of every instance even if OpenSSH never sets "FIPS_MODE=1" (check your environment strings).

Unless you are in an environment that demands the use of the FIPS validated OpenSSL library (such as a private or government agency) - try a copy of OpenSSH built against the non-validated OpenSSL.

Code:
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.2.2 [192.168.2.2] port 22.
This is where a reverse lookup was attempted. Put (your choice of names):
# IP ADDRESS # FQD - unregistered is ok # local name(s) - more than one allowed.
192.168.2.2 kindle.my.domain kindle
in your client side, /etc/hosts

Code:
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: SELinux support enabled
This is part of having the OpenSSH built for use in a high security environment.
Same comment as above about FIPS. If your not required to use it....

Code:
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
Using a local identity file and public key authentication is __much__ faster.
I am surprised that no one has written up a how-to on this, will see if I can fill that void later today.

Code:
debug1: Remote protocol version 2.0, remote software version dropbear_0.53.1
debug1: no match: dropbear_0.53.1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8
That is the version string of a "locally built" OpenSSH, probably done by your security manager when they built the FIPS-enabled OpenSSH.
Edit: My eye just caught your PS1 prompt - this is a copy of Fedora, a very security aware distribution. Well somebody has to deal with it, I guess we can tackle it in this thread.

Code:
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,3des-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes256-cbc,twofish256-cbc,twofish-cbc,twofish128-cbc
debug2: kex_parse_kexinit: aes128-ctr,3des-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes256-cbc,twofish256-cbc,twofish-cbc,twofish128-cbc
debug2: kex_parse_kexinit: hmac-sha1-96,hmac-sha1,hmac-md5
debug2: kex_parse_kexinit: hmac-sha1-96,hmac-sha1,hmac-md5
debug2: kex_parse_kexinit: zlib,zlib@openssh.com,none
debug2: kex_parse_kexinit: zlib,zlib@openssh.com,none
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug2: dh_gen_key: priv key bits set: 138/256
debug2: bits set: 965/2048
The FIPS enabled library -
Non-FIPS would have set 125/256 and 502/1024
It takes significant cpu and /dev/random to find and set these larger keys.

Code:
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Server host key: RSA 4e:30:f8:bf:3e:92:b6:ad:18:21:b3:47:95:9e:02:30
The authenticity of host '192.168.2.2 (192.168.2.2)' can't be established.
RSA key fingerprint is 4e:30:f8:bf:3e:92:b6:ad:18:21:b3:47:95:9e:02:30.
Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '192.168.2.2' (RSA) to the list of known hosts.
debug2: bits set: 1013/2048
Would be 522/1024 for a non-FIPS build. Same comment as above.

Code:
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/id_rsa ((nil))
debug2: key: /root/.ssh/id_dsa ((nil))

Welcome to Kindle!

debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug2: we did not send a packet, disable method
With an identity file and public key access, you would be done here.

Code:
debug1: Next authentication method: password
root@192.168.2.2's password: 
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
Authenticated to 192.168.2.2 ([192.168.2.2]:22).
Another reverse lookup that could be fixed by the /etc/hosts entry.

Code:
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Entering interactive session.
debug2: callback start
debug2: client_session2_setup: id 0
debug2: fd 3 setting TCP_NODELAY
debug2: channel 0: request pty-req confirm 1
debug1: Sending environment.
debug1: Sending env XMODIFIERS = @im=none
debug2: channel 0: request env confirm 0
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug2: channel 0: request shell confirm 1
debug2: callback done
debug2: channel 0: open confirm rwindow 24576 rmax 32768
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
#################################################
#  N O T I C E  *  N O T I C E  *  N O T I C E  # 
#################################################
Rootfs is mounted read-only. Invoke mntroot rw to
switch back to a writable rootfs.
#################################################
[root@kindle root]#

Translation:
Set a address/name pair in /etc/hosts (as the other poster suggested)

Use public key authentication with an identity file on your client machine, the public key on the Kindle.

Find a copy of OpenSSH not built against the FIPS-140 validated OpenSSL and use that (if allowed within your organization).
Edit: Under the Fedora distribution, this last may not be practical, but it is still valid, general advice.

Last edited by knc1; 02-24-2012 at 09:29 AM.
knc1 is offline   Reply With Quote