Subject: Re: lib/32183: can't connect anymore with -current ssh/sshd on amd64
To: Christos Zoulas <christos@zoulas.com>
From: Nicolas Joly <njoly@pasteur.fr>
List: netbsd-bugs
Date: 11/28/2005 17:58:12

On Mon, Nov 28, 2005 at 11:29:49AM -0500, Christos Zoulas wrote:
> On Nov 28, 4:17pm, njoly@pasteur.fr (njoly@pasteur.fr) wrote:
> -- Subject: lib/32183: can't connect anymore with -current ssh/sshd on amd64
>
> | >Number: 32183
> | >Category: lib
> | >Synopsis: can't connect anymore with -current ssh/sshd on amd64
> | >Confidential: no
> | >Severity: critical
> | >Priority: high
> | >Responsible: lib-bug-people
> | >State: open
> | >Class: sw-bug
> | >Submitter-Id: net
> | >Arrival-Date: Mon Nov 28 16:17:00 +0000 2005
> | >Originator: Nicolas Joly
> | >Release: NetBSD 3.99.12
> | >Organization:
> | Institut Pasteur, Paris.
> | >Environment:
> | System: NetBSD lanfeust.sis.pasteur.fr 3.99.12 NetBSD 3.99.12 (LANFEUST) #6: Mon Nov 28 15:35:05 CET 2005 njoly@lanfeust.sis.pasteur.fr:/local/src/NetBSD/obj/amd64/sys/arch/amd64/compile/LANFEUST amd64
> | Architecture: x86_64
> | Machine: amd64
> | >Description:
> | With the recent openssl update, I can't connect from/to my NetBSD/amd64 box
> | anymore. All connections fail with the same message:
> |
> | njoly@lanfeust [~]> ssh -v xxx.sis.pasteur.fr
> | OpenSSH_4.0 NetBSD_Secure_Shell-20050423, OpenSSL 0.9.8a 11 Oct 2005
> | debug1: Reading configuration data /home/njoly/.ssh/config
> | debug1: Reading configuration data /etc/ssh/ssh_config
> | debug1: Applying options for *
> | debug1: Connecting to xxx.sis.pasteur.fr [157.99.60.xxx] port 22.
> | debug1: Connection established.
> | debug1: identity file /home/njoly/.ssh/identity type -1
> | debug1: identity file /home/njoly/.ssh/id_rsa type 1
> | debug1: identity file /home/njoly/.ssh/id_dsa type -1
> | debug1: Remote protocol version 1.99, remote software version OpenSSH_3.8.1p1
> | debug1: match: OpenSSH_3.8.1p1 pat OpenSSH_3.*
> | debug1: Enabling compatibility mode for protocol 2.0
> | debug1: Local version string SSH-2.0-OpenSSH_4.0 NetBSD_Secure_Shell-20050423
> | debug1: SSH2_MSG_KEXINIT sent
> | debug1: SSH2_MSG_KEXINIT received
> | debug1: kex: server->client aes128-cbc hmac-md5 none
> | debug1: kex: client->server aes128-cbc hmac-md5 none
> | debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> | debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> | debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> | debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> | debug1: Host 'xxx.sis.pasteur.fr' is known and matches the RSA host key.
> | debug1: Found key in /home/njoly/.ssh/known_hosts:15
> | RSA_public_decrypt failed: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
> | debug1: ssh_rsa_verify: signature incorrect
> | key_verify failed for server_host_key
> |
> | I checked that all `openssl speed' tests pass correctly ... It worked
> | perfectly before recent openssl update.
> |
> | >How-To-Repeat:
> | Try to connect from or to a -current NetBSD/amd64 box using ssh.
> | >Fix:
> | Don't know.
>
> Does make regress in /usr/src/lib/libcrypto pass?

Don't know. I just removed all obj, and started a fresh build.
Looks like my previous build (MKUPDATE=YES) has made some mistakes by
linking with 2 libcrypto versions at the same time ...

njoly@lanfeust [NetBSD/src]> ldd /usr/bin/ssh
/usr/bin/ssh:
-lgssapi.5 => /usr/lib/libgssapi.so.5
-lcrypt.0 => /usr/lib/libcrypt.so.0
-lcrypto.2 => /usr/lib/libcrypto.so.2
-lasn1.6 => /usr/lib/libasn1.so.6
-lcom_err.4 => /usr/lib/libcom_err.so.4
-lroken.12 => /usr/lib/libroken.so.12
-lkrb5.20 => /usr/lib/libkrb5.so.20
-lkafs.6 => /usr/lib/libkafs.so.6
-ldes.7 => /usr/lib/libdes.so.7
-lkrb.6 => /usr/lib/libkrb.so.6
-lz.0 => /usr/lib/libz.so.0
-lssh.2 => /usr/lib/libssh.so.2
-lcrypto.3 => /usr/lib/libcrypto.so.3
-lc.12 => /usr/lib/libc.so.12
njoly@lanfeust [NetBSD/src]> ll /lib/libcrypto*
lrwxr-xr-x 1 root wheel 16 Nov 28 15:55 /lib/libcrypto.so -> libcrypto.so.3.0
lrwxr-xr-x 1 root wheel 16 Nov 23 16:18 /lib/libcrypto.so.2 -> libcrypto.so.2.2
-r--r--r-- 1 root wheel 1489335 Nov 21 11:17 /lib/libcrypto.so.2.2
lrwxr-xr-x 1 root wheel 16 Nov 28 15:55 /lib/libcrypto.so.3 -> libcrypto.so.3.0
-r--r--r-- 1 root wheel 1768592 Nov 28 15:53 /lib/libcrypto.so.3.0

Will wait until it finishes and report.

--
Nicolas Joly
Biological Software and Databanks.
Institut Pasteur, Paris.
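
Added example, not part of the original message: a shell check for the condition suspected above, one binary resolving the same library under two different versions. The names mixed_majors and sample_ldd are hypothetical; the sample input is the ldd output quoted in the message.

```shell
#!/bin/sh
# Added example: flag libraries that ldd resolves under more than one version.

# Reads ldd output on stdin. For every library base name (e.g. libcrypto)
# that resolves to two or more distinct versioned file names, prints
# "name: path1 path2 ...". Prints nothing when the link set is consistent.
mixed_majors() {
    awk '
    $2 == "=>" && $3 ~ /\.so\.[0-9]+/ {
        n = split($3, parts, "/")
        file = parts[n]                  # e.g. libcrypto.so.2
        base = file
        sub(/\.so\..*$/, "", base)       # e.g. libcrypto
        key = base SUBSEP file
        if (!(key in seen)) {            # same version via two paths counts once
            seen[key] = 1
            count[base]++
            paths[base] = paths[base] " " $3
        }
    }
    END {
        for (b in count)
            if (count[b] > 1)
                print b ":" paths[b]
    }'
}

# Sample input: the "ldd /usr/bin/ssh" output quoted in the message.
sample_ldd() {
    cat <<'EOF'
/usr/bin/ssh:
-lgssapi.5 => /usr/lib/libgssapi.so.5
-lcrypt.0 => /usr/lib/libcrypt.so.0
-lcrypto.2 => /usr/lib/libcrypto.so.2
-lasn1.6 => /usr/lib/libasn1.so.6
-lkrb5.20 => /usr/lib/libkrb5.so.20
-lkrb.6 => /usr/lib/libkrb.so.6
-lz.0 => /usr/lib/libz.so.0
-lssh.2 => /usr/lib/libssh.so.2
-lcrypto.3 => /usr/lib/libcrypto.so.3
-lc.12 => /usr/lib/libc.so.12
EOF
}

sample_ldd | mixed_majors
```

On a live system the same function takes real output, for instance `ldd /usr/bin/ssh | mixed_majors`; any line it prints after an update build is a reason to rebuild from clean objects before trusting crypto results from that binary.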