Hi all,
I have a very strange problem. In my network I am configuring a communication server.
Situation:
I have three servers
Server 1: Solaris 8 server with SSH client: OpenSSH_3.9p1, OpenSSL 0.9.7d 17 Mar 2004
Server 2: Solaris 8 server with SSH Client: OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0.9.6g 9 Aug 2002
Server 3: RedHat AS3 with ssh daemon: OpenSSH_3.6.1p2
The sshd has the following configuration file:
------------------------------------------------------------------------
# $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768
# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 120
#PermitRootLogin yes
#StrictModes yes
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#AFSTokenPassing no
# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no
# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no
#ShowPatchLevel no
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
#Banner /etc/motd.ssh
------------------------------------------------------------------------
When I log in to the server via ssh from server 1 to server 3 everything works fine.
But when I log in from server 2 to server 3 I get nothing.
See the output of ssh -vv below:
OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0.9.6g 9 Aug 2002
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to x.x.x.5 [x.x.x.5] port 22.
In the logging of /var/log/secure on the server (sshd with debugging on) I see the following:
Jun 2 16:04:33 Server3 sshd[10152]: Did not receive identification string from x.x.x.9
Jun 2 16:04:33 Server3 sshd[10152]: debug1: Calling cleanup 0x806f000(0x0)
Jun 2 16:04:33 Server3 sshd[10153]: Connection from x.x.x.9 port 56678
These messages are normally shown when someone does a port scan or something else nasty to your server,
but since I am the only nasty guy connecting to server3 that should not be the problem.
I have checked the source of sshd (that's a place I don't normally come, but OK) and have found this:
374     if (client_version_string == NULL) {
375         /* Send our protocol version identification. */
376         if (atomicio(write, sock_out, server_version_string,
377             strlen(server_version_string))
378             != strlen(server_version_string)) {
379             log("Could not write ident string to %s", get_remote_ipaddr());
380             fatal_cleanup();
381         }
382
383         /* Read other sides version identification. */
384         memset(buf, 0, sizeof(buf));
385         for (i = 0; i < sizeof(buf) - 1; i++) {
386             if (atomicio(read, sock_in, &buf[i], 1) != 1) {
387                 log("Did not receive identification string from %s",
388                     get_remote_ipaddr());
389                 fatal_cleanup();
390             }
391             if (buf[i] == '\r') {
392                 buf[i] = 0;
393                 /* Kludge for F-Secure Macintosh < 1.0.2 */
394                 if (i == 12 &&
395                     strncmp(buf, "SSH-1.5-W1.0", 12) == 0)
396                     break;
397                 continue;
398             }
399             if (buf[i] == '\n') {
400                 buf[i] = 0;
401                 break;
402             }
403         }
404         buf[sizeof(buf) - 1] = 0;
405         client_version_string = xstrdup(buf);
406     }
It looks to me that the sshd exits in line 380. So I have isolated the problem (I think).
I need server 2 to connect to server 3 and I don't have the luxury of just updating everything to the highest version.
Impact on other service is very big!!
The question now remains: HOW DO I SOLVE IT?
Anyone have some ideas?
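
Added example (not part of the original post and not OpenSSH code): a stand-alone C version of the quoted read loop, fed through a pipe, showing which inputs reach the branch that logs "Did not receive identification string from %s" (lines 386-389 of the listing). The names `read_ident`, `classify` and `ident_buf` are hypothetical and the banner strings are constructed samples.

```c
/* Added example, not OpenSSH code. Mirrors the quoted read loop
 * (the F-Secure kludge is left out). */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
enum { IDENT_OK, IDENT_NOT_RECEIVED, IDENT_SETUP_ERROR };
char ident_buf[256];    /* last identification string read */

/* Read one identification line from fd, one byte at a time. */
static int read_ident(int fd, char *buf, size_t len)
{
    size_t i;
    memset(buf, 0, len);
    for (i = 0; i < len - 1; i++) {
        /* EOF or error before '\n': the branch that logs
         * "Did not receive identification string from %s". */
        if (read(fd, &buf[i], 1) != 1)
            return IDENT_NOT_RECEIVED;
        if (buf[i] == '\r') { buf[i] = 0; continue; }
        if (buf[i] == '\n') { buf[i] = 0; break; }
    }
    buf[len - 1] = 0;
    return IDENT_OK;
}

/* Constructed harness: push `data` through a pipe and close the writer,
 * i.e. a peer whose connection ends after sending exactly those bytes. */
int classify(const char *data)
{
    int p[2], rc;
    size_t n = strlen(data);
    if (pipe(p) != 0) return IDENT_SETUP_ERROR;
    if (n > 0 && write(p[1], data, n) != (ssize_t)n) {
        close(p[0]); close(p[1]);
        return IDENT_SETUP_ERROR;
    }
    close(p[1]);
    rc = read_ident(p[0], ident_buf, sizeof(ident_buf));
    close(p[0]);
    return rc;
}

int main(void)
{
    const char *cases[] = { "SSH-2.0-OpenSSH_3.7.1p2\r\n", "SSH-2.0-Open", "" };
    for (int i = 0; i < 3; i++)
        printf("case %d: %s\n", i, classify(cases[i]) == IDENT_OK ? ident_buf : "(not received)");
    return 0;
}
```

A connection that closes with no bytes, or with a banner that lacks the terminating newline, both end in the "not received" branch; only a newline-terminated line is accepted.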