LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   AIX (https://www.linuxquestions.org/questions/aix-43/)
-   -   AIX 7.1 ssh connection problem (https://www.linuxquestions.org/questions/aix-43/aix-7-1-ssh-connection-problem-4175449918/)

LinuxLover 02-12-2013 11:10 PM

AIX 7.1 ssh connection problem
 
Hi,
We were using AIX 5.3 on Power Servers. Now we installed few machines with AIX 7.1. On which we are facing that most of the ssh client (like RHEL 5 ssh client, secure shell client) are unable to login to AIX 7.1 box via ssh whereas putty client is able to login on same AIX 7.1 hosts.

Below is the debuging log from a RHEL 5 client ssh machine to AIX 7.1 server.

[kmumtaz]$ ssh -vvv 10.1.X.100
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 10.1.X.X [10.1.X.X] port 22.
debug1: Connection established.
debug1: identity file /home/kmumtaz/.ssh/identity type -1
debug1: identity file /home/kmumtaz/.ssh/id_rsa type -1
debug1: identity file /home/kmumtaz/.ssh/id_dsa type -1
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0
debug1: match: OpenSSH_6.0 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 120/256
debug2: bits set: 528/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
Connection closed by 10.1.X.100


Any Idea how to resolve the isse

linosaurusroot 02-13-2013 12:42 AM

Does this help? http://www.held.org.il/blog/2011/05/...reset-by-peer/

LinuxLover 02-13-2013 05:54 AM

After enabling auth.debug in AIX 7.1 syslog.conf file getting below error in log file while user try to connect from ssh cleint

Feb 13 13:27:15 node1 auth|security:crit sshd15204500: fatal: cipher_init: EVP_CipherInit: set key failed for aes128-cbc preauth

gpratt3151 04-18-2013 01:23 PM

Possible Solution
 
We have experienced the same problem. After much research it appears the cypher length is too big which causes the connection to die before proceeding further. You can test this theory by executing the following:
ssh -c aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, <HOSTNAME>

To permanently resolve, you should update the version of openssh client on your Linux host.

Good luck!

LinuxLover 04-22-2013 12:10 AM

Hi gpratt3151,

I forgot to update on this forum. I was able to resolve the problem after changing the cipher in client list.By default client was using archfour , after changing it to some other like blowfish etc now client are able to connect quite nicely. It seem that in AIX 7.1 they have tighten the rope towards security and weakness.


All times are GMT -5. The time now is 02:00 AM.