SSH incompatibility with Amazon OpsWorks [5]

Saturday, May 24, 2014 3:35 AM - Joe

Hi there,

I cannot log in to a newly created OpsWorks VM with XShell; I could log in with PuTTY though.

This is an Ubuntu VM. In the auth log I can see this:
May 23 13:43:44 java-app1 sshd[4949]: error: bad sig size 32 32
May 23 13:43:44 java-app1 sshd[4949]: fatal: mm_answer_sign: key_sign failed
May 23 13:44:30 java-app1 sshd[4967]: error: bad sig size 32 32
May 23 13:44:30 java-app1 sshd[4967]: fatal: mm_answer_sign: key_sign failed
May 23 13:44:42 java-app1 sshd[4969]: error: bad sig size 32 32
May 23 13:44:42 java-app1 sshd[4969]: fatal: mm_answer_sign: key_sign failed


With trace and log enabled in XShell I can see this in the log:
Connecting to xxx.xxx.xxx.xxx:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+G'.
[12:34:07] Version exchange initiated...
[12:34:07] server: SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.4
[12:34:07] client: SSH-2.0-nsssh2_4.0.0031 NetSarang Computer, Inc.
[12:34:07] SSH2 is selected.
[12:34:07] Algorithm negotiation initiated...
[12:34:07] key exchange: diffie-hellman-group14-sha1
[12:34:07] host key: ssh-dss
[12:34:07] outgoing encryption: aes128-cbc
[12:34:07] incoming encryption: aes128-cbc
[12:34:07] outgoing mac: hmac-sha1
[12:34:07] incoming mac: hmac-sha1
[12:34:07] outgoing compression: none
[12:34:07] incoming compression: none

Connection closed by foreign host.

Any hints?
Thanks!

Program Ver. : Xshell 4


Re: SSH incompatibility with Amazon OpsWorks

Saturday, May 24, 2014 3:36 AM - Joe

I have tested it with the new XShell beta 5, same result.


Re: SSH incompatibility with Amazon OpsWorks

Saturday, May 24, 2014 4:21 AM - Joe

Log from auth.log with sshd running LogLevel DEBUG3:


May 24 11:17:03 java-app1 sshd[32321]: debug3: fd 5 is not O_NONBLOCK
May 24 11:17:03 java-app1 sshd[32321]: debug1: Forked child 32362.
May 24 11:17:03 java-app1 sshd[32321]: debug3: send_rexec_state: entering fd = 8 config len 710
May 24 11:17:03 java-app1 sshd[32321]: debug3: ssh_msg_send: type 0
May 24 11:17:03 java-app1 sshd[32321]: debug3: send_rexec_state: done
May 24 11:17:03 java-app1 sshd[32362]: debug3: oom_adjust_restore
May 24 11:17:03 java-app1 sshd[32362]: Set /proc/self/oom_score_adj to 0
May 24 11:17:03 java-app1 sshd[32362]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
May 24 11:17:03 java-app1 sshd[32362]: debug1: inetd sockets after dupping: 3, 3
May 24 11:17:03 java-app1 sshd[32362]: Connection from XXX.XXX.XXX.XXX port 63763
May 24 11:17:03 java-app1 sshd[32362]: debug1: Client protocol version 2.0; client software version nsssh2_4.0.0031 NetSarang Computer, Inc.
May 24 11:17:03 java-app1 sshd[32362]: debug1: no match: nsssh2_4.0.0031 NetSarang Computer, Inc.
May 24 11:17:03 java-app1 sshd[32362]: debug1: Enabling compatibility mode for protocol 2.0
May 24 11:17:03 java-app1 sshd[32362]: debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.4
May 24 11:17:03 java-app1 sshd[32362]: debug2: fd 3 setting O_NONBLOCK
May 24 11:17:03 java-app1 sshd[32362]: debug2: Network child is on pid 32363
May 24 11:17:03 java-app1 sshd[32362]: debug3: preauth child monitor started
May 24 11:17:03 java-app1 sshd[32362]: debug3: privsep user:group 105:65534 [preauth]
May 24 11:17:03 java-app1 sshd[32362]: debug1: permanently_set_uid: 105/65534 [preauth]
May 24 11:17:03 java-app1 sshd[32362]: debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256 [preauth]
May 24 11:17:03 java-app1 sshd[32362]: debug1: SSH2_MSG_KEXINIT sent [preauth]
May 24 11:17:04 java-app1 sshd[32362]: debug1: SSH2_MSG_KEXINIT received [preauth]
May 24 11:17:04 java-app1 sshd[32362]: debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
May 24 11:17:04 java-app1 sshd[32362]: debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256 [preauth]
May 24 11:17:04 java-app1 sshd[32362]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se [preauth]
May 24 11:17:04 java-app1 sshd[32362]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se [preauth]
May 24 11:17:04 java-app1 sshd[32362]: debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
May 24 11:17:04 java-app1 sshd[32362]: debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
May 24 11:17:04 java-app1 sshd[32362]: debug2: kex_parse_kexinit: none,zlib@openssh.com [preauth]
May 24 11:17:04 java-app1 sshd[32362]: debug2: kex_parse_kexinit: none,zlib@openssh.com [preauth]
May 24 11:17:04 java-app1 sshd[32362]: debug2: kex_parse_kexinit: [preauth]
May 24 11:17:04 java-app1 sshd[32362]: debug2: kex_parse_kexinit: [preauth]
May 24 11:17:04 java-app1 sshd[32362]: debug2: kex_parse_kexinit: first_kex_follows 0 [preauth]
May 24 11:17:04 java-app1 sshd[32362]: debug2: kex_parse_kexinit: reserved 0 [preauth]
May 24 11:17:04 java-app1 sshd[32362]: debug2: kex_parse_kexinit: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1 [preauth]
May 24 11:17:04 java-app1 sshd[32362]: debug2: kex_parse_kexinit: ssh-dss,ssh-rsa [preauth]
May 24 11:17:04 java-app1 sshd[32362]: debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se [preauth]
May 24 11:17:04 java-app1 sshd[32362]: debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se [preauth]
May 24 11:17:04 java-app1 sshd[32362]: debug2: kex_parse_kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-ripemd160@openssh.com,none [preauth]
May 24 11:17:04 java-app1 sshd[32362]: debug2: kex_parse_kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-ripemd160@openssh.com,none [preauth]
May 24 11:17:04 java-app1 sshd[32362]: debug2: kex_parse_kexinit: none [preauth]
May 24 11:17:04 java-app1 sshd[32362]: debug2: kex_parse_kexinit: none [preauth]
May 24 11:17:04 java-app1 sshd[32362]: debug2: kex_parse_kexinit: [preauth]
May 24 11:17:04 java-app1 sshd[32362]: debug2: kex_parse_kexinit: [preauth]
May 24 11:17:04 java-app1 sshd[32362]: debug2: kex_parse_kexinit: first_kex_follows 0 [preauth]
May 24 11:17:04 java-app1 sshd[32362]: debug2: kex_parse_kexinit: reserved 0 [preauth]
May 24 11:17:04 java-app1 sshd[32362]: debug2: mac_setup: found hmac-sha1 [preauth]
May 24 11:17:04 java-app1 sshd[32362]: debug1: kex: client->server aes128-cbc hmac-sha1 none [preauth]
May 24 11:17:04 java-app1 sshd[32362]: debug2: mac_setup: found hmac-sha1 [preauth]
May 24 11:17:04 java-app1 sshd[32362]: debug1: kex: server->client aes128-cbc hmac-sha1 none [preauth]
May 24 11:17:04 java-app1 sshd[32362]: debug2: dh_gen_key: priv key bits set: 159/320 [preauth]
May 24 11:17:04 java-app1 sshd[32362]: debug2: bits set: 1055/2048 [preauth]
May 24 11:17:04 java-app1 sshd[32362]: debug1: expecting SSH2_MSG_KEXDH_INIT [preauth]
May 24 11:17:04 java-app1 sshd[32362]: debug2: bits set: 1031/2048 [preauth]
May 24 11:17:04 java-app1 sshd[32362]: debug3: mm_key_sign entering [preauth]
May 24 11:17:04 java-app1 sshd[32362]: debug3: mm_request_send entering: type 5 [preauth]
May 24 11:17:04 java-app1 sshd[32362]: debug3: mm_request_receive entering
May 24 11:17:04 java-app1 sshd[32362]: debug3: monitor_read: checking request 5
May 24 11:17:04 java-app1 sshd[32362]: debug3: mm_answer_sign
May 24 11:17:04 java-app1 sshd[32362]: error: bad sig size 32 32
May 24 11:17:04 java-app1 sshd[32362]: fatal: mm_answer_sign: key_sign failed
May 24 11:17:04 java-app1 sshd[32362]: debug1: do_cleanup
May 24 11:17:04 java-app1 sshd[32362]: debug3: PAM: sshpam_thread_cleanup entering
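
Added example, not part of the original thread: a small Python parser that reads the two `kex_parse_kexinit` proposals from sshd debug output like the log above and applies the client-preference selection rule (simplified from RFC 4253), showing how `ssh-dss` becomes the host key algorithm just before `key_sign` fails. The name-lists are a constructed sample shortened from the log, the function names are hypothetical, and the code assumes sshd logs its own proposal before the client's, as the log above does.

```python
import re

# Name-list order inside SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
KEXINIT = re.compile(r"kex_parse_kexinit:\s*(.*?)\s*(?:\[preauth\])?\s*$")

def parse_proposals(log_text):
    """Return (server, client) dicts of name-lists from sshd debug2 output.
    Assumption: the first ten lists are sshd's own, the next ten the client's."""
    lists = []
    for line in log_text.splitlines():
        m = KEXINIT.search(line)
        if m and not m.group(1).startswith(("first_kex_follows", "reserved")):
            lists.append([name for name in m.group(1).split(",") if name])
    if len(lists) != 2 * len(FIELDS):
        raise ValueError(f"expected 20 name-lists, found {len(lists)}")
    return dict(zip(FIELDS, lists[:10])), dict(zip(FIELDS, lists[10:]))

def negotiate(server, client):
    """Pick, per field, the first name on the client's list the server also offers."""
    return {f: next((n for n in client[f] if n in server[f]), None)
            for f in FIELDS[:8]}  # language lists are empty and not negotiated

PFX = "May 24 11:17:04 java-app1 sshd[32362]: debug2: kex_parse_kexinit: "

def as_log(lists):
    """Render name-lists as sshd-style log lines (used only to build the sample)."""
    tail = ["first_kex_follows 0", "reserved 0"]
    return "\n".join(f"{PFX}{item} [preauth]" for item in lists + tail)

# Constructed sample: lists shortened from the DEBUG3 log in the thread.
SERVER = ["ecdh-sha2-nistp256,diffie-hellman-group14-sha1",
          "ssh-rsa,ssh-dss,ecdsa-sha2-nistp256",
          "aes128-ctr,aes128-cbc", "aes128-ctr,aes128-cbc",
          "hmac-md5,hmac-sha1,hmac-sha2-256", "hmac-md5,hmac-sha1,hmac-sha2-256",
          "none,zlib@openssh.com", "none,zlib@openssh.com", "", ""]
CLIENT = ["diffie-hellman-group14-sha1,diffie-hellman-group1-sha1",
          "ssh-dss,ssh-rsa", "aes128-cbc,3des-cbc", "aes128-cbc,3des-cbc",
          "hmac-sha1,hmac-md5", "hmac-sha1,hmac-md5", "none", "none", "", ""]
SAMPLE_LOG = as_log(SERVER) + "\n" + as_log(CLIENT)

if __name__ == "__main__":
    server, client = parse_proposals(SAMPLE_LOG)
    for field, name in negotiate(server, client).items():
        print(f"{field:9} {name}")
```

The result matches the algorithms XShell reported in its own trace (host key `ssh-dss`, `aes128-cbc`, `hmac-sha1`), so the same script can be pointed at a real auth.log excerpt to see which proposal order produced a given selection.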



Re: SSH incompatibility with Amazon OpsWorks

Saturday, May 31, 2014 11:17 AM - Joe

Any answer on this, please?


Re: SSH incompatibility with Amazon OpsWorks

Monday, June 2, 2014 3:04 AM - Support

The SSH server log shows:

May 24 11:17:04 java-app1 sshd[32362]: error: bad sig size 32 32


This error occurs due to the size limit of sig parts.

Will you try updating to the latest Xshell 5 beta and then selecting hmac-sha2-256 from the <MAC list> settings (session properties > Security > Mac (Message Authentication Protocol))?


---
Technical Support


Re: SSH incompatibility with Amazon OpsWorks

Saturday, June 7, 2014 2:54 AM - Joe

Great, thanks, I could log in with the latest Xshell 5 beta.
I didn't have to change anything in the configuration.

