Updated Openssh from 6.6.1p1 to 7.4p1 and connection problems

loki28
Posts: 18
Joined: 2016/02/25 15:12:04

Updated Openssh from 6.6.1p1 to 7.4p1 and connection problems

Post by loki28 » 2019/11/20 21:44:10

After the update, PCs with Esker Tun 2016 can't connect, but others using PuTTY or Anzio can.

From sshd -T the ciphers are:

ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc

and on TUN the ciphers are:

aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se

I get the login popup and enter credentials but just get a black screen.

Not sure what else to check.

Thanks,
Scott

Errosion
Posts: 43
Joined: 2014/12/03 19:58:02

Re: Updated Openssh from 6.6.1p1 to 7.4p1 and connection problems

Post by Errosion » 2019/11/20 22:39:00

If you are getting to a login prompt then it's not an issue with the ciphers being supported. You won't get that far if there isn't a common cipher.

Sounds to me like there might be something quirky in the profiling of what TUN is doing compared to the other tools.

Perhaps there is some level of debug there to see where it is hanging?
Any errors on the server side that might indicate an issue?

loki28
Posts: 18
Joined: 2016/02/25 15:12:04

Re: Updated Openssh from 6.6.1p1 to 7.4p1 and connection problems

Post by loki28 » 2019/11/20 23:02:31

This is what I see in the secure log after trying to connect:

Nov 20 17:59:50 hostess sshd[15355]: Accepted password for root from 192.168.5.120 port 61950 ssh2
Nov 20 17:59:51 hostess sshd[15355]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov 20 17:59:51 hostess sshd[15355]: error: Received disconnect from 192.168.5.120 port 61950:2: Protocol error waiting for channel open confirmation.
Nov 20 17:59:51 hostess sshd[15355]: Disconnected from 192.168.5.120 port 61950
Nov 20 17:59:51 hostess sshd[15355]: pam_unix(sshd:session): session closed for user root

Errosion
Posts: 43
Joined: 2014/12/03 19:58:02

Re: Updated Openssh from 6.6.1p1 to 7.4p1 and connection problems

Post by Errosion » 2019/11/20 23:28:25

loki28 wrote:
2019/11/20 23:02:31
Nov 20 17:59:51 hostess sshd[15355]: error: Received disconnect from 192.168.5.120 port 61950:2: Protocol error waiting for channel open confirmation.

Well. Now you need to figure out what Esker is doing that the updated ssh doesn't like.

Or downgrade back to the older version of ssh.
Or upgrade to a newer version of Esker.

But that error says to me the server ssh instance is expecting a channel open confirmation and Esker is either not sending it, sending it in a different manner, or sending something else before sending the confirmation. It's possible the older instance of ssh might not have been as critical of that portion of the ssh handshake compared to the upgraded version of ssh.
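
Added illustration, not part of any post in this thread: the Python sketch below applies the SSH negotiation rule (the first cipher on the client's list that the server also lists is chosen) to the two cipher lists posted above, and groups the posted secure-log lines by sshd PID to show at which stage the session failed. The function names are hypothetical, and the last log line (PID 15400, address 192.168.5.121) is constructed to show what a real cipher mismatch looks like in the log.

```python
import re
from collections import defaultdict

# Cipher lists as posted in the thread (sshd -T output and the TUN client list).
SERVER = ("chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,"
          "aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,"
          "aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc").split(",")
CLIENT = ("aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,"
          "aes256-cbc,rijndael-cbc@lysator.liu.se").split(",")

def negotiate(client, server):
    """RFC 4253 sec. 7.1: first client algorithm that the server also lists."""
    return next((alg for alg in client if alg in server), None)

# Posted session (PID 15355) plus one constructed line (PID 15400) for contrast.
LOG = """\
Nov 20 17:59:50 hostess sshd[15355]: Accepted password for root from 192.168.5.120 port 61950 ssh2
Nov 20 17:59:51 hostess sshd[15355]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov 20 17:59:51 hostess sshd[15355]: error: Received disconnect from 192.168.5.120 port 61950:2: Protocol error waiting for channel open confirmation.
Nov 20 17:59:51 hostess sshd[15355]: Disconnected from 192.168.5.120 port 61950
Nov 20 18:05:12 hostess sshd[15400]: Unable to negotiate with 192.168.5.121 port 50022: no matching cipher found. Their offer: arcfour [preauth]
"""

LINE = re.compile(r"sshd\[(\d+)\]: (.*)")

def classify(log):
    """Group sshd messages by PID and label the stage at which each session ended."""
    sessions = defaultdict(list)
    for line in log.splitlines():
        m = LINE.search(line)
        if m:
            sessions[m.group(1)].append(m.group(2))
    result = {}
    for pid, msgs in sessions.items():
        text = "\n".join(msgs)
        if "Unable to negotiate" in text:
            result[pid] = "pre-auth: algorithm negotiation failed"
        elif "Accepted " in text and "Received disconnect" in text:
            result[pid] = "post-auth: client sent disconnect"
        elif "Accepted " in text:
            result[pid] = "authenticated"
        else:
            result[pid] = "other"
    return result

if __name__ == "__main__":
    print("negotiated cipher:", negotiate(CLIENT, SERVER))
    for pid, verdict in classify(LOG).items():
        print(pid, verdict)
```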

loki28
Posts: 18
Joined: 2016/02/25 15:12:04

Re: Updated Openssh from 6.6.1p1 to 7.4p1 and connection problems

Post by loki28 » 2019/11/20 23:34:59

I did try to downgrade with the commands below, but it didn't work.

[root@hostess log]# yum downgrade openssh
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: centos.mirror.ca.planethoster.net
* extras: centos.mirror.ca.planethoster.net
* updates: centos.mirror.ca.planethoster.net
Nothing to do

and

[root@hostess log]# yum history
Loaded plugins: fastestmirror, langpacks
ID | Login user | Date and time | Action(s) | Altered
-------------------------------------------------------------------------------
19 | root <root> | 2019-11-20 12:45 | Update | 5

[root@hostess log]# yum history undo 19
Loaded plugins: fastestmirror, langpacks
Undoing transaction 19, from Wed Nov 20 12:45:04 2019
Updated openssh-6.6.1p1-25.el7_2.x86_64 @anaconda
Update 7.4p1-21.el7.x86_64 @base
Updated openssh-clients-6.6.1p1-25.el7_2.x86_64 @anaconda
Update 7.4p1-21.el7.x86_64 @base
Updated openssh-server-6.6.1p1-25.el7_2.x86_64 @anaconda
Update 7.4p1-21.el7.x86_64 @base
Updated openssl-1:1.0.1e-51.el7_2.7.x86_64 @anaconda
Update 1:1.0.2k-19.el7.x86_64 @base
Updated openssl-libs-1:1.0.1e-51.el7_2.7.x86_64 @anaconda
Update 1:1.0.2k-19.el7.x86_64 @base
Loading mirror speeds from cached hostfile
* base: centos.mirror.ca.planethoster.net
* extras: centos.mirror.ca.planethoster.net
* updates: centos.mirror.ca.planethoster.net
Failed to downgrade: openssh-6.6.1p1-25.el7_2.x86_64
Failed to downgrade: openssh-clients-6.6.1p1-25.el7_2.x86_64
Failed to downgrade: openssh-server-6.6.1p1-25.el7_2.x86_64
Failed to downgrade: 1:openssl-1.0.1e-51.el7_2.7.x86_64
Failed to downgrade: 1:openssl-libs-1.0.1e-51.el7_2.7.x86_64
history undo

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Updated Openssh from 6.6.1p1 to 7.4p1 and connection problems

Post by TrevorH » 2019/11/21 00:24:02

I'd concentrate on fixing the thing that talks to it. Openssh 7.4 has been part of CentOS since 7.4 so you are way backlevel and missing loads of security fixes. Among those is the update to openssh 7.4 and that in turn has been updated several times and you will be backing out at least 2 CVE fixes.

- Fix for CVE-2018-15473 (#1619079)
- Fix for CVE-2017-15906 (#1517226)

There is a list of changes made in openssh 7.4 in the RHEL Release Notes for 7.4 when they introduced it. It details several changes made to remove insecure algorithms and protocols, among them all of protocol 1. Check there. Some of those things were just changed from enabled-by-default to disabled and can still be overridden.

loki28
Posts: 18
Joined: 2016/02/25 15:12:04

Re: Updated Openssh from 6.6.1p1 to 7.4p1 and connection problems

Post by loki28 » 2019/11/21 17:43:21

I contacted Esker and they have a patch that I had to install.

Thanks for your help.
Scott
