I have a strange unsolved unidirectional problem using ssh from Solaris to Fedora6:
I have 2 Solaris boxes (10u3) acting as separate NAT firewalls
+ SSH works flawlessly between them (over the Internet)
I have a couple of FC6 boxes (yum'ed up-to-date) behind the Solaris boxes
+ SSH works flawlessly between them; also with
 ++ interactive shell:  ssh -x fc6box
 ++ Xforwarding:        ssh -X -f fc6box xterm
 ++ as pipe:            scp; rsync; tar cf - .|ssh -x fc6box tar xvpf -; etc.
+ SSH works flawlessly from FC6 to Solaris; all sorts as above
+ Interactive works flawlessly from Solaris to FC6:
    solbox# ssh -x fc6box
- Xforwarding back to Solaris hangs (always!):
    solbox# ssh -X fc6box xterm
- pipe is unpredictable when set up from Solaris to FC6:
    solbox# rsync -aRHDv /whatever fc6box:/
 -- if less than a handful of files are out of sync it usually works; if more, then it hangs
 -- same with scp; tar cf - .|ssh -x fc6box tar xvpf -; etc.
I usually solve this by:
    solbox# ssh -x fc6box
    fc6box# ssh solbox tar cPf - ...|tar xvpPf -    #(or scp or rsync etc.)
- but it is annoying. Especially I need Xforwarding and
    "rsync -aRHDv -e 'ssh -x solbox ssh' /... internalfc6box:/"

Worth mentioning:
* All boxes have identical /etc/ssh/ssh*_config (rsync'ed; sol==fc6)
* The Solaris boxes have strict ipf-filtering on the Internet side and liberal filtering on the inside.
  I don't think there is a firewall problem, as interactive ssh -x works flawlessly in all combinations, so 22/tcp obviously does work and pass statefully.
  Nor do I think there is a localhost/loopback port-forwarding problem as fc6->any and sol->sol work flawlessly.
* The FC6 boxes have an empty iptables ruleset (iptables -L). They have tcpwrapper:
    ==> /etc/hosts.allow <==
    ALL: 127.0.0.1 ...
    ==> /etc/hosts.deny <==
    ALL: ALL
* The problem started in December 2006 after a patch-update (both platforms before I discovered the problem).
  First I thought it might be a bug that would be fixed by the next update, but it wasn't. (Everything was fine till that.)
* I used default ssh & sshd on both.
  To try to fix the problem I compiled and switched to the latest & greatest openssl (openssl-0.9.8e) and openssh (openssh-4.6p1) (client & server). It did not solve the problem.
* I've tried ssh -vvX:

solbox# ssh -vvX fc6box
OpenSSH_4.6p1, OpenSSL 0.9.8e 23 Feb 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to fc6box [RFC1918] port 22.
debug2: fd 4 setting O_NONBLOCK
debug1: fd 4 clearing O_NONBLOCK
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /.ssh/identity type -1
debug1: identity file /.ssh/id_rsa type -1
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.6
debug1: match: OpenSSH_4.6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.6
debug2: fd 4 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: blowfish-cbc,aes128-ctr,aes128-cbc,arcfour,3des-cbc
debug2: kex_parse_kexinit: blowfish-cbc,aes128-ctr,aes128-cbc,arcfour,3des-cbc
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[EMAIL PROTECTED],zlib
debug2: kex_parse_kexinit: none,[EMAIL PROTECTED],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[EMAIL PROTECTED]
debug2: kex_parse_kexinit: none,[EMAIL PROTECTED]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client blowfish-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server blowfish-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 123/256
debug2: bits set: 531/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'fc6box' is known and matches the RSA host key.
debug1: Found key in /.ssh/known_hosts:23
debug2: bits set: 497/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /.ssh/identity (0)
debug2: key: /.ssh/id_rsa (0)
debug2: key: /.ssh/id_dsa (80af8b8)
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /.ssh/identity
debug1: Trying private key: /.ssh/id_rsa
debug1: Offering public key: /.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-dss blen 817
debug2: input_userauth_pk_ok: fp 6f:b7:c5:e0:3a:44:9b:5c:a9:6c:dd:12:cb:01:ad:b7
debug1: read PEM private key done: type DSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Entering interactive session.
debug2: callback start
debug2: x11_get_proto: /usr/openwin/bin/xauth list unix:10.0 2>/dev/null
debug1: Requesting X11 forwarding with authentication spoofing.
debug2: channel 0: request x11-req confirm 0
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 0
debug2: channel 0: request shell confirm 0
debug2: fd 4 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 131072
Last login: Wed May 23 12:00:32 2007 from solbox
debug1: client_input_channel_open: ctype x11 rchan 3 win 65536 max 16384
debug1: client_request_x11: request from 127.0.0.1 45601
debug2: fd 8 setting TCP_NODELAY
debug2: fd 8 setting O_NONBLOCK
debug1: channel 1: new [x11]
debug1: confirm x11
##################################
###### HANGS 10MINUTES HERE ######
##################################
debug1: channel 0: free: client-session, nchannels 2
debug1: channel 1: free: x11, nchannels 1
Read from remote host fc6box: Connection timed out
Connection to fc6box closed.
debug1: Transferred: stdin 0, stdout 0, stderr 110 bytes in 541.0 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.2
debug1: Exit status -1
Exit 255
solbox#

* I'm not sure whether this is a server-side (FC6) or client-side (Sol10u3) problem.
  - Nor 100% sure whether this is (or isn't) a problem in openssh, openssl, libX*, tcpwrapper, iptables, ip_filter, tcp-stack, kernel/dev, OS/lib or what.
  - Nothing remarkable is logged (AFAIK).
  -- ANY CLUE??
* /etc/ssh is symlinked to ../local/etc/ssh (i.e. /local/etc/ssh)
* I've tried different Ciphers (same result)
* Here is my config: (no big secrets here:)

anybox# head -100 /etc/ssh/ssh*_config
==> /etc/ssh/ssh_config <==
Protocol 2,1
Ciphers blowfish-cbc,aes128-ctr,aes128-cbc,arcfour,3des-cbc
ForwardAgent no
ForwardX11 no
ForwardX11Trusted yes
KeepAlive yes
ServerAliveCountMax 3
ServerAliveInterval 300
TCPKeepAlive yes
ConnectTimeout 30

==> /etc/ssh/sshd_config <==
Port 22
Protocol 2
UsePrivilegeSeparation no
ListenAddress 0.0.0.0
HostKey /local/etc/ssh/ssh_host_key
HostKey /local/etc/ssh/ssh_host_rsa_key
HostKey /local/etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin yes
AllowGroups ssh
IgnoreRhosts yes
StrictModes yes
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
PrintMotd yes
KeepAlive yes
TCPKeepAlive yes
SyslogFacility AUTH
LogLevel INFO
PubkeyAuthentication yes
RhostsRSAAuthentication no
RSAAuthentication no
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
Subsystem sftp /local/libexec/sftp-server

-- 
Regards Pål Baltzersen
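The post's symptom pattern (interactive sessions and small rsync runs succeed, larger transfers and X11 forwarding stall) has a size dimension that the debug output above cannot show. The script below is an added diagnostic, not something from the original post or from OpenSSH: it pushes a growing random payload through a transport command that echoes stdin back and reports the first size at which nothing returns within a deadline. The transport is assumed to be something like `ssh -x fc6box cat` (fc6box is the host name used in the post; `cat` on the remote side is an assumption that any echo-back command would do); the default transport `cat` is a loopback dry run that never leaves the machine.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): find the payload size at which a
# piped ssh transfer stops coming back. TRANSPORT must echo stdin to stdout,
# e.g. "ssh -x fc6box cat"; the default "cat" is a loopback dry run.

# probe_size BYTES [TRANSPORT] [TIMEOUT]
# Prints "ok", "short:<n>" or "hang" and returns 0, 2 or 1 respectively.
probe_size() {
    n=$1; cmd=${2:-cat}; secs=${3:-10}
    tmp=$(mktemp) || return 3
    # Random bytes so that compression, if ever enabled, cannot shrink the payload.
    # wc writes its count only after the pipeline has drained, so a non-empty
    # $tmp is the completion signal. All other output goes to /dev/null so a
    # stuck child cannot hold our stdout open after we give up on it.
    ( dd if=/dev/urandom bs="$n" count=1 2>/dev/null \
        | sh -c "exec $cmd" | wc -c > "$tmp" ) >/dev/null 2>&1 &
    pid=$!
    i=0
    while [ ! -s "$tmp" ] && [ "$i" -lt "$secs" ]; do
        sleep 1; i=$((i + 1))
    done
    if [ ! -s "$tmp" ]; then
        # Nothing came back within the deadline: tear the pipeline down.
        { command -v pkill >/dev/null 2>&1 && pkill -P "$pid" 2>/dev/null; } || true
        kill "$pid" 2>/dev/null || true
        wait "$pid" 2>/dev/null || true
        rm -f "$tmp"
        echo hang; return 1
    fi
    wait "$pid" 2>/dev/null || true
    got=$(tr -d ' ' < "$tmp"); rm -f "$tmp"
    if [ "${got:-0}" -eq "$n" ]; then echo ok; return 0; fi
    echo "short:$got"; return 2
}

# find_threshold [TRANSPORT] [MAX_BYTES] [TIMEOUT]
# Doubles the payload from 512 bytes upward and prints the largest size that
# still came back intact (0 if even 512 bytes failed). Progress goes to stderr.
find_threshold() {
    cmd=${1:-cat}; max=${2:-4194304}; secs=${3:-10}
    size=512; last_ok=0
    while [ "$size" -le "$max" ]; do
        r=$(probe_size "$size" "$cmd" "$secs") || true
        echo "$size bytes: $r" >&2
        case $r in
            ok) last_ok=$size ;;
            *)  echo "$last_ok"; return 0 ;;   # first failing size reached
        esac
        size=$((size * 2))
    done
    echo "$last_ok"
}

# Usage: sh probe_ssh_pipe.sh "ssh -x fc6box cat" 4194304 15
if [ "$#" -gt 0 ]; then
    find_threshold "$@"
fi
```

Run it from solbox towards fc6box and then in the reverse direction (the direction that works in the post); a threshold that appears in only one direction, and that sits near a packet-size or window-size boundary, is the kind of number worth taking to the firewall and TCP-stack side of the question, while a transfer that fails at every size points back at ssh itself.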
