There was a big SSH vulnerability that Debian patched for stable and I
believe that they patched for testing and unstable.

I would suggest that you read about the vulnerability to see what features
they might have turned off.

Jeff Rasmussen

-----Original Message-----
From: Callum Lerwick [mailto:seg at haxxed.com]
Sent: Tuesday, September 23, 2003 6:08 PM
To: tclug-list at mn-linux.org
Subject: [TCLUG] Total system breakage


Okay, last night two of my boxes, both running Debian testing, went down
in an interesting manner. They've stopped authenticating remotely. I can
log in on console, but I can't ssh nor FTP in. (Running proftp) Email
seems to work though, one's running wu-imap and the other courier-imap.

The only thing significant I've done is doing an apt-get update
yesterday on one, and a few days ago on another. Trying to update it now
doesn't find anything new.

Am I the only one getting this? It would seem to point at PAM, I'm not
getting anything in the logs, nor is sshd -ddd telling me anything's
wrong. It just hangs. Probably a package broke in testing, but I'm
concerned I got nailed by some worm. ;P

It's a pain in the ass to work on because I have to stand around in the
living room for one box, and the other is 100 miles away. :P I'll have
to try reverting packages to woody versions by hand or something.

This is what I get with -vvv, though after a while it seems to start
just refusing connections, though sshd hasn't crashed or complained
about anything.

$ ssh -vvv marvin
OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090701f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to marvin [192.168.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/seg/.ssh/identity type -1
debug1: identity file /home/seg/.ssh/id_rsa type -1
debug1: identity file /home/seg/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p2 Debian 1:3.6.1p2-3
debug1: match: OpenSSH_3.6.1p2 Debian 1:3.6.1p2-3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.5p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 129/256
debug1: bits set: 1618/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/seg/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug3: check_host_in_hostfile: filename /home/seg/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host 'marvin' is known and matches the RSA host key.
debug1: Found key in /home/seg/.ssh/known_hosts:1
debug1: bits set: 1629/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT

It just hangs forever here.