Subject: Re: lib/32183: can't connect anymore with -current ssh/sshd on amd64
To: Christos Zoulas <christos@zoulas.com>
From: Nicolas Joly <njoly@pasteur.fr>
List: netbsd-bugs
Date: 11/28/2005 17:58:12

On Mon, Nov 28, 2005 at 11:29:49AM -0500, Christos Zoulas wrote:
> On Nov 28,  4:17pm, njoly@pasteur.fr (njoly@pasteur.fr) wrote:
> -- Subject: lib/32183: can't connect anymore with -current ssh/sshd on amd64
> 
> | >Number:         32183
> | >Category:       lib
> | >Synopsis:       can't connect anymore with -current ssh/sshd on amd64
> | >Confidential:   no
> | >Severity:       critical
> | >Priority:       high
> | >Responsible:    lib-bug-people
> | >State:          open
> | >Class:          sw-bug
> | >Submitter-Id:   net
> | >Arrival-Date:   Mon Nov 28 16:17:00 +0000 2005
> | >Originator:     Nicolas Joly
> | >Release:        NetBSD 3.99.12
> | >Organization:
> | Institut Pasteur, Paris.
> | >Environment:
> | System: NetBSD lanfeust.sis.pasteur.fr 3.99.12 NetBSD 3.99.12 (LANFEUST) #6: Mon Nov 28 15:35:05 CET 2005 njoly@lanfeust.sis.pasteur.fr:/local/src/NetBSD/obj/amd64/sys/arch/amd64/compile/LANFEUST amd64
> | Architecture: x86_64
> | Machine: amd64
> | >Description:
> | With recent openssl update, I can't connect from/to my NetBSD/amd64 box
> | anymore. All connections fail with the same message:
> | 
> | njoly@lanfeust [~]> ssh -v xxx.sis.pasteur.fr
> | OpenSSH_4.0 NetBSD_Secure_Shell-20050423, OpenSSL 0.9.8a 11 Oct 2005
> | debug1: Reading configuration data /home/njoly/.ssh/config
> | debug1: Reading configuration data /etc/ssh/ssh_config
> | debug1: Applying options for *
> | debug1: Connecting to xxx.sis.pasteur.fr [157.99.60.xxx] port 22.
> | debug1: Connection established.
> | debug1: identity file /home/njoly/.ssh/identity type -1
> | debug1: identity file /home/njoly/.ssh/id_rsa type 1
> | debug1: identity file /home/njoly/.ssh/id_dsa type -1
> | debug1: Remote protocol version 1.99, remote software version OpenSSH_3.8.1p1
> | debug1: match: OpenSSH_3.8.1p1 pat OpenSSH_3.*
> | debug1: Enabling compatibility mode for protocol 2.0
> | debug1: Local version string SSH-2.0-OpenSSH_4.0 NetBSD_Secure_Shell-20050423
> | debug1: SSH2_MSG_KEXINIT sent
> | debug1: SSH2_MSG_KEXINIT received
> | debug1: kex: server->client aes128-cbc hmac-md5 none
> | debug1: kex: client->server aes128-cbc hmac-md5 none
> | debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> | debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> | debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> | debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> | debug1: Host 'xxx.sis.pasteur.fr' is known and matches the RSA host key.
> | debug1: Found key in /home/njoly/.ssh/known_hosts:15
> | RSA_public_decrypt failed: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
> | debug1: ssh_rsa_verify: signature incorrect
> | key_verify failed for server_host_key
> | 
> | I checked that all `openssl speed' tests pass correctly ... It worked
> | perfectly before recent openssl update.
> | 
> | >How-To-Repeat:
> | Try to connect from or to a -current NetBSD/amd64 box using ssh.
> | >Fix:
> | Don't know.
> 
> Does make regress in /usr/src/lib/libcrypto pass?

Don't know. I just removed all obj, and started a fresh build.

Looks like my previous build (MKUPDATE=YES) has made some mistakes by
linking with 2 libcrypto versions at the same time ...

njoly@lanfeust [NetBSD/src]> ldd /usr/bin/ssh
/usr/bin/ssh:
        -lgssapi.5 => /usr/lib/libgssapi.so.5
        -lcrypt.0 => /usr/lib/libcrypt.so.0
        -lcrypto.2 => /usr/lib/libcrypto.so.2
        -lasn1.6 => /usr/lib/libasn1.so.6
        -lcom_err.4 => /usr/lib/libcom_err.so.4
        -lroken.12 => /usr/lib/libroken.so.12
        -lkrb5.20 => /usr/lib/libkrb5.so.20
        -lkafs.6 => /usr/lib/libkafs.so.6
        -ldes.7 => /usr/lib/libdes.so.7
        -lkrb.6 => /usr/lib/libkrb.so.6
        -lz.0 => /usr/lib/libz.so.0
        -lssh.2 => /usr/lib/libssh.so.2
        -lcrypto.3 => /usr/lib/libcrypto.so.3
        -lc.12 => /usr/lib/libc.so.12

njoly@lanfeust [NetBSD/src]> ll /lib/libcrypto* 
lrwxr-xr-x  1 root  wheel       16 Nov 28 15:55 /lib/libcrypto.so -> libcrypto.so.3.0
lrwxr-xr-x  1 root  wheel       16 Nov 23 16:18 /lib/libcrypto.so.2 -> libcrypto.so.2.2
-r--r--r--  1 root  wheel  1489335 Nov 21 11:17 /lib/libcrypto.so.2.2
lrwxr-xr-x  1 root  wheel       16 Nov 28 15:55 /lib/libcrypto.so.3 -> libcrypto.so.3.0
-r--r--r--  1 root  wheel  1768592 Nov 28 15:53 /lib/libcrypto.so.3.0

Will wait until it finishes and report.

-- 
Nicolas Joly

Biological Software and Databanks.
Institut Pasteur, Paris.