netbsd-bugs: Re: lib/32183: can't connect anymore with -current ssh/sshd on amd64

Subject: Re: lib/32183: can't connect anymore with -current ssh/sshd on amd64
To: None <lib-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: Nicolas Joly <njoly@pasteur.fr>
List: netbsd-bugs
Date: 11/28/2005 16:59:02
The following reply was made to PR lib/32183; it has been noted by GNATS.

From: Nicolas Joly <njoly@pasteur.fr>
To: Christos Zoulas <christos@zoulas.com>
Cc: gnats-bugs@NetBSD.org, lib-bug-people@NetBSD.org,
	gnats-admin@NetBSD.org, netbsd-bugs@NetBSD.org
Subject: Re: lib/32183: can't connect anymore with -current ssh/sshd on amd64
Date: Mon, 28 Nov 2005 17:58:12 +0100

 On Mon, Nov 28, 2005 at 11:29:49AM -0500, Christos Zoulas wrote:
 > On Nov 28,  4:17pm, njoly@pasteur.fr (njoly@pasteur.fr) wrote:
 > -- Subject: lib/32183: can't connect anymore with -current ssh/sshd on amd64
 > 
 > | >Number:         32183
 > | >Category:       lib
 > | >Synopsis:       can't connect anymore with -current ssh/sshd on amd64
 > | >Confidential:   no
 > | >Severity:       critical
 > | >Priority:       high
 > | >Responsible:    lib-bug-people
 > | >State:          open
 > | >Class:          sw-bug
 > | >Submitter-Id:   net
 > | >Arrival-Date:   Mon Nov 28 16:17:00 +0000 2005
 > | >Originator:     Nicolas Joly
 > | >Release:        NetBSD 3.99.12
 > | >Organization:
 > | Institut Pasteur, Paris.
 > | >Environment:
 > | System: NetBSD lanfeust.sis.pasteur.fr 3.99.12 NetBSD 3.99.12 (LANFEUST) #6: Mon Nov 28 15:35:05 CET 2005 njoly@lanfeust.sis.pasteur.fr:/local/src/NetBSD/obj/amd64/sys/arch/amd64/compile/LANFEUST amd64
 > | Architecture: x86_64
 > | Machine: amd64
 > | >Description:
 > | With recent openssl update, i can't connect from/to my NetBSD/amd64 box
 > | anymore. All connections fails with the same message:
 > | 
 > | njoly@lanfeust [~]> ssh -v xxx.sis.pasteur.fr
 > | OpenSSH_4.0 NetBSD_Secure_Shell-20050423, OpenSSL 0.9.8a 11 Oct 2005
 > | debug1: Reading configuration data /home/njoly/.ssh/config
 > | debug1: Reading configuration data /etc/ssh/ssh_config
 > | debug1: Applying options for *
 > | debug1: Connecting to xxx.sis.pasteur.fr [157.99.60.xxx] port 22.
 > | debug1: Connection established.
 > | debug1: identity file /home/njoly/.ssh/identity type -1
 > | debug1: identity file /home/njoly/.ssh/id_rsa type 1
 > | debug1: identity file /home/njoly/.ssh/id_dsa type -1
 > | debug1: Remote protocol version 1.99, remote software version OpenSSH_3.8.1p1
 > | debug1: match: OpenSSH_3.8.1p1 pat OpenSSH_3.*
 > | debug1: Enabling compatibility mode for protocol 2.0
 > | debug1: Local version string SSH-2.0-OpenSSH_4.0 NetBSD_Secure_Shell-20050423
 > | debug1: SSH2_MSG_KEXINIT sent
 > | debug1: SSH2_MSG_KEXINIT received
 > | debug1: kex: server->client aes128-cbc hmac-md5 none
 > | debug1: kex: client->server aes128-cbc hmac-md5 none
 > | debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
 > | debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
 > | debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
 > | debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
 > | debug1: Host 'xxx.sis.pasteur.fr' is known and matches the RSA host key.
 > | debug1: Found key in /home/njoly/.ssh/known_hosts:15
 > | RSA_public_decrypt failed: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
 > | debug1: ssh_rsa_verify: signature incorrect
 > | key_verify failed for server_host_key
 > | 
 > | I checked that all `openssl speed' tests pass correctly ... It worked
 > | perfectly before recent openssl update.
 > | 
 > | >How-To-Repeat:
 > | Try to connect from or to a -current NetBSD/amd64 box using ssh.
 > | >Fix:
 > | Don't know.
 > 
 > Does make regress in /usr/src/lib/libcrypto pass?
 
 Don't know. I just removed all obj, and started a fresh build.
 
 Looks like my previous build (MKUPDATE=YES) has made some mistakes by
 linking with 2 libcrypto versions at the same time ...
 
 njoly@lanfeust [NetBSD/src]> ldd /usr/bin/ssh
 /usr/bin/ssh:
         -lgssapi.5 => /usr/lib/libgssapi.so.5
         -lcrypt.0 => /usr/lib/libcrypt.so.0
         -lcrypto.2 => /usr/lib/libcrypto.so.2
         -lasn1.6 => /usr/lib/libasn1.so.6
         -lcom_err.4 => /usr/lib/libcom_err.so.4
         -lroken.12 => /usr/lib/libroken.so.12
         -lkrb5.20 => /usr/lib/libkrb5.so.20
         -lkafs.6 => /usr/lib/libkafs.so.6
         -ldes.7 => /usr/lib/libdes.so.7
         -lkrb.6 => /usr/lib/libkrb.so.6
         -lz.0 => /usr/lib/libz.so.0
         -lssh.2 => /usr/lib/libssh.so.2
         -lcrypto.3 => /usr/lib/libcrypto.so.3
         -lc.12 => /usr/lib/libc.so.12
 
 njoly@lanfeust [NetBSD/src]> ll /lib/libcrypto* 
 lrwxr-xr-x  1 root  wheel       16 Nov 28 15:55 /lib/libcrypto.so -> libcrypto.so.3.0
 lrwxr-xr-x  1 root  wheel       16 Nov 23 16:18 /lib/libcrypto.so.2 -> libcrypto.so.2.2
 -r--r--r--  1 root  wheel  1489335 Nov 21 11:17 /lib/libcrypto.so.2.2
 lrwxr-xr-x  1 root  wheel       16 Nov 28 15:55 /lib/libcrypto.so.3 -> libcrypto.so.3.0
 -r--r--r--  1 root  wheel  1768592 Nov 28 15:53 /lib/libcrypto.so.3.0
 
 Will wait until it finish and report.
 
 -- 
 Nicolas Joly
 
 Biological Software and Databanks.
 Institut Pasteur, Paris.