RE: OpenSSH_3.5p1 server, PC clients cannot connect

From: Greg Paik (gpaik@smithandhawken.com)
Date: 02/20/03

    From: Greg Paik <gpaik@smithandhawken.com>
    To: "'John Mendenhall'" <john@surfutopia.net>, secureshell@securityfocus.com
    Date: Thu, 20 Feb 2003 10:56:34 -0800
    
    

    Did you upgrade from a previous version of OpenSSH on the server in
    question? If you did, you probably just changed the host key. That would
    explain the "Failed SSH Key Exchange" error. Just delete the entry for the
    server in the known_hosts file for each of the clients.

    Also, have you checked the logs on the server side? Or run sshd in debug
    mode? The first may not have any useful information without running sshd in
    debug, but you never know...

    Otherwise, are you able to sftp to the server from a UNIX/Linux host and run
    sftp with the "-vvv" options for verbose output?

    Greg

    P.S.- What the heck are you doing running SunOS 4.1.4?!?

    -----Original Message-----
    From: John Mendenhall [mailto:john@surfutopia.net]
    Sent: Wednesday, February 19, 2003 4:20 PM
    To: secureshell@securityfocus.com
    Subject: OpenSSH_3.5p1 server, PC clients cannot connect

    I have set up an OpenSSH_3.5p1 ssh/sftp server on my
    SunOS 4.1.4 box. I can ssh to it just fine. The problem
    is SFTP from certain clients.

    I can SFTP to it using my OpenSSH_3.5p1 sftp client. I
    can SFTP to it from MacSFTP from MacSSH.org, version 1.0.5.
    However, I have several clients that cannot connect. I have
    had them try CuteFTP Pro v2, v3, WS_FTP Pro v7.62, PuTTY
    pSFTP. None are able to connect.

    WS_FTP Pro gives the error:

      Failed SSH Key Exchange

    PuTTY gives the error message:

      Fatal: unable to initialise SFTP: could not connect

    CuteFTP just seems to hang there.

    I have turned on DEBUG logging and they each appear to
    stop at different places.

    I did some searching and increased the Login time from 2 minutes
    to 5 minutes. No change. I turned off PrivSep. No apparent
    change. Compression is still on. I run the daemon with '-u0'
    to increase DNS lookup speed. I have included my config
    file below my signature.

    Does anyone have any idea what I could be doing wrong? I would
    really like this to work for my PC/Win clients. Please let me
    know if you need any additional information to diagnose these
    clients.

    Thank you very much in advance.

    JohnM

    -- 
    John Mendenhall
    john@surfutopia.net
    surf utopia
    internet services
    -----  sshd_config  -----
    #       $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $
    # This is the sshd server system-wide configuration file.  See
    # sshd_config(5) for more information.
    # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented.  Uncommented options change a
    # default value.
    #Port 22
    #Protocol 2,1
    Protocol 2
    #ListenAddress 0.0.0.0
    #ListenAddress ::
    # HostKey for protocol version 1
    HostKey /usr/local/etc/ssh_host_key
    # HostKeys for protocol version 2
    HostKey /usr/local/etc/ssh_host_rsa_key
    HostKey /usr/local/etc/ssh_host_dsa_key
    # Lifetime and size of ephemeral version 1 server key
    #KeyRegenerationInterval 3600
    #ServerKeyBits 768
    # Logging
    #obsoletes QuietMode and FascistLogging
    SyslogFacility AUTH
    #LogLevel INFO
    LogLevel DEBUG
    # Authentication:
    #LoginGraceTime 120
    LoginGraceTime 300
    #PermitRootLogin yes
    PermitRootLogin no
    #StrictModes yes
    #RSAAuthentication yes
    #RSAAuthentication no
    #PubkeyAuthentication yes
    #AuthorizedKeysFile     .ssh/authorized_keys
    # rhosts authentication should not be used
    #RhostsAuthentication no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    #IgnoreRhosts yes
    # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
    #RhostsRSAAuthentication no
    # similar for protocol version 2
    #HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # RhostsRSAAuthentication and HostbasedAuthentication
    #IgnoreUserKnownHosts no
    # To disable tunneled clear text passwords, change to no here!
    #PasswordAuthentication yes
    #PermitEmptyPasswords no
    # Change to no to disable s/key passwords
    #ChallengeResponseAuthentication yes
    # Kerberos options
    #KerberosAuthentication no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes
    #AFSTokenPassing no
    # Kerberos TGT Passing only works with the AFS kaserver
    #KerberosTgtPassing no
    # Set this to 'yes' to enable PAM keyboard-interactive authentication
    # Warning: enabling this may bypass the setting of 'PasswordAuthentication'
    #PAMAuthenticationViaKbdInt no
    #X11Forwarding no
    #X11DisplayOffset 10
    #X11UseLocalhost yes
    #PrintMotd yes
    #PrintLastLog yes
    #KeepAlive yes
    #UseLogin no
    # 20030219 jem turned off Privilege Separation for Putty pSFTP to work
    #UsePrivilegeSeparation yes
    UsePrivilegeSeparation no
    PermitUserEnvironment no
    #Compression yes
    #MaxStartups 10
    # no default banner path
    #Banner /some/path
    #VerifyReverseMapping no
    # override default of no subsystems
    Subsystem       sftp    /usr/local/libexec/sftp-server
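
The client-side host key check that a regenerated server key trips, as an added example (not part of the original thread and not OpenSSH's own code): it looks a host up in known_hosts text, including the hashed `|1|salt|hash` form, and reports whether the offered key matches the cached one, differs from it, or is unknown, returning both SHA256 fingerprints so the new key can be compared with the one read on the server before a stale entry is deleted. The hostname and key blobs are constructed placeholders, and wildcard or negated host patterns are not handled.

```python
import base64, hashlib, hmac, struct

def ssh_string(b):
    """RFC 4251 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def fingerprint(key_b64):
    """SHA256 fingerprint as current OpenSSH prints it (base64, padding stripped)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hashed_host(host, salt):
    """Hashed host field: |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(field, host):
    """Plain comma-separated names or a hashed field; wildcards/negation not handled."""
    if field.startswith("|1|"):
        salt = base64.b64decode(field.split("|")[2])
        return hmac.compare_digest(field, hashed_host(host, salt))
    return host in field.split(",")

def check_host_key(known_hosts_text, host, key_type, offered_b64):
    """Return (verdict, cached_fp, offered_fp); verdict: match, changed or unknown."""
    offered_fp, cached_fp = fingerprint(offered_b64), None
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue  # blank lines, comments, @cert-authority / @revoked markers
        if fields[1] != key_type or not host_matches(fields[0], host):
            continue
        cached_fp = fingerprint(fields[2])
        if cached_fp == offered_fp:
            return "match", cached_fp, offered_fp
    return ("changed" if cached_fp else "unknown"), cached_fp, offered_fp

# Constructed sample data: placeholder hostname, byte strings in ssh-rsa layout (not usable keys).
def constructed_rsa_blob(seed):
    n = b"\x00\x80" + hashlib.sha512(seed).digest()
    blob = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(n)
    return base64.b64encode(blob).decode()
HOST = "sftp.example.net"
OLD_KEY = constructed_rsa_blob(b"host key before the upgrade")
NEW_KEY = constructed_rsa_blob(b"host key after the upgrade")
KNOWN_HOSTS = "%s ssh-rsa %s\n" % (hashed_host(HOST, b"constructed-salt"), OLD_KEY)

if __name__ == "__main__":
    print(check_host_key(KNOWN_HOSTS, HOST, "ssh-rsa", NEW_KEY))
```

A `changed` verdict is the state in which the cached entry has to be replaced; the second fingerprint in the result is the value to compare against the server's own host key file.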
    

