Created attachment 3317 [details]
Config.log

When connecting via the latest SSH from git, compiled on a Mac against libressl, connecting to an IP address with ssh commandline throws an error:

./ssh 192.168.61.230
ssh_dispatch_run_fatal: Connection to 192.168.61.230 port 22: unexpected internal error

But the FQDN works fine:

509 bash$ ./ssh ntp
Linux ntp 4.19.50+ #1234 Thu Jun 13 10:47:38 BST 2019 armv6l
....

sftp does work however --

510 bash$ ./sftp 192.168.61.230
*********************************************************************
This resource, including all related equipment, networks and network devices, are provided for authorized use. Computer systems may be monitored for all lawful purposes, including to ensure authorized use, for management of the system, to facilitate protection against unauthorized access and to verify security procedures and operational procedures. The monitoring on this system may include audits by authorized personnel to test or verify the validity, security and survivability of this system. During monitoring information may be examined, recorded, copied and used for authorized purposes. All information placed on or sent to this system may be subject to such monitoring procedures. Use of this computer system, authorized or unauthorized, constitutes consent to this policy and the policies and procedures set forth by System Owner. Evidence of unauthorized use collected during monitoring may be used for criminal prosecution by System staff, legal counsel and law enforcement agencies.
*********************************************************************
Connected to 192.168.61.230.
sftp>

This bug has existed for several weeks.

511 bash$ ./ssh -V
OpenSSH_8.0p1, LibreSSL 3.0.0
I have not been able to reproduce on: Darwin osx-highsierra 17.7.0 Darwin Kernel Version 17.7.0: Sun Jun 2 20:31:42 PDT 2019; root:xnu-4570.71.46~1/RELEASE_X86_64 x86_64 What version of OS X are you using? What configure flags did you give when you built libressl and openssh? Could you please attach to this bug the debug output from ssh -vvv for both the working and non-working examples?
From your config.log:

> Darwin Kernel Version 18.7.0:

presumably that's Mojave?

> ./configure --with-ssl-dir=/usr/local --with-pam

--with-pam doesn't change the behaviour of the client, so other than that it should be a default build.

It's possible the problem you're seeing is specific to a particular crypto method, which should show up in the comparison of the two debug logs.
(In reply to Darren Tucker from comment #1)
> I have not been able to reproduce on:
> Darwin osx-highsierra 17.7.0 Darwin Kernel Version 17.7.0: Sun Jun
> 2 20:31:42 PDT 2019; root:xnu-4570.71.46~1/RELEASE_X86_64 x86_64
>
> What version of OS X are you using? What configure flags did you
> give when you built libressl and openssh? Could you please attach
> to this bug the debug output from ssh -vvv for both the working and
> non-working examples?

Good evening & Hello, how are you tonight?

macOS Mojave 10.14.6 -- latest and greatest.

Configure line confirmed.

Attached -vvv log as requested.
I can try it without the pam to see if that is the cause.
Created attachment 3320 [details] ssh -vvv log
(In reply to Darren Tucker from comment #2)
> It's possible the problem you're seeing is specific to a particular
> crypto method, which should show up in the comparison of the two
> debug logs.

Are you saying the crypto method changes between:

ssh foo.bar.com
and
ssh 1.1.1.1

invocation methods? The first one works, the second one doesn't.

(I haven't coded in C for 20+ years, I am not an expert!)
(In reply to Warren Lavallee from comment #3)
> (In reply to Darren Tucker from comment #1)
> > I have not been able to reproduce on:
> > Darwin osx-highsierra 17.7.0 Darwin Kernel Version 17.7.0: Sun Jun
> > 2 20:31:42 PDT 2019; root:xnu-4570.71.46~1/RELEASE_X86_64 x86_64
> >
> > What version of OS X are you using? What configure flags did you
> > give when you built libressl and openssh? Could you please attach
> > to this bug the debug output from ssh -vvv for both the working and
> > non-working examples?
>
> Good evening & Hello, how are you tonight?
>
> macOS Mojave 10.14.6 -- latest and greatest.
>
> Configure line confirmed.
>
> Attached -vvv log as requested.
> I can try it without the pam to see if that is the cause.

I recompiled without the "with-pam" and it has the same behavior.
Created attachment 3321 [details]
This may help, it's my build script

Don't know if this is all still necessary, but when I started building from git, the source wouldn't build, and I had to manually add some defines to config.sh before the build. I think just:

#define HAVE_GETLINE 1
#define HAVE_BZERO 1

Not sure why configure didn't find them.

back to bed now !
If I download and build the latest release version -- "openssh-8.0p1" from your website, using the same build script, it works. So that should remove everything on my system as a possible issue.
(In reply to Warren Lavallee from comment #5)
> Are you saying the crypto method changes between:
> "ssh foo.bar.com" and "ssh 1.1.1.1"
> invocation methods?

It's possible, eg if you have a Host entry for foo.bar.com in ~/ssh/config that sets things like Ciphers, MACs or HostKeyAlgorithms, but do not have the equivalent for 1.1.1.1.
(In reply to Warren Lavallee from comment #4)
> Created attachment 3320 [details]
> ssh -vvv log

That's only the non-working one. Please include the working one too, so that we can see what's different.
Created attachment 3322 [details] ssh -vvv working
Don't look at that -- it's not the latest build -- it was the release version from your website.

I don't know what I did, but now neither method works --

00:45 warren@WJL-MBP-15:~/src/openssh-portable
536 bash$ ./ssh goliath.openfinance.com
ssh_dispatch_run_fatal: Connection to 192.168.61.230 port 22: unexpected internal error
00:45 warren@WJL-MBP-15:~/src/openssh-portable
537 bash$ ./ssh 192.168.61.230
ssh_dispatch_run_fatal: Connection to 192.168.61.230 port 22: unexpected internal error
00:46 warren@WJL-MBP-15:~/src/openssh-portable
538 bash$

(In reply to Warren Lavallee from comment #11)
> Created attachment 3322 [details]
> ssh -vvv working
diffie-hellman-group-exchange-sha256 (which both sets of logs show) involves selecting a Diffie-Hellman group (ie a set of numbers) from the moduli file on the server. It's possible that the behaviour varies depending on the specific one selected.

I suggest:
- repeating each test a number of times to see if the behaviour changes
- force use of the static group ("ssh -o kexalgorithms=diffie-hellman-group14-sha1 ...").
- try replacing the moduli file on the server with the one from the current distribution (keep the old one, in case it's relevant :-)
Created attachment 3323 [details]
more kex debugging

This puts a bunch of more-proximal error messages in the key exchange code. You'll need to apply it to git HEAD and recompile, but it may give a better indication of where this is blowing up.
Created attachment 3324 [details]
ssh -vvv logs -- patched source code

I applied your patch, recompiled, and ran ssh -vvv 9 times against the same host. The logfiles are in the ZIP file.
(In reply to Darren Tucker from comment #13)
> diffie-hellman-group-exchange-sha256 (which both sets of logs show)
> involve selecting a Diffie-Hellman group (ie a set of numbers) from
> the moduli file on the server. It's possible that the behaviour
> varies depending on the specific one selected.
>
> I suggest:
> - repeating each test a number of times to see if the behaviour
> changes
> - force use of the static group ("ssh -o
> kexalgorithms=diffie-hellman-group14-sha1 ...").
> - try replacing the moduli file on the server with the one from the
> current distribution (keep the old one, in case it's relevant :-)

ssh -o kexalgorithms=diffie-hellman-group14-sha1 works

Perhaps it's a compatibility issue with LibreSSL 3.0.0

The production ssh release does work with LibreSSL 3.0.0 however.

I compile LibreSSL 3.0.0 separately and install into /usr/local -- that is the reason for the with-SSL I configure. macOS seems to come with LibreSSL 2.7.3 out of the box.
Here's the error:

choose_mac: unsupported MAC hmac-sha2-512

Could you please attach the output of configure and config.log (separate attachments please)
Created attachment 3325 [details] Output from configure script
Created attachment 3326 [details] config.log
The problem is that you're not regenerating configure/config.h when you are updating the source and rebuilding. Your build script needs a call to autoreconf between the git pull and configure invocations.
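
Added example (not part of the original thread and not the OpenSSH project's own tooling): a guard for a git-based build script that detects a configure script older than its autoconf inputs and regenerates it before configuring, which is the step the diagnosis above says was missing. The function names, the AUTORECONF override and the list of input files are assumptions for illustration.

```shell
#!/bin/sh
# Added example: keep configure/config.h in step with a git checkout.
# Function names and the checked file list are illustrative assumptions.

# Return 0 (stale) when configure or config.h.in is missing, or when any
# autoconf input in source tree $1 is newer than either of them.
configure_is_stale() {
    src=$1
    [ -f "$src/configure" ] || return 0
    [ -f "$src/config.h.in" ] || return 0
    for input in "$src/configure.ac" "$src/aclocal.m4" "$src"/m4/*.m4; do
        # An unmatched glob stays literal; skip inputs that do not exist.
        [ -e "$input" ] || continue
        if [ "$input" -nt "$src/configure" ] ||
           [ "$input" -nt "$src/config.h.in" ]; then
            return 0
        fi
    done
    return 1
}

# Regenerate the autoconf outputs when stale and drop the results of any
# previous configure run, so the next ./configure re-probes the platform
# instead of reusing an outdated config.h.
# Prints "regenerated" or "current"; returns non-zero if autoreconf fails.
prepare_tree() {
    src=$1
    if configure_is_stale "$src"; then
        (cd "$src" && ${AUTORECONF:-autoreconf}) || return 1
        rm -f "$src/config.status" "$src/config.h"
        echo regenerated
    else
        echo current
    fi
}

# Intended use in a build script (paths are placeholders):
#   git -C "$SRC" pull && prepare_tree "$SRC" && \
#       (cd "$SRC" && ./configure --with-ssl-dir=/usr/local && make)
```

A build that fails on a missing HAVE_* define, or that reports a supported algorithm as unsupported at run time, is a reason to run this check before patching config.h by hand.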
(embarrassed) that’s it! I did an autoreconf and it works now!

I realize you work for free. Sorry for wasting so much of your valuable time with a non-issue.

Check your email.
closing resolved bugs as of 8.6p1 release