
Damned users!

Recently, I upgraded a few Solaris 7 (sparc) machines from OpenSSH 3.early to 3.6p1. I don’t know exactly what interaction broke, but all of a sudden (very old, non-SECSH-compliant) F-Secure (or “commercial SSH2”) clients stopped connecting. Of course, the PuTTY client that I’ve told people to use still worked fine… but there were a few people who are using their own (pirated, incidentally) F-Secure and couldn’t get in. So I pointed out that PuTTY was what the help desk would support, but it looked like it was time for them to upgrade their F-Secure client. No response.

Fine, sure, whatever. Then there’s the (probably second most important to the company) developer with a Red Hat 6.1 (no, really, I’m not kidding) Linux box on his desk next to his Windows PC. He mostly uses the Linux box for development, because it’s just too painful to be in Windows locally and doing all your work on Unix[-like] servers[1].

Anyway, at some point he dumped an F-Secure SSH2 binary on that machine, and now he can’t connect to the couple of servers I upgraded (though he can bounce through those running OpenSSH 3.5p1 or whatever just fine, because I haven’t upgraded those to the latest/greatest just to do it; I just did a security problem sweep and pulled those up to the latest). I point out that we could go about a lot of debugging and figure out exactly which Cipher offer it was that was making his client choke… or he could just upgrade his ssh client. He wasn’t too hot on either, said he’d just cope with ssh’ing through to get what he needed to do done.
Which, of course, is code for “I’m going to whine at my boss that the Systems Group is getting in my way; I’m so put upon.” Now, I actually like this guy, and he likes me… but he’s one of those “any excuse for it to be somebody else’s fault” kind of people. So I tell him I’ll just upgrade SSH for him, and that he should just make me an account and change the root password temporarily. So he does. And then I try to login… no sshd listening. Or installed. Because, wonderfully enough, the RPM he had installed however long ago was clients only.

::sigh::

So I head on over and do it locally while he works in PuTTY on his Windows box. Need to upgrade Zlib (you don’t want to know how scary-old that was…) and OpenSSL while I’m there, especially since there was no OpenSSL there at all and OpenSSH will simply refuse to use the Zlib he had during configuration these days. Get it all set up, and he’s good.

Then today, we have this email exchange (names changed to protect me from the guilty’s vanity googling; I’m also eliding his quotes of my messages… they’re all top-replies, fwiw):



From: “Larry User” <LUSER@employer.dom>
Subject: Hate to bug you again…
Date: Wed, 23 Jul 2003 15:04:16 -0400
To: “Grumpy Sysadmin” <gsysadmin@employer.dom>

But, can you think of any reason that the same key I have working on golf, chop/mince/shred, rend, slice, and dice wouldn’t work on rip?


From: Grumpy Sysadmin <gsysadmin@employer.dom>
Subject: Re: Hate to bug you again…
Date: Wed, 23 Jul 2003 15:28:02 -0400
To: Larry User <LUSER@employer.dom>

On Wed, Jul 23, 2003 at 03:04:16PM -0400, Larry User wrote:
> But, can you think of any reason that the same key I have working on golf, chop/mince/shred, rend, slice, and dice wouldn’t work on rip?

rip:~luser# ll -d ~luser
drwx-wx---    4 luser users        4096 Jul 23 15:02 /home/luser/
     ^


From: “Larry User” <LUSER@employer.dom>
Subject: RE: Hate to bug you again…
Date: Wed, 23 Jul 2003 15:31:26 -0400
To: “Grumpy Sysadmin” <gsysadmin@employer.dom>

Nope. Fixed it, still doesn’t work. Even confirmed the home directory and .ssh/ permissions match those on slice.

If it helps, I also had the same problem on ivyweb09.

(And please tell me to go away if I’m being annoying…)


From: Grumpy Sysadmin <gsysadmin@employer.dom>
Subject: Re: Hate to bug you again…
Date: Wed, 23 Jul 2003 15:35:16 -0400
To: Larry User <LUSER@employer.dom>

On Wed, Jul 23, 2003 at 03:31:26PM -0400, Larry User wrote:
> Nope. Fixed it, still doesn’t work. Even confirmed the home directory and .ssh/ permissions match those on slice.

Do:

ssh -vvv -p 2022 rip

please.

> (And please tell me to go away if I’m being annoying…)

No problem as long as you can deal with quick responses.



[I'd just done an sshd -ddd -p 2022 on that host; watched as he connected, sshd accepted public-key authentication, and then he logged out.]



From: “Larry User” <LUSER@employer.dom>
Subject: RE: Hate to bug you again…
Date: Wed, 23 Jul 2003 15:36:18 -0400
To: “Grumpy Sysadmin” <gsysadmin@employer.dom>

Actually, it works on rip now. Still doesn’t on ivyweb09.


From: Grumpy Sysadmin <gsysadmin@employer.dom>
Subject: Re: Hate to bug you again…
Date: Wed, 23 Jul 2003 15:40:09 -0400
To: Larry User <LUSER@employer.dom>

On Wed, Jul 23, 2003 at 03:36:18PM -0400, Larry User wrote:
> Actually, it works on rip now. Still doesn’t on ivyweb09.

Uh, dude:

ivyweb09:~# ll -d ~luser
drwxrwxrwx   11 luser users        4096 Jul 23 15:08 /home/luser/


From: “Larry User” <LUSER@employer.dom>
Subject: RE: Hate to bug you again…
Date: Wed, 23 Jul 2003 15:40:49 -0400
To: “Grumpy Sysadmin” <gsysadmin@employer.dom>

OK. *NOW* I feel stupid.

Thanks.



You’re welcome!
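What bit Larry both times is sshd’s StrictModes check (on by default): before accepting a key from ~/.ssh/authorized_keys, sshd requires that file, the .ssh directory and the home directory itself to be owned by the user (or root) and to carry neither group-write nor world-write bits; ‘drwx-wx---’ fails on group-write, ‘drwxrwxrwx’ on both. Below is an added example, not code from the original post, that applies that rule to a home directory and reproduces both failures against throwaway directories it builds itself (the ‘luser’ name, the temp paths and the placeholder key line are all constructed):

```python
"""Added example: a StrictModes-style permission check for a user's home,
~/.ssh and ~/.ssh/authorized_keys.  Mirrors the rule OpenSSH's sshd applies
with StrictModes on: each of those three paths must be owned by the user
(or root) and must not be group- or world-writable.
"""
import os
import shutil
import stat
import tempfile
from typing import List, Tuple

# The two bits sshd rejects: group-write and other-write (mode & 0o022).
_BAD_WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH


def _check_one(path: str, uid: int, kind: str) -> List[str]:
    """Return the reasons `path` would fail the StrictModes check (empty if none)."""
    reasons = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{kind} {path} does not exist"]
    if st.st_uid not in (0, uid):
        reasons.append(f"{kind} {path} owned by uid {st.st_uid}, expected {uid} or 0")
    if st.st_mode & _BAD_WRITE_BITS:
        reasons.append(f"{kind} {path} is group- or world-writable "
                       f"({stat.filemode(st.st_mode)})")
    return reasons


def strict_modes_problems(home: str, uid: int) -> List[str]:
    """Check home, home/.ssh and home/.ssh/authorized_keys the way sshd does.

    An empty list means public-key auth would not be refused for permission
    reasons; otherwise one human-readable reason per problem is returned.
    """
    ssh_dir = os.path.join(home, ".ssh")
    keys = os.path.join(ssh_dir, "authorized_keys")
    problems = []
    problems += _check_one(home, uid, "home directory")
    problems += _check_one(ssh_dir, uid, "directory")
    problems += _check_one(keys, uid, "file")
    return problems


def build_demo_home(home_mode: int) -> str:
    """Construct a throwaway home directory (hypothetical user 'luser')
    with a correctly permissioned .ssh/authorized_keys and the given
    mode on the home directory itself."""
    home = tempfile.mkdtemp(prefix="luser-")
    ssh_dir = os.path.join(home, ".ssh")
    os.mkdir(ssh_dir)
    os.chmod(ssh_dir, 0o700)          # set explicitly; mkdir's mode is subject to umask
    keys = os.path.join(ssh_dir, "authorized_keys")
    with open(keys, "w") as f:
        # Constructed placeholder line; contents are irrelevant to the mode check.
        f.write("ssh-rsa AAAAB3-constructed-placeholder luser@example\n")
    os.chmod(keys, 0o600)
    os.chmod(home, home_mode)
    return home


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Reproduce the two failures from the post, then the fix.

    Returns (problems for drwx-wx---, problems for drwxrwxrwx,
    problems after chmod 700 on the second home)."""
    uid = os.getuid()
    group_writable = build_demo_home(0o730)   # drwx-wx---, as on rip
    world_writable = build_demo_home(0o777)   # drwxrwxrwx, as on ivyweb09
    try:
        before_group = strict_modes_problems(group_writable, uid)
        before_world = strict_modes_problems(world_writable, uid)
        os.chmod(world_writable, 0o700)       # the fix
        after = strict_modes_problems(world_writable, uid)
    finally:
        shutil.rmtree(group_writable)
        shutil.rmtree(world_writable)
    return before_group, before_world, after


if __name__ == "__main__":
    for label, result in zip(("drwx-wx---", "drwxrwxrwx", "after chmod 700"), demo()):
        print(f"{label}: {result or 'OK'}")
```

Run it as-is to see the three results, or call strict_modes_problems(os.path.expanduser("~"), os.getuid()) on a real account. The check stops at the home directory, as sshd’s does for files inside it, so a world-writable /home would not be reported; sshd logs its refusal (“bad ownership or modes”) only at the server side, which is why the client’s ssh -vvv output alone showed nothing useful here.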

[1] I can commiserate… in fact, I’ve got NetBSD on my workstation with XF86 4 set up just the way I like it (two monitors in 1152×864 with Xinerama on) and I only ever touch Windows through Citrix Metaframe to accept appointments in Outlook (I actually read my email with mutt’s IMAP foo; I’d do appointments that way too, but I haven’t worked out the proper LDAP queries to make of the Exchange server to find out what real person the massive UIDs refer to, nor the format to tell the Exchange server I’ve accepted the meeting).
