English Amiga Board


Old 24 April 2023, 05:21   #1
Nightfox
Registered User
 
Nightfox's Avatar
 
Join Date: Apr 2016
Location: Perth, Australia
Posts: 386
Trying to get SSH working on Amiga

Hi all

I've been trying to get SSH working on my Amiga (MiSTer core) with AmigaOS 3.2 since I'd like to be able to control my devices from my Amiga. So far no luck. On the weekend I learnt about and set up GeekGadgets for an ixemul UNIX environment and that is working fine but so far no luck with SSH.

I found this site which links some OpenSSH ports for Amiga http://linuxmafia.com/ssh/amiga.html

The first thing I needed to do was download and install OpenSSL for Amiga (a requirement for OpenSSH) so I downloaded and installed openssl-bin version 0.9.7m from Aminet.

With that done I then tried the OpenSSL ports from the site linked above.

I tried the first one and it crashes whenever ssh-keygen or ssh is run and simply said "EMT Trap"

I tried the second one (needed to use the wayback machine to get it because it's no longer online). ssh-keygen works (took about 10 min to generate the keys but that's to be expected, this is just a 68020 with no FPU after all). When I tried then to connect to my MacBook with SSH, it returned with "no matching cipher found"

I feel I am so close to getting it working but I don't know how to fix this cipher issue
Nightfox is offline  
Old 24 April 2023, 05:53   #2
giantclam
Registered User
 
giantclam's Avatar
 
Join Date: Jan 2015
Location: australia
Posts: 486
At a guess, the amiga ssh client only supports ssh-1, whereas your ssh server likely only supports ssh-2. I don't use mac, so I'm not much help.... this may be of use however https://unix.stackexchange.com/quest...-rejecting-cbc
giantclam is offline  
Old 24 April 2023, 06:21   #3
Nightfox
Registered User
 
Nightfox's Avatar
 
Join Date: Apr 2016
Location: Perth, Australia
Posts: 386
Thanks I'll try that. I think it does support SSH 2.0 though since the description on the website says "OpenSSH ported by Eric Chernoff. Requires the GeekGadgets ixemul and ixnet libraries. Client utilities. Open source under the BSD licence. ssh protocol 1.5 & 2.0." however there's nothing in the actual package readme that confirms this
Nightfox is offline  
Old 24 April 2023, 08:01   #4
itsmedoofer
Registered User
 
Join Date: May 2021
Location: ZZ9 Plural Z Alpha
Posts: 124
Quote:
Originally Posted by Nightfox View Post
Hi all

I've been trying to get SSH working on my Amiga (MiSTer core) with AmigaOS 3.2 since I'd like to be able to control my devices from my Amiga. So far no luck. On the weekend I learnt about and set up GeekGadgets for an ixemul UNIX environment and that is working fine but so far no luck with SSH.

I found this site which links some OpenSSH ports for Amiga http://linuxmafia.com/ssh/amiga.html

The first thing I needed to do was download and install OpenSSL for Amiga (a requirement for OpenSSH) so I downloaded and installed openssl-bin version 0.9.7m from Aminet.

With that done I then tried the OpenSSL ports from the site linked above.

I tried the first one and it crashes whenever ssh-keygen or ssh is run and simply said "EMT Trap"

I tried the second one (needed to use the wayback machine to get it because it's no longer online). ssh-keygen works (took about 10 min to generate the keys but that's to be expected, this is just a 68020 with no FPU after all). When I tried then to connect to my MacBook with SSH, it returned with "no matching cipher found"

I feel I am so close to getting it working but I don't know how to fix this cipher issue
Been thinking about ssh myself, seems you have got quite a way with it, if possible it would be great if you could share the link or package that you think has the most promise.

With regards to your problem, I would suggest getting the Bitvise SSH client, free for personal use, it gives you great and easy control over what cyphers are used for the keys and transport, been using it for years, now. Only problem is, it's Windows. I would be surprised if you couldn't get it working with that...
itsmedoofer is offline  
Old 24 April 2023, 11:30   #5
Locutus
Registered User
 
Join Date: Jul 2014
Location: Finland
Posts: 1,178
Quote:
Originally Posted by Nightfox View Post
I tried the second one (needed to use the wayback machine to get it because it's no longer online). ssh-keygen works (took about 10 min to generate the keys but that's to be expected, this is just a 68020 with no FPU after all). When I tried then to connect to my MacBook with SSH, it returned with "no matching cipher found"

I feel I am so close to getting it working but I don't know how to fix this cipher issue

Possibly this client does support SSH protocol version 2, but doesn't offer an encryption mechanism that's safe enough in the modern world anymore. The OSX OpenSSH Server is configured to reject weak keys/algorithms/cyphers which is why you get this error.


This might help a bit with finding what's missing: https://www.openssh.com/legacy.html


You might be able to re-enable older cyphers in the sshd config, but the OSX build might not have support for them compiled in anymore......requiring you to rebuild sshd from source code...


...This is probably not helping much, bottom line, AmigaOS/68k as an ssh client is going to be painful and insecure for both client and server.
Locutus is offline  
Old 24 April 2023, 17:42   #6
oscillik
Registered User
 
Join Date: Aug 2018
Location: UK
Posts: 50
Quote:
Originally Posted by Locutus View Post
Possibly this client does support SSH protocol version 2, but doesn't offer an encryption mechanism that's safe enough in the modern world anymore. The OSX OpenSSH Server is configured to reject weak keys/algorithms/cyphers which is why you get this error.


This might help a bit with finding what's missing: https://www.openssh.com/legacy.html


You might be able to re-enable older cyphers in the sshd config, but the OSX build might not have support for them compiled in anymore......requiring you to rebuild sshd from source code...
You could install OpenSSH via Homebrew https://formulae.brew.sh/formula/openssh#default
oscillik is offline  
Old 25 April 2023, 07:11   #7
Nightfox
Registered User
 
Nightfox's Avatar
 
Join Date: Apr 2016
Location: Perth, Australia
Posts: 386
First of all I realised I had to regenerate my ssh keys because this ssh-keygen by default seems to generate keys for SSHv1 instead of v2. I regenerated v2 keys with:
Code:
ssh-keygen -t rsa
I managed to fix the algorithms issue by editing the /etc/ssh/sshd_config file on my Mac then restarting the sshd service:

Code:
Ciphers +aes128-cbc
KexAlgorithms +diffie-hellman-group1-sha1
HostKeyAlgorithms +ssh-rsa
It now connects and prompts me for my password. Then after I put in the correct password it crashes with

Code:
dispatch_protocol_error: type 80 plen 602
Nightfox is offline  
Old 25 April 2023, 07:54   #8
giantclam
Registered User
 
giantclam's Avatar
 
Join Date: Jan 2015
Location: australia
Posts: 486
Closer.... exactly which ssh client are you using on the Amiga side? (link to archive)
giantclam is offline  
Old 25 April 2023, 09:25   #9
Nightfox
Registered User
 
Nightfox's Avatar
 
Join Date: Apr 2016
Location: Perth, Australia
Posts: 386
This one here
Nightfox is offline  
Old 25 April 2023, 15:35   #10
Locutus
Registered User
 
Join Date: Jul 2014
Location: Finland
Posts: 1,178
Could you do a verbose connection and dump the log here?: `ssh -v $dest`
Locutus is offline  
Old 25 April 2023, 15:59   #11
Nightfox
Registered User
 
Nightfox's Avatar
 
Join Date: Apr 2016
Location: Perth, Australia
Posts: 386
haha an easy way to get this log output to paste in this post for you was to use rsh to perform the ssh -v command on my amiga from my MacBook.

Here it is:

Code:
9.SYS:> ssh -v cameron@192.168.1.46
OpenSSH_3.0.2p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 65534 geteuid 65534 anon 1
debug1: Connecting to 192.168.1.46 [192.168.1.46] port 22.
debug1: temporarily_use_uid: -2/-2 (e=65534)
debug1: restore_uid
debug1: temporarily_use_uid: -2/-2 (e=65534)
debug1: restore_uid
debug1: Connection established.
debug1: identity file T:/.ssh/identity type -1
debug1: identity file T:/.ssh/id_rsa type -1
debug1: identity file T:/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.0
debug1: match: OpenSSH_9.0 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.0.2p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-sha1 none
debug1: kex: client->server aes128-cbc hmac-sha1 none
debug1: dh_gen_key: priv key bits set: 157/320
debug1: bits set: 492/1024
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
The authenticity of host '192.168.1.46 (192.168.1.46)' can't be established.
RSA key fingerprint is 88:3e:cd:e8:7a:03:07:80:81:58:7f:e9:f2:60:1c:bf.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.46' (RSA) to the list of known hosts.
debug1: bits set: 509/1024
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: T:/.ssh/identity
debug1: try privkey: T:/.ssh/id_rsa
debug1: try privkey: T:/.ssh/id_dsa
debug1: next auth method to try is keyboard-interactive
Password:
I entered my password.

Code:
debug1: packet_send2: adding 32 (len 24 padlen 8 extra_pad 64)
debug1: packet_send2: adding 48 (len 10 padlen 6 extra_pad 64)
debug1: ssh-userauth2 successful: method keyboard-interactive
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
dispatch_protocol_error: type 80 plen 602
debug1: Calling cleanup 0x4065e966(0x0)
debug1: Calling cleanup 0x406678b4(0x0)
debug1: channel_free: channel 0: client-session, nchannels 1
debug1: Calling cleanup 0x40672a3e(0x0)
Nightfox is offline  
Old 26 April 2023, 01:20   #12
giantclam
Registered User
 
giantclam's Avatar
 
Join Date: Jan 2015
Location: australia
Posts: 486
I was going to ask for the same log, however, not using this method ...it may be more insightful to stop sshd, restart it in debug mode, and then check the log on the server side, and/or upload said log to pastebin or similar.
giantclam is offline  
Old 28 April 2023, 14:05   #13
Nightfox
Registered User
 
Nightfox's Avatar
 
Join Date: Apr 2016
Location: Perth, Australia
Posts: 386
Here is the output of sshd in debug mode

Code:
?  repos sudo /usr/sbin/sshd -d -p 8888
Password:
debug1: sshd version OpenSSH_9.0, LibreSSL 3.3.6
debug1: private host key #0: ssh-rsa SHA256:78Z0SVAOt+uDbtKw9ExBz5im2z0zVDCFnb8l7t9iIbU
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:wDf1Qmg4WxtCybJLbdHQycvGUZbY6Pi6Dgs3tcUea2s
debug1: private host key #2: ssh-ed25519 SHA256:ZRfQk+olT8I2sMfJOrX7lLGmz/jJLBdhBjPVsqPtxl8
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: rexec_argv[2]='-p'
debug1: rexec_argv[3]='8888'
debug1: Bind to port 8888 on ::.
Server listening on :: port 8888.
debug1: Bind to port 8888 on 0.0.0.0.
Server listening on 0.0.0.0 port 8888.
debug1: fd 6 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 6 out 6 newsock 6 pipe -1 sock 9
debug1: sshd version OpenSSH_9.0, LibreSSL 3.3.6
debug1: private host key #0: ssh-rsa SHA256:78Z0SVAOt+uDbtKw9ExBz5im2z0zVDCFnb8l7t9iIbU
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:wDf1Qmg4WxtCybJLbdHQycvGUZbY6Pi6Dgs3tcUea2s
debug1: private host key #2: ssh-ed25519 SHA256:ZRfQk+olT8I2sMfJOrX7lLGmz/jJLBdhBjPVsqPtxl8
debug1: inetd sockets after dupping: 5, 5
Connection from 192.168.1.254 port 1024 on 192.168.1.46 port 8888
debug1: Local version string SSH-2.0-OpenSSH_9.0
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.0.2p1
debug1: compat_banner: match: OpenSSH_3.0.2p1 pat OpenSSH_2.*,OpenSSH_3.0*,OpenSSH_3.1* compat 0x01200002
debug1: permanently_set_uid: 75/75 [preauth]
debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: kex: algorithm: diffie-hellman-group1-sha1 [preauth]
debug1: kex: host key algorithm: ssh-rsa [preauth]
debug1: kex: client->server cipher: aes128-cbc MAC: hmac-sha1 compression: none [preauth]
debug1: kex: server->client cipher: aes128-cbc MAC: hmac-sha1 compression: none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug1: SSH2_MSG_KEX_ECDH_INIT received [preauth]
debug1: rekey out after 4294967296 blocks [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: rekey in after 4294967296 blocks [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user cameron service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug1: PAM: initializing for "cameron"
debug1: PAM: setting PAM_RHOST to "192.168.1.254"
debug1: userauth-request for user cameron service ssh-connection method keyboard-interactive [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: keyboard-interactive devs  [preauth]
debug1: auth2_challenge: user=cameron devs= [preauth]
debug1: kbdint_alloc: devices 'pam' [preauth]
debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]
Postponed keyboard-interactive for cameron from 192.168.1.254 port 1024 ssh2 [preauth]
debug1: do_pam_account: called
debug1: PAM: num PAM env strings 4
Postponed keyboard-interactive/pam for cameron from 192.168.1.254 port 1024 ssh2 [preauth]
debug1: do_pam_account: called
Accepted keyboard-interactive/pam for cameron from 192.168.1.254 port 1024 ssh2
debug1: monitor_child_preauth: user cameron authenticated by privileged process
debug1: monitor_read_log: child log fd closed
debug1: PAM: establishing credentials
User child is on pid 53149
debug1: PAM: establishing credentials
debug1: permanently_set_uid: 501/20
debug1: rekey in after 4294967296 blocks
debug1: rekey out after 4294967296 blocks
debug1: ssh_packet_set_postauth: called
debug1: active: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch
debug1: server_input_channel_open: ctype session rchan 0 win 32768 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
Connection closed by 192.168.1.254 port 1024
debug1: channel 0: free: server-session, nchannels 1
Close session: user cameron from 192.168.1.254 port 1024 id 0
debug1: do_cleanup
Transferred: sent 2960, received 1128 bytes
Closing connection to 192.168.1.254 port 1024
debug1: PAM: cleanup
debug1: PAM: closing session
debug1: PAM: deleting credentials
Nightfox is offline  
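Once legacy algorithms have been switched back on for one old client, as in post #7, the sshd debug lines from post #13 can be checked to see which sessions actually negotiate them. The following is an added example, not code from any poster or from OpenSSH; the function names are hypothetical, and the config and log text are copied from those two posts.

```python
import re

# sshd_config additions quoted from post #7 of this thread.
SSHD_CONFIG_ADDITIONS = """\
Ciphers +aes128-cbc
KexAlgorithms +diffie-hellman-group1-sha1
HostKeyAlgorithms +ssh-rsa
"""

# Four kex lines quoted from the sshd -d output in post #13.
SSHD_DEBUG_LOG = """\
debug1: kex: algorithm: diffie-hellman-group1-sha1 [preauth]
debug1: kex: host key algorithm: ssh-rsa [preauth]
debug1: kex: client->server cipher: aes128-cbc MAC: hmac-sha1 compression: none [preauth]
debug1: kex: server->client cipher: aes128-cbc MAC: hmac-sha1 compression: none [preauth]
"""

KEX_RE = re.compile(r"kex: algorithm: (\S+)")
HOSTKEY_RE = re.compile(r"kex: host key algorithm: (\S+)")
CIPHER_RE = re.compile(r"kex: \S+ cipher: (\S+) MAC: (\S+)")


def reenabled_algorithms(config_text):
    """Map lowercased keyword -> algorithms appended with the '+' list syntax."""
    added = {}
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[1].startswith("+"):
            names = {a.strip() for a in parts[1][1:].split(",") if a.strip()}
            added.setdefault(parts[0].lower(), set()).update(names)
    return added


def negotiated_algorithms(log_text):
    """Collect what a session negotiated from sshd debug1 kex lines."""
    found = {"kexalgorithms": set(), "hostkeyalgorithms": set(),
             "ciphers": set(), "macs": set()}
    for line in log_text.splitlines():
        m = KEX_RE.search(line)
        if m:
            found["kexalgorithms"].add(m.group(1))
        m = HOSTKEY_RE.search(line)
        if m:
            found["hostkeyalgorithms"].add(m.group(1))
        m = CIPHER_RE.search(line)
        if m:
            found["ciphers"].add(m.group(1))
            found["macs"].add(m.group(2))
    return found


def legacy_in_use(config_text, log_text):
    """Sorted (keyword, algorithm) pairs that were negotiated and also
    appear in one of the config's '+' lists."""
    added = reenabled_algorithms(config_text)
    used = negotiated_algorithms(log_text)
    return sorted((kw, alg) for kw, algs in added.items()
                  for alg in algs & used.get(kw, set()))


if __name__ == "__main__":
    for keyword, alg in legacy_in_use(SSHD_CONFIG_ADDITIONS, SSHD_DEBUG_LOG):
        print(f"{keyword}: session negotiated re-enabled algorithm {alg}")
```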
Old 29 April 2023, 02:28   #14
giantclam
Registered User
 
giantclam's Avatar
 
Join Date: Jan 2015
Location: australia
Posts: 486
So it negotiated auth okay, opened a connection, and the amiga ssh client bailed.

Try a different client ...ie; http://prdownloads.sourceforge.net/a...2.lha?download
giantclam is offline  
Old 29 April 2023, 05:38   #15
Nightfox
Registered User
 
Nightfox's Avatar
 
Join Date: Apr 2016
Location: Perth, Australia
Posts: 386
Quote:
Originally Posted by giantclam View Post
So it negotiated auth okay, opened a connection, and the amiga ssh client bailed.

Try a different client ...ie; http://prdownloads.sourceforge.net/a...2.lha?download
That client crashes instantly with the error EMT trap
Nightfox is offline  
Old 30 April 2023, 06:07   #16
giantclam
Registered User
 
giantclam's Avatar
 
Join Date: Jan 2015
Location: australia
Posts: 486
Odd....that was supposed to run on OS3.2 ...

The only client I can find that's 'current' (still active project) is -> https://github.com/jens-maus/amissl/releases

That would be a better client to focus on here, just because it's active, current ...with full source code available etc etc...
giantclam is offline  
Old 30 April 2023, 10:25   #17
Locutus
Registered User
 
Join Date: Jul 2014
Location: Finland
Posts: 1,178
I did a bit of code surfing in the OpenSSH codebase, ...but if I'm honest, I'm not super confident.

But I suspect this is a protocol mismatch between modern SSHv2 and this 20 year old one.

`dispatch_protocol_error: type 80 plen 602` -> 80 is SSH2_MSG_GLOBAL_REQUEST.

3.0.2 only seems to implement opening TCP forwarding on this request type, while modern SSH servers also issue Keep-alives etc. on this, and without investigating actual Wireshark dumps I fear the SSHD issued some incompatible event that the client barfs at.

But it's a bit hard to figure out codebase differences between 22 years in a rather complex code base I have never looked at before, sorry!
Locutus is offline  
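For reference on message type 80: RFC 4254 section 4 lays out SSH_MSG_GLOBAL_REQUEST as a request name, a want-reply flag and request-specific data, and a receiver that does not recognise the name answers SSH_MSG_REQUEST_FAILURE (82) only when a reply was asked for. The following is an added example of that rule, not code from OpenSSH 3.0.2 or from the thread; the function names are hypothetical and the payloads are constructed, since the thread never captured which request the server sent.

```python
import struct

SSH_MSG_GLOBAL_REQUEST = 80   # the "type 80" in dispatch_protocol_error
SSH_MSG_REQUEST_FAILURE = 82


def build_global_request(name, want_reply, data=b""):
    """Build a constructed payload: byte 80, string name, boolean, data."""
    raw = name.encode("ascii")
    return (bytes([SSH_MSG_GLOBAL_REQUEST]) + struct.pack(">I", len(raw))
            + raw + bytes([1 if want_reply else 0]) + data)


def parse_global_request(payload):
    """Return (request name, want_reply, request-specific data)."""
    if not payload or payload[0] != SSH_MSG_GLOBAL_REQUEST:
        raise ValueError("not an SSH_MSG_GLOBAL_REQUEST payload")
    if len(payload) < 5:
        raise ValueError("truncated name length")
    (name_len,) = struct.unpack_from(">I", payload, 1)
    end = 5 + name_len
    if end + 1 > len(payload):
        raise ValueError("truncated name or missing want_reply byte")
    name = payload[5:end].decode("ascii")
    want_reply = payload[end] != 0
    return name, want_reply, payload[end + 1:]


def reply_to_unrecognised(payload):
    """Reply a receiver owes for a request name it does not implement:
    REQUEST_FAILURE if want_reply is set, otherwise nothing at all."""
    _name, want_reply, _data = parse_global_request(payload)
    if want_reply:
        return bytes([SSH_MSG_REQUEST_FAILURE])
    return None


if __name__ == "__main__":
    # keepalive@openssh.com is a request name OpenSSH uses for keep-alives;
    # example-unknown@example.com is made up for this example.
    samples = [
        build_global_request("keepalive@openssh.com", True),
        build_global_request("example-unknown@example.com", False, b"\x00\x01"),
    ]
    for payload in samples:
        name, want_reply, data = parse_global_request(payload)
        print(name, want_reply, len(data), reply_to_unrecognised(payload))
```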
Old 30 April 2023, 10:29   #18
Locutus
Registered User
 
Join Date: Jul 2014
Location: Finland
Posts: 1,178
Wanting to validate this...

I just tried to build 3.0.2 on modern Debian....Which fails due to some bitrotten Perl support scripts....

Let's fix those....
Locutus is offline  
Old 30 April 2023, 14:05   #19
Nightfox
Registered User
 
Nightfox's Avatar
 
Join Date: Apr 2016
Location: Perth, Australia
Posts: 386
Quote:
Originally Posted by giantclam View Post
Odd....that was supposed to run on OS3.2 ...

The only client I can find that's 'current' (still active project) is -> https://github.com/jens-maus/amissl/releases

That would be a better client to focus on here, just because it's active, current ...with full source code available etc etc...
That's AmiSSL, not an SSH client
Nightfox is offline  
Old 30 April 2023, 17:32   #20
Locutus
Registered User
 
Join Date: Jul 2014
Location: Finland
Posts: 1,178
@NightFox

I got the exact equivalent of this Amiga port to build on GNU/Linux, and have somewhat predictably ended up in the same situation.

Played a bit with configuration, but it just errors out in the event dispatch code, this really isn't going to work against a modern sshd.
Locutus is offline  
 

