G7 Microserver ILO - can't ssh to it?


Gordan

I recently brought a G7 microserver back into service and I seem to be having a problem with its ILO card. The web part works, and I can configure the IP from the BIOS setup, but I cannot seem to ssh into it.

This is what happens:

$ ssh -vvv 192.168.0.101
OpenSSH_8.0p1, OpenSSL 1.1.1c FIPS 28 May 2019
[...]
debug1: Connecting to 192.168.0.101 [192.168.0.101] port 22.
debug1: Connection established.
[...]
debug1: Local version string SSH-2.0-OpenSSH_8.0
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.2
debug1: match: OpenSSH_5.2 pat OpenSSH_5* compat 0x0c000002
debug2: fd 5 setting O_NONBLOCK
debug1: Authenticating to 192.168.0.101:22 as 'admin'
debug3: hostkeys_foreach: reading file "/home/gordan/.ssh/known_hosts"
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
debug2: ciphers stoc: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa,ssh-dss
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: MACs ctos: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: MACs stoc: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha1 compression: none
debug1: kex: diffie-hellman-group-exchange-sha256 need=32 dh_need=32
debug1: kex: diffie-hellman-group-exchange-sha256 need=32 dh_need=32
debug3: send packet: type 34
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<8192<8192) sent
debug3: receive packet: type 31
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug2: bits set: 4113/8192
debug3: send packet: type 32
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent

and eventually:

Connection reset by 192.168.0.101 port 22

What am I missing?
 

Rand__

looks like the key exchange did not work properly?
you sure you're allowing matching ciphers?
 

Gordan

It's completely unrestricted on the machine I'm connecting from. I tried with Putty from a Windows machine, and that behaves exactly the same way.
 

Rand__

well gen 7 is probably quite old... - try enabling legacy options.
if you run a current putty version it will have disabled the ancient stuff for security reasons (same for ssh on linux)
 

Gordan

I tried from an older client with -1 to force version 1 of the ssh protocol, and it fails with:

Protocol major versions differ: 1 vs. 2

Looking at the output above, though, it does look like ctos and stoc lines match, which should imply that they have agreed on protocols. If there was a mismatch in protocol availability, I would expect it to fail, rather than just wait for a timeout.
 

Rand__

it's not a matter of protocol - ssh1 vs 2, it seems to fail in the key exchange part of ssh2
you need to allow additional (weaker) ciphers to be used

check what ciphers OpenSSH_5.2 supports which are compatible with your OpenSSH_8.0p1 client version

mind I am only guessing, maybe it's something totally different, but that's how it looks to me :)
 

Gordan

Awesome, you were right - I just built OpenSSH 5.2, and that lets me ssh in. Now I have a way of bisecting the difference between the two. Thank you. :)

Edit:

Just in case somebody googles this in the future, the options to put in .ssh/config for the host/IP of the G7 microserver ILO are:
Ciphers aes128-ctr
MACs hmac-md5

Adding this as well seems to help the connection prompt happen faster:
KexAlgorithms diffie-hellman-group1-sha1
 

Rand__

You should be aware that these have been deprecated for a reason ... they are relatively easy to crack - so don't run these in an insecure environment :)

Glad you got it working
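
An added example, not part of the thread: a small Python parser for the two KEXINIT proposals in `ssh -vvv` output that works out which algorithms get negotiated and checks the three pinned options from the `.ssh/config` fix against what the client offers by default. The function names are hypothetical and the sample is abridged from the log in the first post.

```python
import re

# Constructed sample: abridged from the `ssh -vvv` output in the thread
# (ctos lines only; the stoc lines are identical in that log).
SAMPLE = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: ciphers ctos: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-ctr,aes128-cbc
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
debug2: MACs ctos: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
"""

SECTION = re.compile(r"debug2: (local client|peer server) KEXINIT proposal")
FIELD = re.compile(r"debug2: (KEX algorithms|ciphers ctos|MACs ctos): (\S*)")

def parse_proposals(log):
    """Return {'client': {field: [algs]}, 'server': {...}} from ssh -vvv text."""
    out, side = {"client": {}, "server": {}}, None
    for line in log.splitlines():
        m = SECTION.match(line.strip())
        if m:  # the same field labels repeat per side, so track the section
            side = "client" if m.group(1) == "local client" else "server"
            continue
        m = FIELD.match(line.strip())
        if m and side:
            out[side][m.group(1)] = m.group(2).split(",")
    return out

def negotiate(p):
    """Simplified RFC 4253 rule: first client-listed algorithm the server also lists."""
    return {f: next((a for a in algs if a in p["server"].get(f, [])), None)
            for f, algs in p["client"].items()}

def audit_pins(p, pins):
    # Classify each pinned algorithm against both proposals.
    def status(field, alg):
        if alg not in p["server"].get(field, []):
            return "not offered by server"
        return "client default" if alg in p["client"].get(field, []) else "legacy"
    return {alg: status(f, alg) for f, alg in pins.items()}

# The three options from the thread's .ssh/config fix.
PINS = {"ciphers ctos": "aes128-ctr", "MACs ctos": "hmac-md5",
        "KEX algorithms": "diffie-hellman-group1-sha1"}

if __name__ == "__main__":
    print(negotiate(parse_proposals(SAMPLE)), audit_pins(parse_proposals(SAMPLE), PINS))
```

On this sample the negotiated set matches the `kex:` lines in the original log, and only `aes128-ctr` among the pinned options is still in the client's default proposal.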