[pid 17996] write(2, "Pre-authentication none cipher r"..., 68Pre-authentication none cipher requests are not allowed. [preauth]

Question

[pid 17996] write(2, "Pre-authentication none cipher r"..., 68Pre-authentication none cipher requests are not allowed. [preauth]

Twoflower2 opened this issue 8 years ago · 1 comments

Hi,

I want to use the none cipher from a remote client. The none cipher on the client works and has been tested to other sshd's. What can be wrong with this compiled sshd not to work with none cipher?

I downloaded and un-tar file found here https://github.com/rapier1/openssh-portable/archive/hpn-NoneSwitch-7_2_P2.tar.gz

I then do building.

Build cmds:

autoconf
autoheader
./configure --with-ipv4-default --with-none --sysconfdir=/etc/sshx/custom --with-md5-passwords --with-privsep-path=/var/lib/sshdx --with-pam --with-ssl-dir=/opt/openssl-1.0.1t --prefix=/opt/openssh
make
sudo make install

All is fine.

sshd_config:
NoneEnabled yes

Starting up new sshd object in debug and trying to connect to it from remote client with cipher none I get this:

debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2
debug2: fd 3 setting O_NONBLOCK
debug2: Network child is on pid 19107
debug3: preauth child monitor started
debug3: privsep user:group 110:65534 [preauth]
debug1: permanently_set_uid: 110/65534 [preauth]
debug1: WARNING: None cipher enabled [preauth]
debug3: list_hostkey_types: ssh-dss key not permitted by HostkeyAlgorithms [preauth]
debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256 [preauth]
debug3: send packet: type 20 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug3: receive packet: type 20 [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: AUTH STATE IS 0 [preauth]
debug2: local server KEXINIT proposal [preauth]
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 [preauth]
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256 [preauth]
debug2: ciphers ctos: none,none [preauth]
debug2: ciphers stoc: none,none [preauth]
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: compression ctos: none,zlib@openssh.com [preauth]
debug2: compression stoc: none,zlib@openssh.com [preauth]
debug2: languages ctos: [preauth]
debug2: languages stoc: [preauth]
debug2: first_kex_follows 0 [preauth]
debug2: reserved 0 [preauth]
debug2: peer client KEXINIT proposal [preauth]
debug2: KEX algorithms: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
debug2: host key algorithms: ssh-rsa,ssh-dss,null [preauth]
debug2: ciphers ctos: none [preauth]
debug2: ciphers stoc: none [preauth]
debug2: MACs ctos: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96 [preauth]
debug2: MACs stoc: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96 [preauth]
debug2: compression ctos: none,zlib [preauth]
debug2: compression stoc: none,zlib [preauth]
debug2: languages ctos: [preauth]
debug2: languages stoc: [preauth]
debug2: first_kex_follows 0 [preauth]
debug2: reserved 0 [preauth]
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256 [preauth]
debug1: kex: host key algorithm: ssh-rsa [preauth]
debug1: REQUESTED ENC.NAME is 'none' [preauth]
debug1: Requesting NONE. Authflag is 0 [preauth]
Pre-authentication none cipher requests are not allowed. [preauth]
debug1: do_cleanup [preauth]
debug1: monitor_read_log: child log fd closed
debug3: mm_request_receive entering
debug1: do_cleanup
debug1: Killing privsep child 19107

Answer 1 · 2017-03-14T18:33:25.000Z

this is correct behavior -- the None cipher is for data transfer, not for authentication. you must authenticate with a properly encrypted channel first before you can do anything else.