Rocksolid Light

Welcome to novaBBS (click a section below)

mail  files  register  newsreader  groups  login

Message-ID:  

"Go to Heaven for the climate, Hell for the company." -- Mark Twain


devel / comp.security.ssh / Re: SSH 2 for Palm OS - reviving a Palm T|X

SubjectAuthor
* SSH 2 for Palm OS - reviving a Palm T|XJulius Henry Marx
`* Re: SSH 2 for Palm OS - reviving a Palm T|XTavis Ormandy
 `* Re: SSH 2 for Palm OS - reviving a Palm T|XJulius Henry Marx
  `* Re: SSH 2 for Palm OS - reviving a Palm T|XTavis Ormandy
   `* Re: SSH 2 for Palm OS - reviving a Palm T|XJulius Henry Marx
    `* Re: SSH 2 for Palm OS - reviving a Palm T|XTavis Ormandy
     `- Re: SSH 2 for Palm OS - reviving a Palm T|XJulius Henry Marx

1
SSH 2 for Palm OS - reviving a Palm T|X

<271ba61c-52e8-4368-aa3c-3b11a0651acfn@googlegroups.com>

 copy mid

https://www.novabbs.com/devel/article-flat.php?id=249&group=comp.security.ssh#249

 copy link   Newsgroups: comp.security.ssh
X-Received: by 2002:a37:b5c3:: with SMTP id e186mr24906217qkf.747.1638657504415; Sat, 04 Dec 2021 14:38:24 -0800 (PST)
X-Received: by 2002:aca:3643:: with SMTP id d64mr16888785oia.107.1638657504178; Sat, 04 Dec 2021 14:38:24 -0800 (PST)
Path: i2pn2.org!i2pn.org!aioe.org!news.uzoreto.com!tr3.eu1.usenetexpress.com!feeder.usenetexpress.com!tr3.iad1.usenetexpress.com!border1.nntp.dca1.giganews.com!nntp.giganews.com!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail
Newsgroups: comp.security.ssh
Date: Sat, 4 Dec 2021 14:38:23 -0800 (PST)
Injection-Info: google-groups.googlegroups.com; posting-host=191.85.190.206; posting-account=5mK0zwoAAAAlD1WPWGeBts8X5A98yT41
NNTP-Posting-Host: 191.85.190.206
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <271ba61c-52e8-4368-aa3c-3b11a0651acfn@googlegroups.com>
Subject: SSH 2 for Palm OS - reviving a Palm T|X
From: sawb...@gmx.net (Julius Henry Marx)
Injection-Date: Sat, 04 Dec 2021 22:38:24 +0000
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Lines: 34
 by: Julius Henry Marx - Sat, 4 Dec 2021 22:38 UTC

Hello:

I'm attempting to give a bit more use to my Palm T|X and among the uses I'd like to give it is to ssh into my Linux boxes.

I expected to find a bit more Palm based ssh applications but no.
I recall (?) something like this being possible with a Palm IIIxe which its RS-232 port.

The only applications I found were TuSSH (crashes on 'starting key exchange') and pssh with which I have made a *bit* more progress:

```
Starting SSHv2 session
Sending version...
Negotiating algorithms... (
transport: No acceptable key exchange algorithm (server offered 'curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group1
Connection closed.
```

I understand that pssh can only deal with DES-EDE3-CBC ciphers but that would not be a problem as the link is via WiFi through an ADSL router with a WPA/WPA2 PSK mixed password and a MAC filter, WiFi being enabled on a per-case basis.

I'd appreciate any pointers you can give me with this project.
Thanks in advance.

Best,

JHM

Re: SSH 2 for Palm OS - reviving a Palm T|X

<j14jtkFpa85U1@mid.individual.net>

 copy mid

https://www.novabbs.com/devel/article-flat.php?id=250&group=comp.security.ssh#250

 copy link   Newsgroups: comp.security.ssh
Path: i2pn2.org!i2pn.org!news.swapon.de!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: tav...@gmail.com (Tavis Ormandy)
Newsgroups: comp.security.ssh
Subject: Re: SSH 2 for Palm OS - reviving a Palm T|X
Date: 5 Dec 2021 19:57:41 GMT
Lines: 19
Message-ID: <j14jtkFpa85U1@mid.individual.net>
References: <271ba61c-52e8-4368-aa3c-3b11a0651acfn@googlegroups.com>
X-Trace: individual.net M5WIufPSFSTd2KD3x1sUPQJNa6qW2A0UHr+QiVjNCEdJvgvVbi
Cancel-Lock: sha1:j3xG9Begy6aeyMU4VsWYtLYjx70=
User-Agent: slrn/pre1.0.4-5 (Linux)
 by: Tavis Ormandy - Sun, 5 Dec 2021 19:57 UTC

On 2021-12-04, Julius Henry Marx wrote:
> ```
> Starting SSHv2 session
> Sending version...
> Negotiating algorithms... (
> transport: No acceptable key exchange algorithm (server offered 'curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group1
> Connection closed.
> ```

I would guess it wants diffie-hellman-group1-sha1, you will need to add
it to the allowed KexAlgorithms in sshd_config. It's disabled by default
for a reason though, so caveat emptor :)

Tavis.

--
_o) $ lynx lock.cmpxchg8b.com
/\\ _o) _o) $ finger taviso@sdf.org
_\_V _( ) _( ) @taviso

Re: SSH 2 for Palm OS - reviving a Palm T|X

<e5d409a1-91bb-426b-a0a8-08cf7a5bea4dn@googlegroups.com>

 copy mid

https://www.novabbs.com/devel/article-flat.php?id=251&group=comp.security.ssh#251

 copy link   Newsgroups: comp.security.ssh
X-Received: by 2002:a05:6214:29e1:: with SMTP id jv1mr36492150qvb.114.1638793835720;
Mon, 06 Dec 2021 04:30:35 -0800 (PST)
X-Received: by 2002:a4a:51c5:: with SMTP id s188mr7265071ooa.44.1638793835458;
Mon, 06 Dec 2021 04:30:35 -0800 (PST)
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!news.misty.com!border2.nntp.dca1.giganews.com!nntp.giganews.com!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail
Newsgroups: comp.security.ssh
Date: Mon, 6 Dec 2021 04:30:35 -0800 (PST)
In-Reply-To: <j14jtkFpa85U1@mid.individual.net>
Injection-Info: google-groups.googlegroups.com; posting-host=191.85.163.246; posting-account=5mK0zwoAAAAlD1WPWGeBts8X5A98yT41
NNTP-Posting-Host: 191.85.163.246
References: <271ba61c-52e8-4368-aa3c-3b11a0651acfn@googlegroups.com> <j14jtkFpa85U1@mid.individual.net>
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <e5d409a1-91bb-426b-a0a8-08cf7a5bea4dn@googlegroups.com>
Subject: Re: SSH 2 for Palm OS - reviving a Palm T|X
From: sawb...@gmx.net (Julius Henry Marx)
Injection-Date: Mon, 06 Dec 2021 12:30:35 +0000
Content-Type: text/plain; charset="UTF-8"
Lines: 80
 by: Julius Henry Marx - Mon, 6 Dec 2021 12:30 UTC

Hello:

Thank you very much for taking the time to write.

On 5 Dec 2021 at 19:57, Tavis Ormandy wrote:

> ... wants diffie-hellman-group1-sha1, you will need to add it to the
> allowed KexAlgorithms in sshd_config. It's disabled by default for a
> reason ...

Indeed.
But I'd think (?) that in this specific case, the risks of using a deprecated algorithm may be attenuated by three things:

1.
Access to the ADSL router via WiFi is MAC filtered.
It will only allow *this* specific Palm T|X handheld to log in.

2.
A (relatively) complex WPA/WPA2 PSK mixed PW such as this one is used:

[code]
4N@8974+6231
[/code]

3.
WiFi is enabled on a per-case basis.

When I started with this project, trying to define exactly *what* the ssh sever wanted to see on a connection attempt was the first problem.

The PalmOS application I am attempting to use (pssh) is as dated as the Palm T|X itself and instructions or information with respect to how it is supposed to be used is very scarce.

It has been reported that the binary has a string that reads "Ciphers other than DES-EDE3-CBC not supported" but for some reason this message is not displayed to the user.

As a result, importing a key that did not conform to this was met with a pop-up that reads:

---
Incorrect passphrase, or incorrectly formatted memo
---

After a few accumulated hours attempting different options I finally managed to generate a key that was accepted by the application and imported without issue:

[code]
:~$ openssl genrsa -out t1.key 1024
Generating RSA private key, 1024 bit long modulus
....+++++
..........+++++
e is 65537 (0x010001)
[/code]

This got me three files:

- file
- file.pub
- t1.key

I edited the destination system's /etc/ssh/sshd_config file to add this line:

[code]
# Ciphers and keying
Ciphers +ssh-rsa
[/code]

I then stopped/started the ssh service and received this:

[code]
~$ sudo service ssh start
[....] Starting OpenBSD Secure Shell server: sshd/etc/ssh/sshd_config line 23: Bad SSH2 cipher spec '+ssh-rsa'.
failed!
~$
[/code]

The installed version is OpenSSH_7.4p1 Debian-10+deb9u7.
I have not found a way to get around this and I'd say that downgrading to an earlier version would not be acceptable.

I'm not in any way versed in ssh, so please excude me if I am asking basic questions.

Any ideas?

Thanks in advance.

JHM

Re: SSH 2 for Palm OS - reviving a Palm T|X

<j16kdjF6ibgU1@mid.individual.net>

 copy mid

https://www.novabbs.com/devel/article-flat.php?id=252&group=comp.security.ssh#252

 copy link   Newsgroups: comp.security.ssh
Path: i2pn2.org!i2pn.org!news.swapon.de!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: tav...@gmail.com (Tavis Ormandy)
Newsgroups: comp.security.ssh
Subject: Re: SSH 2 for Palm OS - reviving a Palm T|X
Date: 6 Dec 2021 14:18:27 GMT
Lines: 25
Message-ID: <j16kdjF6ibgU1@mid.individual.net>
References: <271ba61c-52e8-4368-aa3c-3b11a0651acfn@googlegroups.com>
<j14jtkFpa85U1@mid.individual.net>
<e5d409a1-91bb-426b-a0a8-08cf7a5bea4dn@googlegroups.com>
X-Trace: individual.net 2GKdRVMNh73ZuFXa/BrUTgx7qzO1geIhnSOTq+y4KcQmYy9FEW
Cancel-Lock: sha1:+nIqIGOiN25eRrPvUosQMyokDOk=
User-Agent: slrn/pre1.0.4-5 (Linux)
 by: Tavis Ormandy - Mon, 6 Dec 2021 14:18 UTC

On 2021-12-06, Julius Henry Marx wrote:
> [code]
> ~$ sudo service ssh start
> [....] Starting OpenBSD Secure Shell server: sshd/etc/ssh/sshd_config line 23: Bad SSH2 cipher spec '+ssh-rsa'.
> failed!
> ~$
> [/code]

That's a HostKeyAlgorithm, not a Cipher. If the message you posted was
correct, then you probably want Ciphers +3des-cbc

>
> The installed version is OpenSSH_7.4p1 Debian-10+deb9u7.
> I have not found a way to get around this and I'd say that downgrading to an earlier version would not be acceptable.

I think you should be able to get it to work. I never had a Palm, but I
did have a Psion 5mx - I loved that thing, it would have made a great ssh
terminal :)

Tavis.

--
_o) $ lynx lock.cmpxchg8b.com
/\\ _o) _o) $ finger taviso@sdf.org
_\_V _( ) _( ) @taviso

Re: SSH 2 for Palm OS - reviving a Palm T|X

<c5c0ea27-a26a-4072-be86-45e7e0dd9bban@googlegroups.com>

 copy mid

https://www.novabbs.com/devel/article-flat.php?id=253&group=comp.security.ssh#253

 copy link   Newsgroups: comp.security.ssh
X-Received: by 2002:a05:620a:4495:: with SMTP id x21mr33724044qkp.604.1638803514932;
Mon, 06 Dec 2021 07:11:54 -0800 (PST)
X-Received: by 2002:aca:add3:: with SMTP id w202mr24363660oie.100.1638803514721;
Mon, 06 Dec 2021 07:11:54 -0800 (PST)
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!news.misty.com!border2.nntp.dca1.giganews.com!nntp.giganews.com!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail
Newsgroups: comp.security.ssh
Date: Mon, 6 Dec 2021 07:11:54 -0800 (PST)
In-Reply-To: <j16kdjF6ibgU1@mid.individual.net>
Injection-Info: google-groups.googlegroups.com; posting-host=191.85.163.246; posting-account=5mK0zwoAAAAlD1WPWGeBts8X5A98yT41
NNTP-Posting-Host: 191.85.163.246
References: <271ba61c-52e8-4368-aa3c-3b11a0651acfn@googlegroups.com>
<j14jtkFpa85U1@mid.individual.net> <e5d409a1-91bb-426b-a0a8-08cf7a5bea4dn@googlegroups.com>
<j16kdjF6ibgU1@mid.individual.net>
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <c5c0ea27-a26a-4072-be86-45e7e0dd9bban@googlegroups.com>
Subject: Re: SSH 2 for Palm OS - reviving a Palm T|X
From: sawb...@gmx.net (Julius Henry Marx)
Injection-Date: Mon, 06 Dec 2021 15:11:54 +0000
Content-Type: text/plain; charset="UTF-8"
Lines: 38
 by: Julius Henry Marx - Mon, 6 Dec 2021 15:11 UTC

Hello:

On Monday, December 6, 2021 at 11:18:31 AM UTC-3, Tavis Ormandy wrote:

> That's a HostKeyAlgorithm, not a Cipher. If the message you posted was
> correct, then you probably want Ciphers +3des-cbc.

I think I had already tried that.
To check, I edited the destination system's /etc/ssh/sshd_config file again to change it to:

[code]
# Ciphers and keying
Ciphers +des-cbc
[/code]

On stop/start of the ssh service and received the same printout:

> [code]
> ~$ sudo service ssh start
> [....] Starting OpenBSD Secure Shell server: sshd/etc/ssh/sshd_config line 23: Bad SSH2 cipher spec '+des-cbc'.
> failed!
> ~$
> [/code]

Maybe there's something else I have to change in sshd_config?

> ... should be able to get it to work.
Thanks for the encouragement, it would be great.

> ... Psion 5mx - I loved that thing ...
Now *that's* serious harware.
Can't compare with the Palm T|X, which *did* have an interesting potential but ....

My all time favourite has been the HP 200LX, loved it.
Another world, another HP ... Albeit already on the slippery downwards slope.

Thanks for your input.

JHM

Re: SSH 2 for Palm OS - reviving a Palm T|X

<j16oemF6ibgU2@mid.individual.net>

 copy mid

https://www.novabbs.com/devel/article-flat.php?id=254&group=comp.security.ssh#254

 copy link   Newsgroups: comp.security.ssh
Path: i2pn2.org!i2pn.org!news.swapon.de!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: tav...@gmail.com (Tavis Ormandy)
Newsgroups: comp.security.ssh
Subject: Re: SSH 2 for Palm OS - reviving a Palm T|X
Date: 6 Dec 2021 15:27:18 GMT
Lines: 21
Message-ID: <j16oemF6ibgU2@mid.individual.net>
References: <271ba61c-52e8-4368-aa3c-3b11a0651acfn@googlegroups.com>
<j14jtkFpa85U1@mid.individual.net>
<e5d409a1-91bb-426b-a0a8-08cf7a5bea4dn@googlegroups.com>
<j16kdjF6ibgU1@mid.individual.net>
<c5c0ea27-a26a-4072-be86-45e7e0dd9bban@googlegroups.com>
X-Trace: individual.net byPbVojU0OhJWkw8X2xEnAS/2A0CK05kqabMjYpba3TzQlsrkH
Cancel-Lock: sha1:YVDkYhHASojcEJzni5YcNYm9KLU=
User-Agent: slrn/pre1.0.4-5 (Linux)
 by: Tavis Ormandy - Mon, 6 Dec 2021 15:27 UTC

On 2021-12-06, Julius Henry Marx wrote:
> I think I had already tried that.
> To check, I edited the destination system's /etc/ssh/sshd_config file again to change it to:
>
> [code]
> # Ciphers and keying
> Ciphers +des-cbc
> [/code]

You're missing the leading 3, it's 3des (triple des).

I think you probably will also need MACs +hmac-sha1 (just a guess, but
seems likely).

Tavis.

--
_o) $ lynx lock.cmpxchg8b.com
/\\ _o) _o) $ finger taviso@sdf.org
_\_V _( ) _( ) @taviso

Re: SSH 2 for Palm OS - reviving a Palm T|X

<0d7e38fd-1a1c-41ac-a312-5d8796e9727dn@googlegroups.com>

 copy mid

https://www.novabbs.com/devel/article-flat.php?id=255&group=comp.security.ssh#255

 copy link   Newsgroups: comp.security.ssh
X-Received: by 2002:a37:9d44:: with SMTP id g65mr36152836qke.495.1638819882118;
Mon, 06 Dec 2021 11:44:42 -0800 (PST)
X-Received: by 2002:aca:d608:: with SMTP id n8mr647568oig.89.1638819881844;
Mon, 06 Dec 2021 11:44:41 -0800 (PST)
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!news.misty.com!border2.nntp.dca1.giganews.com!nntp.giganews.com!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail
Newsgroups: comp.security.ssh
Date: Mon, 6 Dec 2021 11:44:41 -0800 (PST)
In-Reply-To: <j16oemF6ibgU2@mid.individual.net>
Injection-Info: google-groups.googlegroups.com; posting-host=191.85.163.246; posting-account=5mK0zwoAAAAlD1WPWGeBts8X5A98yT41
NNTP-Posting-Host: 191.85.163.246
References: <271ba61c-52e8-4368-aa3c-3b11a0651acfn@googlegroups.com>
<j14jtkFpa85U1@mid.individual.net> <e5d409a1-91bb-426b-a0a8-08cf7a5bea4dn@googlegroups.com>
<j16kdjF6ibgU1@mid.individual.net> <c5c0ea27-a26a-4072-be86-45e7e0dd9bban@googlegroups.com>
<j16oemF6ibgU2@mid.individual.net>
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <0d7e38fd-1a1c-41ac-a312-5d8796e9727dn@googlegroups.com>
Subject: Re: SSH 2 for Palm OS - reviving a Palm T|X
From: sawb...@gmx.net (Julius Henry Marx)
Injection-Date: Mon, 06 Dec 2021 19:44:42 +0000
Content-Type: text/plain; charset="UTF-8"
Lines: 93
 by: Julius Henry Marx - Mon, 6 Dec 2021 19:44 UTC

Hello:
On Monday, December 6, 2021 at 12:27:20 PM UTC-3, Tavis Ormandy wrote:

> You're missing the leading 3, it's 3des (triple des).
Quite so ... 8^/
Sorry about that.

Edited and fixed:
[code]
# Ciphers and keying
Ciphers +3des-cbc
[/code]

> ... will also need MACs +hmac-sha1 ...

Right, edited and added:
[code]
# Ciphers and keying
Ciphers +des-cbc
MACs
[/code]

Where as before I would get "no matching cipher found", now I can ssh from my host to the destination VM using 3des-cbc:

[code]
:~$ ssh -c 3des-cbc user@192.168.1.4
user@192.168.1.4's password:
Linux dev-pihole 4.9.0-16-amd64 x86_64 GNU/Linux
--- snip ---
No mail.
Last login: Mon Dec 6 13:39:36 2021 from 192.168.1.2
:~$
[/code]

But no cigar.

Then I found this tidbit:
[url] https://unix.stackexchange.com/questions/340844/how-to-enable-diffie-hellman-group1-sha1-key-exchange-on-debian-8-0[/url]

[quote]
After reading this and this I came up with the changes I needed to do to the /etc/ssh/sshd_config file:
#Legacy changes
KexAlgorithms +diffie-hellman-group1-sha1
Ciphers +aes128-cbc
[/quote]
My guess (?) is that what I added above under "# Ciphers and keying" could be added to "#Legacy changes" instead.

I edited the sshd_config file and tested "+diffie-hellman-group1-sha1" from my host machine:

[code]
~$ ssh -o KexAlgorithms=diffie-hellman-group1-sha1 user@192.168.1.4
user@192.168.1.4's password:
Linux dev-pihole 4.9.0-16-amd64 x86_64 GNU/Linux
--- snip ---
No mail.
Last login: Mon Dec 6 16:10:41 2021 from 192.168.1.2
user@dev-pihole:~$
[/quote]

It worked so next was to test it with the Palm T|X:
It worked. 8^D!

[code]
Starting SSHv2 session
Sending version...
Negotiating algorithms... (3des-cbc hmac-sha1)
Generating key...
Exchanging keys...
Calculating shared secret...
Logging in to host '192.168.1.4'
Authenticating (none) ... failed
Authenticating (publickey) ... failed
Authenticating (password) ... succeeded
Opening channel...
connection (state 12): refused global request 'hostkeys-00@openssh.com'
Opening pty...
Starting shell...
Connected to host '192.168.1.4'.
Linux dev-pihole 4.9.0-16-amd64 x86_64 GNU/Linux
--- snip ---
Last login: Mon Dec 6 16:23:36 2021 from 192.168.1.5
user@dev-pihole:~$
[/code]

One more question if I may:
Looking at the login printout I get on the Palm T|X's screen, is there anything I should change/fix?
ie: because of " ... failed" and "refused global request"

Thank you very much for helping me with this.
Much obliged.

Best,

JHM

1
server_pubkey.txt

rocksolid light 0.9.7
clearnet tor