1. Forum
  2. Usenet
  3. COMP.SECURITY.SSH

  • SSH 2 for Palm OS - reviving a Palm T|X

    From Julius Henry Marx@21:1/5 to All on Sat Dec 4 14:38:23 2021
    Hello:

    I'm attempting to give a bit more use to my Palm T|X and among the uses I'd like to give it is to ssh into my Linux boxes.

    I expected to find a bit more Palm based ssh applications but no.
    I recall (?) something like this being possible with a Palm IIIxe which its RS-232 port.

    The only applications I found were TuSSH (crashes on 'starting key exchange') and pssh with which I have made a *bit* more progress:

    ```
    Starting SSHv2 session
    Sending version...
    Negotiating algorithms... (
    transport: No acceptable key exchange algorithm (server offered 'curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-
    group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group1
    Connection closed.
    ```

    I understand that pssh can only deal with DES-EDE3-CBC ciphers but that would not be a problem as the link is via WiFi through an ADSL router with a WPA/WPA2 PSK mixed password and a MAC filter, WiFi being enabled on a per-case basis.

    I'd appreciate any pointers you can give me with this project.
    Thanks in advance.

    Best,

    JHM

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Tavis Ormandy@21:1/5 to Julius Henry Marx on Sun Dec 5 19:57:41 2021
    On 2021-12-04, Julius Henry Marx wrote:
    ```
    Starting SSHv2 session
    Sending version...
    Negotiating algorithms... (
    transport: No acceptable key exchange algorithm (server offered 'curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-
    group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group1
    Connection closed.
    ```

    I would guess it wants diffie-hellman-group1-sha1, you will need to add
    it to the allowed KexAlgorithms in sshd_config. It's disabled by default
    for a reason though, so caveat emptor :)

    Tavis.

    --
    _o) $ lynx lock.cmpxchg8b.com
    /\\ _o) _o) $ finger [email protected]
    _\_V _( ) _( ) @taviso

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Julius Henry Marx@21:1/5 to Tavis Ormandy on Mon Dec 6 04:30:35 2021
    Hello:

    Thank you very much for taking the time to write.

    On 5 Dec 2021 at 19:57, Tavis Ormandy wrote:

    ... wants diffie-hellman-group1-sha1, you will need to add it to the
    allowed KexAlgorithms in sshd_config. It's disabled by default for a
    reason ...

    Indeed.
    But I'd think (?) that in this specific case, the risks of using a deprecated algorithm may be attenuated by three things:

    1.
    Access to the ADSL router via WiFi is MAC filtered.
    It will only allow *this* specific Palm T|X handheld to log in.

    2.
    A (relatively) complex WPA/WPA2 PSK mixed PW such as this one is used:

    [code]
    4N@8974+6231
    [/code]

    3.
    WiFi is enabled on a per-case basis.

    When I started with this project, trying to define exactly *what* the ssh sever wanted to see on a connection attempt was the first problem.

    The PalmOS application I am attempting to use (pssh) is as dated as the Palm T|X itself and instructions or information with respect to how it is supposed to be used is very scarce.

    It has been reported that the binary has a string that reads "Ciphers other than DES-EDE3-CBC not supported" but for some reason this message is not displayed to the user.

    As a result, importing a key that did not conform to this was met with a pop-up that reads:

    ---
    Incorrect passphrase, or incorrectly formatted memo
    ---

    After a few accumulated hours attempting different options I finally managed to generate a key that was accepted by the application and imported without issue:

    [code]
    :~$ openssl genrsa -out t1.key 1024
    Generating RSA private key, 1024 bit long modulus
    ...+++++
    .........+++++
    e is 65537 (0x010001)
    [/code]

    This got me three files:

    - file
    - file.pub
    - t1.key

    I edited the destination system's /etc/ssh/sshd_config file to add this line:

    [code]
    # Ciphers and keying
    Ciphers +ssh-rsa
    [/code]

    I then stopped/started the ssh service and received this:

    [code]
    ~$ sudo service ssh start
    [....] Starting OpenBSD Secure Shell server: sshd/etc/ssh/sshd_config line 23: Bad SSH2 cipher spec '+ssh-rsa'.
    failed!
    ~$
    [/code]

    The installed version is OpenSSH_7.4p1 Debian-10+deb9u7.
    I have not found a way to get around this and I'd say that downgrading to an earlier version would not be acceptable.

    I'm not in any way versed i
  • From Tavis Ormandy@21:1/5 to Julius Henry Marx on Mon Dec 6 14:18:27 2021
    On 2021-12-06, Julius Henry Marx wrote:
    [code]
    ~$ sudo service ssh start
    [....] Starting OpenBSD Secure Shell server: sshd/etc/ssh/sshd_config line 23: Bad SSH2 cipher spec '+ssh-rsa'.
    failed!
    ~$
    [/code]

    That's a HostKeyAlgorithm, not a Cipher. If the message you posted was
    correct, then you probably want Ciphers +3des-cbc


    The installed version is OpenSSH_7.4p1 Debian-10+deb9u7.
    I have not found a way to get around this and I'd say that downgrading to an earlier version would not be acceptable.

    I think you should be able to get it to work. I never had a Palm, but I
    did have a Psion 5mx - I loved that thing, it would have made a great ssh terminal :)

    Tavis.

    --
    _o) $ lynx lock.cmpxchg8b.com
    /\\ _o) _o) $ finger [email protected]
    _\_V _( ) _( ) @taviso

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Julius Henry Marx@21:1/5 to Tavis Ormandy on Mon Dec 6 07:11:54 2021
    Hello:

    On Monday, December 6, 2021 at 11:18:31 AM UTC-3, Tavis Ormandy wrote:

    That's a HostKeyAlgorithm, not a Cipher. If the message you posted was correct, then you probably want Ciphers +3des-cbc.

    I think I had already tried that.
    To check, I edited the destination system's /etc/ssh/sshd_config file again to change it to:

    [code]
    # Ciphers and keying
    Ciphers +des-cbc
    [/code]

    On stop/start of the ssh service and received the same printout:

    [code]
    ~$ sudo service ssh start
    [....] Starting OpenBSD Secure Shell server: sshd/etc/ssh/sshd_config line 23: Bad SSH2 cipher spec '+des-cbc'.
    failed!
    ~$
    [/code]

    Maybe there's something else I have to change in sshd_config?

    ... should be able to get it to work.
    Thanks for the encouragement, it would be great.

    ... Psion 5mx - I loved that thing ...
    Now *that's* serious harware.
    Can't compare with the Palm T|X, which *did* have an interesting potential but ....

    My all time favourite has been the HP 200LX, loved it.
    Another world, another HP ... Albeit already on the slippery downwards slope.

    Thanks for your input.

    JHM

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Tavis Ormandy@21:1/5 to Julius Henry Marx on Mon Dec 6 15:27:18 2021
    On 2021-12-06, Julius Henry Marx wrote:
    I think I had already tried that.
    To check, I edited the destination system's /etc/ssh/sshd_config file again to change it to:

    [code]
    # Ciphers and keying
    Ciphers +des-cbc
    [/code]

    You're missing the leading 3, it's 3des (triple des).

    I think you probably will also need MACs +hmac-sha1 (just a guess, but
    seems likely).

    Tavis.


    --
    _o) $ lynx lock.cmpxchg8b.com
    /\\ _o) _o) $ finger [email protected]
    _\_V _( ) _( ) @taviso

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Julius Henry Marx@21:1/5 to Tavis Ormandy on Mon Dec 6 11:44:41 2021
    Hello:
    On Monday, December 6, 2021 at 12:27:20 PM UTC-3, Tavis Ormandy wrote:

    You're missing the leading 3, it's 3des (triple des).
    Quite so ... 8^/
    Sorry about that.

    Edited and fixed:
    [code]
    # Ciphers and keying
    Ciphers +3des-cbc
    [/code]

    ... will also need MACs +hmac-sha1 ...

    Right, edited and added:
    [code]
    # Ciphers and keying
    Ciphers +des-cbc
    MACs
    [/code]

    Where as before I would get "no matching cipher found", now I can ssh from my host to the destination VM using 3des-cbc:

    [code]
    :~$ ssh -c 3des-cbc [email protected].1.4
    [email protected].1.4's password:
    Linux dev-pihole 4.9.0-16-amd64 x86_64 GNU/Linux
    --- snip ---
    No mail.
    Last login: Mon Dec 6 13:39:36 2021 from 192.168.1.2
    :~$
    [/code]

    But no cigar.

    Then I found this tidbit:
    [url] https://unix.stackexchange.com/questions/340844/how-to-enable-diffie-hellman-group1-sha1-key-exchange-on-debian-8-0[/url]

    [quote]
    After reading this and this I came up with the changes I needed to do to the /etc/ssh/sshd_config file:
    #Legacy changes
    KexAlgorithms +diffie-hellman-group1-sha1
    Ciphers +aes128-cbc
    [/quote]
    My guess (?) is that what I added above under "# Ciphers and keying" could be added to "#Legacy changes" instead.

    I edited the sshd_config file and tested "+diffie-hellman-group1-sha1" from my host machine:

    [code]
    ~$ ssh -o KexAlgorithms=diffie-hellman-group1-sha1 [email protected].1.4 [email protected].1.4's password:
    Linux dev-pihole 4.9.0-16-amd64 x86_64 GNU/Linux
    --- snip ---
    No mail.
    Last login: Mon Dec 6 16:10:41 2021 from 192.168.1.2
    user@dev-pihole:~$
    [/quote]

    It worked so next was to test it with the Palm T|X:
    It worked. 8^D