[pid 17996] write(2, "Pre-authentication none cipher r"..., 68Pre-authentication none cipher requests are not allowed. [preauth]

[Twoflower2]

Hi,

I want to use the none cipher from a remote client. The none cipher on the client works and has been tested to other sshd's. What can be wrong with this compiled sshd not to work with none cipher?

I downloaded and un-tar file found here https://github.com/rapier1/openssh-portable/archive/hpn-NoneSwitch-7_2_P2.tar.gz

I then do building.

Build cmds:

autoconf autoheader ./configure --with-ipv4-default --with-none --sysconfdir=/etc/sshx/custom --with-md5-passwords --with-privsep-path=/var/lib/sshdx --with-pam --with-ssl-dir=/opt/openssl-1.0.1t --prefix=/opt/openssh make sudo make install

All is fine.

sshd_config: NoneEnabled yes

Starting up new sshd object in debug and trying to connect to it from remote client with cipher none I get this:

debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_7.2 debug2: fd 3 setting O_NONBLOCK debug2: Network child is on pid 19107 debug3: preauth child monitor started debug3: privsep user:group 110:65534 [preauth] debug1: permanently_set_uid: 110/65534 [preauth] debug1: WARNING: None cipher enabled [preauth] debug3: list_hostkey_types: ssh-dss key not permitted by HostkeyAlgorithms [preauth] debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256 [preauth] debug3: send packet: type 20 [preauth] debug1: SSH2_MSG_KEXINIT sent [preauth] debug3: receive packet: type 20 [preauth] debug1: SSH2_MSG_KEXINIT received [preauth] debug1: AUTH STATE IS 0 [preauth] debug2: local server KEXINIT proposal [preauth] debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 [preauth] debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256 [preauth] debug2: ciphers ctos: none,none [preauth] debug2: ciphers stoc: none,none [preauth] debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth] debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth] debug2: compression ctos: none,zlib@openssh.com [preauth] debug2: compression stoc: none,zlib@openssh.com [preauth] debug2: languages ctos: [preauth] debug2: languages stoc: [preauth] debug2: first_kex_follows 0 [preauth] debug2: reserved 0 [preauth] debug2: peer client KEXINIT proposal [preauth] debug2: KEX algorithms: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth] debug2: host key algorithms: ssh-rsa,ssh-dss,null [preauth] debug2: ciphers ctos: none [preauth] debug2: ciphers stoc: none [preauth] debug2: MACs ctos: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96 [preauth] debug2: MACs stoc: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96 [preauth] debug2: compression ctos: none,zlib [preauth] debug2: compression stoc: none,zlib [preauth] debug2: languages ctos: [preauth] debug2: languages stoc: [preauth] debug2: first_kex_follows 0 [preauth] debug2: reserved 0 [preauth] debug1: kex: algorithm: diffie-hellman-group-exchange-sha256 [preauth] debug1: kex: host key algorithm: ssh-rsa [preauth] debug1: REQUESTED ENC.NAME is 'none' [preauth] debug1: Requesting NONE. Authflag is 0 [preauth] Pre-authentication none cipher requests are not allowed. [preauth] debug1: do_cleanup [preauth] debug1: monitor_read_log: child log fd closed debug3: mm_request_receive entering debug1: do_cleanup debug1: Killing privsep child 19107

[vapier]

this is correct behavior -- the None cipher is for data transfer, not for authentication. you must authenticate with a properly encrypted channel first before you can do anything else.