Putty 0.60 OpenSSH_4.5p1 problem

We have servers running openssh 4.3.p2 - 4.5p1
From our workstations we used putty 0.58 to access them.

Recently we upgraded our putty installations to 0.60 and were unable to
access the servers running openssh 4.5p1.

When we try, putty throws up a fatal error saying
"Incoming packet was garbled on decryption"

The event log for the session looks like this:

2007-06-14 16:59:33    Looking up host "removed"
2007-06-14 16:59:33    Connecting to removed port 22
2007-06-14 16:59:33    Server version: SSH-2.0-OpenSSH_4.5
2007-06-14 16:59:33    We claim version: SSH-2.0-PuTTY_Release_0.60
2007-06-14 16:59:33    Using SSH protocol version 2
2007-06-14 16:59:33    Doing Diffie-Hellman group exchange
2007-06-14 16:59:35    Doing Diffie-Hellman key exchange with hash SHA-256
2007-06-14 16:59:37    Host key fingerprint is:
2007-06-14 16:59:37    removed
2007-06-14 16:59:37    Initialised AES-256 SDCTR client->server encryption
2007-06-14 16:59:37    Initialised HMAC-SHA1 client->server MAC algorithm
2007-06-14 16:59:37    Initialised AES-256 SDCTR server->client encryption
2007-06-14 16:59:37    Initialised HMAC-SHA1 server->client MAC algorithm
2007-06-14 16:59:37    Incoming packet was garbled on decryption

Does anyone have any ideas what's wrong?

Re: Putty 0.60 OpenSSH_4.5p1 problem

You're using OpenSSL 0.9.8e on the server, right?  If so, it has a bug
in it which causes it to report the wrong key length for variable-length
ciphers when used with non-default key lengths.

Assuming that's the case, you can:

a) patch openssl (the best fix).  Will need to recompile openssh if it's
statically linked against openssl:

b) upgrade to OpenSSH 4.6p1 which has a workaround for some (but not all)
of the cases that are affected.  AES counter mode (which is what you
appear to be using) did get the workaround.

c) tell putty to use a different cipher.  128-bit AES will probably be ok.

Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
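
One way to check a saved PuTTY event log against the case described in the reply above, as an added example that is not part of the original thread. The function names are hypothetical and the sample log is constructed from the lines in the question; the log does not show the server's OpenSSL version, so that still has to be checked on the server.

```python
import re

# Constructed sample: the relevant PuTTY event log lines from the post above.
SAMPLE_LOG = """\
2007-06-14 16:59:33    Server version: SSH-2.0-OpenSSH_4.5
2007-06-14 16:59:33    We claim version: SSH-2.0-PuTTY_Release_0.60
2007-06-14 16:59:37    Initialised AES-256 SDCTR client->server encryption
2007-06-14 16:59:37    Initialised HMAC-SHA1 client->server MAC algorithm
2007-06-14 16:59:37    Initialised AES-256 SDCTR server->client encryption
2007-06-14 16:59:37    Initialised HMAC-SHA1 server->client MAC algorithm
2007-06-14 16:59:37    Incoming packet was garbled on decryption
"""

SERVER_RE = re.compile(r"Server version: SSH-[\d.]+-OpenSSH_(\d+)\.(\d+)")
CIPHER_RE = re.compile(r"Initialised (.+?) (client->server|server->client) encryption")
FAILURE = "Incoming packet was garbled on decryption"


def parse_event_log(text):
    """Extract server OpenSSH version, per-direction ciphers and the failure flag."""
    info = {"openssh": None, "ciphers": {}, "garbled": False}
    for line in text.splitlines():
        if m := SERVER_RE.search(line):
            info["openssh"] = (int(m.group(1)), int(m.group(2)))
        elif m := CIPHER_RE.search(line):
            info["ciphers"][m.group(2)] = m.group(1)  # MAC lines do not match
        elif FAILURE in line:
            info["garbled"] = True
    return info


def matches_reply_diagnosis(info):
    """True when the log fits the case described in the reply: decryption failure,
    OpenSSH server older than 4.6, and AES-256 negotiated in either direction.
    The server's OpenSSL version is not in the log and must be checked separately."""
    old_server = info["openssh"] is not None and info["openssh"] < (4, 6)
    aes256 = any(c.startswith("AES-256") for c in info["ciphers"].values())
    return info["garbled"] and old_server and aes256


if __name__ == "__main__":
    parsed = parse_event_log(SAMPLE_LOG)
    print(parsed)
    print("fits reply's diagnosis:", matches_reply_diagnosis(parsed))
```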