Openssh-6.7p1 and TimeStorm Remote Debugging Workaround
Due to recent changes in openssh, TimeStorm has trouble connecting to target systems running openssh-6.7p1, because CBC ciphers are no longer enabled as of openssh-6.7p1.
NOTE: This issue only occurs during debugging efforts while using TimeStorm with openssh-6.7p1 on the target.
Earlier versions of openssh are not affected.
Please be sure to revert this change after debugging efforts are completed. Production systems should NOT contain this workaround.
Issue
In TimeStorm, when you execute Check Link on a target hardware with ssh and scp selected, the check stops at "Authenticating username and password" and TimeStorm appears to hang. The logs on the target system should show that this is due to "no matching cipher found". This only occurs when using openssh-6.7p1 on the target hardware while remote debugging with TimeStorm.
Prerequisites
- Cross-toolchain has been installed for use with TimeStorm.
- TimeStorm recognizes installed cross-toolchain.
- Verify under dropdown menu Window > Preferences > TimeStorm > Toolchains.
- Hardware Target profile has been created in TimeStorm.
- Right click your project, and click Debug As > Remote C/C++ Application.
- In the Debug Configuration window, click the Target tab, and select Manage Target.
- Create a new HW target.
- Recommend SCP on Download tab.
- Recommend ssh on Execute tab.
- Openssh-6.7p1 server is running on target hardware; if an earlier openssh version is in use on target, this workaround is not necessary.
- Password set for root user on target system.
- After boot, run passwd from the terminal of the target system to set root password.
Workaround
On the target
- Add "Ciphers" and "KexAlgorithms" sections to /etc/openssh/sshd_config file as shown below:
- NOTE: Copy/paste of this code may result in the insertion of unintended carriage return characters.
- Ensure everything from KexAlgorithms through diffie-hellman-group1-sha1 is contained on a single line.
Ciphers aes256-cbc,aes128-cbc,blowfish-cbc
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
- Restart openssh:
$ /etc/init.d/S50-openssh restart
On the host machine
- Generate RFS Customization Script:
- This allows for Factory to include the appropriate Ciphers and KexAlgorithms sections in the /etc/openssh/sshd_config file at build-time.
- Additional info on the use of the RFS Customization Script can be found here.
- NOTE: Copy/paste of this code may result in the insertion of unintended carriage return characters.
- Ensure everything from KexAlgorithms through diffie-hellman-group1-sha1 is contained on a single line.
#!/bin/bash
# the RFS directory is passed as the first argument
RFSDIR=$1
cd "$RFSDIR" || exit 1
# add "Ciphers" and "KexAlgorithms" to sshd_config
cat >> etc/openssh/sshd_config <<EOF
Ciphers aes256-cbc,aes128-cbc,blowfish-cbc
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
EOF
- Make RFS Customization Script executable:
chmod +x /path/to/myRFSscript.sh
- Add RFS Customization Script to Factory Workorder:
- via menuconfig: Target Configuration > Build RFS > RFS Customization Script.
- Enter path/to/myRFSscript.sh.
- Rebuild SDK:
- Run make rfs-distclean && make.
- Re-deploy RFS to target.
- Set root password (with passwd).
Verify connection in TimeStorm
To verify connectivity to a target, click the Run tab and click Hardware Targets, then select the target in the left panel of the Run Targets window and click the Check Link button. The Raw Log tab becomes active when the check starts.
If the host communicates successfully with the target, a Target Check – Passed message will be displayed in the Raw Log tab.
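Because this workaround must be reverted before production, a release check can scan the sshd_config in the built RFS (etc/openssh/sshd_config under the RFS directory) for the CBC ciphers and the diffie-hellman-group1-sha1 key exchange that the workaround enables. The script below is an added example, not part of the original page or of TimeStorm or Factory. The function names are hypothetical, and it only inspects algorithms listed explicitly in the file.

```shell
#!/bin/sh
# Added example (not from the original page): detect the TimeStorm debug
# workaround in an sshd_config before the root filesystem is released.

# Print "keyword:algorithm" for every CBC cipher or group1 key exchange
# explicitly enabled in the sshd_config given as $1.
weak_algorithms() {
    awk '
        /^[ \t]*#/ { next }                    # comment line
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            # keyword and argument are separated by whitespace or "="
            if (!match(line, /[ \t=]+/)) next
            key = tolower(substr(line, 1, RSTART - 1))   # keywords are case-insensitive
            val = substr(line, RSTART + RLENGTH)
            gsub(/[ \t\r]/, "", val)           # also drops pasted carriage returns
            if (key != "ciphers" && key != "kexalgorithms") next
            if (val ~ /^-/) next               # "-list" removes algorithms (newer OpenSSH)
            n = split(val, alg, ",")
            for (i = 1; i <= n; i++) {
                if (key == "ciphers" && alg[i] ~ /-cbc(@|$)/)
                    print key ":" alg[i]
                if (key == "kexalgorithms" && alg[i] == "diffie-hellman-group1-sha1")
                    print key ":" alg[i]
            }
        }' "$1"
}

# Return 0 if the file is clean, 1 if the workaround (or part of it) remains.
audit_sshd_config() {
    findings=$(weak_algorithms "$1")
    [ -z "$findings" ] && return 0
    echo "debug-only SSH algorithms still enabled in $1:" >&2
    echo "$findings" | sed 's/^/  /' >&2
    return 1
}

# Demo on a constructed sample shaped like the workaround on this page.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'Port 22' \
    'Ciphers aes256-cbc,aes128-cbc,blowfish-cbc' \
    'KexAlgorithms ecdh-sha2-nistp256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1' \
    > "$sample"
audit_sshd_config "$sample" || echo "release blocked: revert the workaround"
rm -f "$sample"
```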