[ssh] How to replace dropbear with openssh?

Nicolas Delsaux

Apr 19, 2016, 2:52:08 PM
to Alt-F

On my NAS, I've installed openssh, as I required some advanced ssh access.
However, it seems my install is not exactly working

As an example, git client fails whatever server I use with the following
message

[root@dlink-6A4EB1]# git clone https://tt-rss.org/git/tt-rss.git tt-rss
Cloning into 'tt-rss'...
error: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed while accessing
https://tt-rss.org/git/tt-rss.git/info/refs?service=git-upload-pack
fatal: HTTP request failed

In a similar fashion, I have a bunch of ssl errors when trying to send
content to an IMAP server with SSL.
I guess they all come from missing certificates. However, openssl has
all Firefox certificates installed. As a consequence, I suppose both git
and python delegate their call to dropbear, which may not have those
certificates installed.

Which leads to my question: is it possible to only use openssl and
totally remove dropbear? Because the dropbear alt-f package does not appear
as uninstallable.
So is there a procedure to uninstall it? Or is it risky in any way?

João Cardoso

Apr 20, 2016, 3:16:55 PM
to Alt-F, nicolas...@gmx.fr

On Tuesday, 19 April 2016 19:52:08 UTC+1, Nicolas Delsaux wrote:
> On my NAS, I've installed openssh, as I required some advanced ssh access.
> However, it seems my install is not exactly working
>
> As an example, git client fails whatever server I use with the following
> message
>
> [root@dlink-6A4EB1]# git clone https://tt-rss.org/git/tt-rss.git tt-rss
> Cloning into 'tt-rss'...
> error: SSL certificate problem, verify that the CA cert is OK. Details:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> verify failed while accessing
> https://tt-rss.org/git/tt-rss.git/info/refs?service=git-upload-pack
> fatal: HTTP request failed

Does 'wget https://tt-rss.org/git/tt-rss.git/info/refs?service=git-upload-pack' fail for you? If there are certificate issues it will complain. It works for me.

Anyway, I have installed git (discovered a bug, that it depends on gettext), and it worked OK first without and later with openssh installed.

[root@dns-323]# git clone https://tt-rss.org/git/tt-rss.git tt-rss 
Cloning into 'tt-rss'...
remote: Counting objects: 55375, done.
remote: Compressing objects: 100% (25324/25324), done.
remote: Total 55375 (delta 29056), reused 52540 (delta 26807)
Receiving objects: 100% (55375/55375), 83.48 MiB | 439.00 KiB/s, done.
Resolving deltas: 100% (29056/29056), done.
Checking connectivity... done.
Checking out files: 100% (2420/2420), done.
 
BTW, I have a tt-rss pkg on the way... I don't use git, instead I use
TBALL=archive.tar.gz
wget --progress=dot:mega -O /tmp/$TBALL $SITE/$TBALL

My next comments about certs and openssl/openssh were written before I tried the git command myself, so read them with that in mind.
 

> In a similar fashion, I have a bunch of ssl errors when trying to send
> content to an IMAP server with SSL.

It might not be related, but since SSL-v3 is broken, see http://disablessl3.com, some sites might have disabled it, and an alternate protocol negotiation might not succeed.
The latest openssl and openssh even disable it (and other weak ciphers) by default, and that is causing issues for some programs (they need patches), users and sites.
 
> I guess they all come from missing certificates. However, openssl has
> all Firefox certificates installed. As a consequence, I suppose both git
> and python delegate their call to dropbear, which may not have those
> certificates installed.

I believe that dropbear does not use them.
 

> Which leads to my question: is it possible to only use openssl and
> totally remove dropbear? Because the dropbear alt-f package does not appear
> as uninstallable.

No, you can't un-install any pre-installed package -- they are on flash memory, not on disk.

There are only two conflicting files (same name) in dropbear and openssh; they are 'ssh' and 'scp'. Until you install openssh, they are just links to dropbear, and when you install openssh, the openssh versions take their place; on openssh de-installation the original links to dropbear are remade. So you are using openssh binaries.

So your issue might come either from certificates not being up to date or, more likely, because the openssl libraries have issues with certain sites (dropbear does not use openssl).
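
The reply above says 'ssh' and 'scp' are links to dropbear until openssh installs its own files under the same names. The script below is an added example, not part of the thread or of Alt-F, that reports which case holds on a given system; the /usr/bin default and the assumption that the link target's file name contains "dropbear" are mine.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: the pre-installed client is a
# symlink whose resolved target has "dropbear" in its file name.

# classify_client PATH
# Prints one of: missing | dropbear | other-link | regular
classify_client() {
    path=$1
    if [ -L "$path" ]; then
        # Follow the whole link chain; fall back to one hop if -f is unsupported.
        target=$(readlink -f "$path" 2>/dev/null || readlink "$path")
        case "$(basename "$target")" in
            *dropbear*) echo dropbear ;;
            *)          echo other-link ;;
        esac
    elif [ -e "$path" ]; then
        # A real file sits here, e.g. a binary that replaced the link.
        echo regular
    else
        echo missing
    fi
}

# report_clients DIR
# Classifies the two names the reply identifies as shared by both packages.
report_clients() {
    dir=$1
    for name in ssh scp; do
        printf '%s/%s: %s\n' "$dir" "$name" "$(classify_client "$dir/$name")"
    done
}

# /usr/bin is an assumed default location; pass another directory as $1.
report_clients "${1:-/usr/bin}"
```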