<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div><br><br>Sent from my iPad</div><div><br>On 3 jul 2015, at 20:07, Adam Krupicka <<a href="mailto:krupicka.adam@gmail.com">krupicka.adam@gmail.com</a>> wrote:<br><br></div><blockquote type="cite"><div><div dir="ltr">Hi,<div><br>I recently tried to play with distributed CT (Common Tests); these require the ability to open a SSH connection to the target host to start the remote nodes. It was there that I found that Erlang is unable to open a SSH connection to an up-to-date, defautly-configured OpenSSH server. The SSH Erlang library only supports a single Kex (key-exchange algorithm): diffie-hellman-group1-sha1. The RFC[1], however, specifically requests that every SSH implementation must also support the diffie-hellman-group14-sha1 algorithm. The current version of OpenSSH (OpenSSH_6.8p1, OpenSSL 1.0.2c 12 Jun 2015) in its default configuration only accepts:<br> <a href="mailto:curve25519-sha256@libssh.org">curve25519-sha256@libssh.org</a>, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group14-sha1.<br></div></div></div></blockquote>Strange, because the RFC also states that <span style="background-color: rgba(255, 255, 255, 0);">diffie-hellman-group1-sha1 MUST also be supported, in the paragraph above the one you are referring to (8.1)</span><div>I guess the SSH servers are not running in an interoperability mode?</div><div><br></div><div>I guess that adding kext algorithm and making the code more flexible should be an easy task.</div><div><br></div><div><blockquote type="cite"><div><div dir="ltr"><div>I've been told in #erlang on <a href="http://irc.freenode.net">irc.freenode.net</a> that the SSH library was probably only meant to access Erlang systems running SSH shells, however, the CT implementation depends on being able to connect to a real OpenSSH server; that is, on a correct implementation of the SSH standard.<br>I thought fixing this would be just a matter of implementing the correct Kex algorithm, but upon looking at the source I saw that the current implementation of the Kex algorithms seems to be a bit of a hack[2].</div><div><br></div></div></div></blockquote>A long time ago ...</div><div><br><blockquote type="cite"><div><div dir="ltr"><div>Can you please confirm that this is indeed a bug? I did also come across other people having what I consider to be the same issue[3].<br><br></div></div></div></blockquote>It is probably not a bug, it just does not comply to the RFC 4253. </div><div><br></div><div>/Tony<br><blockquote type="cite"><div><div dir="ltr"><div><br>Thanks,<br>A. K. <br><br><br><br>[1] <a href="https://tools.ietf.org/html/rfc4253#section-8.2">https://tools.ietf.org/html/rfc4253#section-8.2</a><br>[2] <a href="https://github.com/erlang/otp/blob/74a95b3d511177a9b35c2b0272b9ca5511b6f750/lib/ssh/src/ssh_transport.erl#L367">https://github.com/erlang/otp/blob/74a95b3d511177a9b35c2b0272b9ca5511b6f750/lib/ssh/src/ssh_transport.erl#L367</a><br></div><div>[3] <a href="https://stackoverflow.com/questions/31193906/cannot-connect-to-openssh-using-otp-ssh-module">https://stackoverflow.com/questions/31193906/cannot-connect-to-openssh-using-otp-ssh-module</a></div></div>
</div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>erlang-bugs mailing list</span><br><span><a href="mailto:erlang-bugs@erlang.org">erlang-bugs@erlang.org</a></span><br><span><a href="http://erlang.org/mailman/listinfo/erlang-bugs">http://erlang.org/mailman/listinfo/erlang-bugs</a></span><br></div></blockquote></div></body></html>