[erlang-questions] sshd self connect problems

Hans Nilsson R hans.r.nilsson@REDACTED
Fri Oct 5 09:00:28 CEST 2018


Hi,

1) Are there host keys in /etc/ssh ?
2) Are the *private* keys in /etc/ssh and that directory readable by the user running erl ?

Note that it is potentially dangerous to make the private keys world readable.  I would
recommend you to generate new host keys (ssh-keygen) in a separate directory readable only by the user
running erlang.

/Hans

On 10/04/2018 11:13 PM, Alexander Petrovsky wrote:
> Hello, I've some strange problem, when I run ssh server and try to connect
> to it from code on the same machine I've got an error:
> 
> Selection of key exchange algorithm failed
> 
> Server:
> 
>> ssh:daemon(Port, [{system_dir,            "/etc/ssh"},
>>                               {subsystems,
>>  [wm_ssh_sftp_ext:subsystem_spec(),
>>
>>  ssh_sftpd:subsystem_spec([{cwd, _CWD = "/"}])]},
>>                               {user_passwords,    [{"user", "pass"}]}]).
> 
> 
> Client:
> 
>> Opts = [{user, "user"},
>>              {password, "pass"},
>>              {silently_accept_hosts, true}],
>> ssh:connect(Node, Port, Opts, _Timeout = 5000).
> 
> 
> When I capture ssh traffic I find out that the server doesn't suggest
> `host_key_algorithms`
> 
>                 kex_algorithms length: 257
>>                 kex_algorithms string [truncated]:
>> ecdh-sha2-nistp384,ecdh-sha2-nistp521,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-grou
>>                 server_host_key_algorithms length: 0
>>                 server_host_key_algorithms string: [Empty]
>>                 encryption_algorithms_client_to_server length: 98
>>                 encryption_algorithms_client_to_server string:
>> aes256-gcm@REDACTED,aes256-ctr,aes192-ctr,aes128-gcm@REDACTED
>> ,aes128-ctr,aes128-cbc,3des-cbc
>>                 encryption_algorithms_server_to_client length: 98
>>                 encryption_algorithms_server_to_client string:
>> aes256-gcm@REDACTED,aes256-ctr,aes192-ctr,aes128-gcm@REDACTED
>> ,aes128-ctr,aes128-cbc,3des-cbc
>>                 mac_algorithms_client_to_server length: 37
>>                 mac_algorithms_client_to_server string:
>> hmac-sha2-256,hmac-sha2-512,hmac-sha1
>>                 mac_algorithms_server_to_client length: 37
>>                 mac_algorithms_server_to_client string:
>> hmac-sha2-256,hmac-sha2-512,hmac-sha1
>>                 compression_algorithms_client_to_server length: 26
>>                 compression_algorithms_client_to_server string: none,
>> zlib@REDACTED,zlib
>>                 compression_algorithms_server_to_client length: 26
>>                 compression_algorithms_server_to_client string: none,
>> zlib@REDACTED,zlib
>>                 languages_client_to_server length: 0
>>                 languages_client_to_server string: [Empty]
>>                 languages_server_to_client length: 0
>>                 languages_server_to_client string: [Empty]
>>                 First KEX Packet Follows: 0
>>                 Reserved: 00000000
>>             Padding String: 21850013139a828f718a
> 
> 
> But the client has some values:
> 
>                 kex_algorithms length: 257
>>                 kex_algorithms string [truncated]:
>> ecdh-sha2-nistp384,ecdh-sha2-nistp521,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-grou
>>                 server_host_key_algorithms length: 101
>>                 server_host_key_algorithms string:
>> ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ecdsa-sha2-nistp256,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss
>>                 encryption_algorithms_client_to_server length: 98
>>                 encryption_algorithms_client_to_server string:
>> aes256-gcm@REDACTED,aes256-ctr,aes192-ctr,aes128-gcm@REDACTED
>> ,aes128-ctr,aes128-cbc,3des-cbc
>>                 encryption_algorithms_server_to_client length: 98
>>                 encryption_algorithms_server_to_client string:
>> aes256-gcm@REDACTED,aes256-ctr,aes192-ctr,aes128-gcm@REDACTED
>> ,aes128-ctr,aes128-cbc,3des-cbc
>>                 mac_algorithms_client_to_server length: 37
>>                 mac_algorithms_client_to_server string:
>> hmac-sha2-256,hmac-sha2-512,hmac-sha1
>>                 mac_algorithms_server_to_client length: 37
>>                 mac_algorithms_server_to_client string:
>> hmac-sha2-256,hmac-sha2-512,hmac-sha1
>>                 compression_algorithms_client_to_server length: 26
>>                 compression_algorithms_client_to_server string: none,
>> zlib@REDACTED,zlib
>>                 compression_algorithms_server_to_client length: 26
>>                 compression_algorithms_server_to_client string: none,
>> zlib@REDACTED,zlib
>>                 languages_client_to_server length: 0
>>                 languages_client_to_server string: [Empty]
>>                 languages_server_to_client length: 0
>>                 languages_server_to_client string: [Empty]
>>                 First KEX Packet Follows: 0
>>                 Reserved: 00000000
>>             Padding String: 49945334a432cfa4a0371700f6
> 
> 
> Could someone help me please resolve this problem?
> 
> 
> 
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4161 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20181005/828ad85e/attachment.bin>


More information about the erlang-questions mailing list