[erlang-questions] ssh:connect "Key exchange failed"

József Bérces jozsef.berces@REDACTED
Tue Oct 8 17:27:29 CEST 2019


Hi Hans,

It works!

Many thanks,
Jozsef

From: Hans Nilsson R <hans.r.nilsson@REDACTED>
Sent: Tuesday, 8 October, 2019 16:15
To: József Bérces <jozsef.berces@REDACTED>; Erlang Questions <erlang-questions@REDACTED>
Subject: Re: ssh:connect "Key exchange failed"

I've found it.

The server and client have no common mac algorithm.  I tried to add 'hmac-sha1-96' to Erlang SSH:

$ git diff
diff --git a/lib/ssh/src/ssh_transport.erl b/lib/ssh/src/ssh_transport.erl
index a85926354e..66d06c3360 100644
--- a/lib/ssh/src/ssh_transport.erl
+++ b/lib/ssh/src/ssh_transport.erl
@@ -171,6 +171,7 @@ supported_algorithms(mac) ->
        [{'hmac-sha2-256',    [{macs,hmac}, {hashs,sha256}]},
         {'hmac-sha2-512',    [{macs,hmac}, {hashs,sha512}]},
         {'hmac-sha1',        [{macs,hmac}, {hashs,sha}]},
+        {'hmac-sha1-96',     [{macs,hmac}, {hashs,sha}]},
         {'AEAD_AES_128_GCM', [{ciphers,aes_128_gcm}]},
         {'AEAD_AES_256_GCM', [{ciphers,aes_256_gcm}]}
        ]
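
Review bot: the new 'hmac-sha1-96' entry carries exactly the same requirement list as the 'hmac-sha1' line above it ([{macs,hmac}, {hashs,sha}]), so this hunk only makes the name negotiable; nothing in the visible lines computes a tag truncated to 96 bits or sets a 12-byte MAC length for the new name. Please point to, or add to the patch, the clauses in ssh_transport.erl that compute the MAC and its length for 'hmac-sha1-96'. A test against a peer that is not Erlang SSH would also help, since an Erlang client talking to an Erlang server would agree with itself even if both sides handled the truncation the same wrong way.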

I can't test it because I have no ssh server at hand that has that old mac. But it works with Erlang client to Erlang server.

Could you patch your Erlang client, test and tell me if it works?

/Hans
________________________________
From: József Bérces <jozsef.berces@REDACTED>
Sent: 8 October 2019 14:36
To: Hans Nilsson R <hans.r.nilsson@REDACTED>; Erlang Questions <erlang-questions@REDACTED>
Subject: RE: ssh:connect "Key exchange failed"


Hi Hans,



I tried it with several OTP releases up to 21. I have not tried OTP 22.



Here is what I received with telnet:



QþCb8é¢ê~x|qâob'gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1ssh-rsa,ssh-dss aes256-cbc,aes192-cbc,aes128-cbc aes256-cbc,aes192-cbc,aes128-cbchmac-sha1-96,hmac-md5-96hmac-sha1-96,hmac-md5-96     none,zlib       none,zlib

                 es,i-default

                             es,i-defaultConnection closed by foreign host.



And these are the default algorithms:



[{kex,['ecdh-sha2-nistp384','ecdh-sha2-nistp521',
       'ecdh-sha2-nistp256','diffie-hellman-group-exchange-sha256',
       'diffie-hellman-group16-sha512',
       'diffie-hellman-group18-sha512',
       'diffie-hellman-group14-sha256',
       'diffie-hellman-group14-sha1',
       'diffie-hellman-group-exchange-sha1']},
 {public_key,['ecdsa-sha2-nistp384','ecdsa-sha2-nistp521',
              'ecdsa-sha2-nistp256','ssh-rsa','rsa-sha2-256',
              'rsa-sha2-512','ssh-dss']},
 {cipher,[{client2server,['aes256-gcm@REDACTED',
                          'aes256-ctr','aes192-ctr','aes128-gcm@REDACTED',
                          'aes128-ctr','aes128-cbc','3des-cbc']},
          {server2client,['aes256-gcm@REDACTED','aes256-ctr',
                          'aes192-ctr','aes128-gcm@REDACTED','aes128-ctr',
                          'aes128-cbc','3des-cbc']}]},
 {mac,[{client2server,['hmac-sha2-256','hmac-sha2-512',
                       'hmac-sha1']},
       {server2client,['hmac-sha2-256','hmac-sha2-512',
                       'hmac-sha1']}]},
 {compression,[{client2server,[none,'zlib@REDACTED',zlib]},
               {server2client,[none,'zlib@REDACTED',zlib]}]}]



5> ssh_transport:supported_algorithms(mac).
[{client2server,['hmac-sha2-256','hmac-sha2-512',
                 'hmac-sha1','AEAD_AES_128_GCM','AEAD_AES_256_GCM']},
 {server2client,['hmac-sha2-256','hmac-sha2-512','hmac-sha1',
                 'AEAD_AES_128_GCM','AEAD_AES_256_GCM']}]



Thanks,

Jozsef
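
An added example, not part of the thread and not Erlang/OTP code: the algorithm negotiation discussed in this thread, run over the name-lists quoted above, showing which KEXINIT fields have no common name. The module name kex_check, its function names and the field atoms are hypothetical; the server payload is rebuilt with a zero cookie, and a plain first-common-name rule is applied to every field, which simplifies RFC 4253's kex and host-key selection.

```erlang
-module(kex_check).
-export([parse_kexinit/1, negotiate/2, demo/0]).

%% Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
-define(FIELDS, [kex, host_key, cipher_c2s, cipher_s2c, mac_c2s, mac_s2c,
                 comp_c2s, comp_s2c, lang_c2s, lang_s2c]).

%% Payload: message byte 20, 16-byte cookie, ten name-lists, then a trailer.
parse_kexinit(<<20, _Cookie:16/binary, Rest/binary>>) ->
    parse_lists(?FIELDS, Rest).

parse_lists([], _Trailer) -> [];
parse_lists([F | Fs], <<Len:32, Names:Len/binary, Rest/binary>>) ->
    [{F, string:lexemes(binary_to_list(Names), ",")} | parse_lists(Fs, Rest)].

%% Per client field, the first client name that the server also lists.
%% no_match on any of them is what surfaces as "Key exchange failed".
negotiate(Client, Server) ->
    [{F, first_common(Algs, proplists:get_value(F, Server, []))}
     || {F, Algs} <- Client].

first_common(ClientAlgs, ServerAlgs) ->
    case [A || A <- ClientAlgs, lists:member(A, ServerAlgs)] of
        [First | _] -> First;
        []          -> no_match
    end.

%% Constructed input: names copied from this thread (server: telnet dump;
%% client: kex, key, cipher, MAC defaults minus the two redacted GCM names).
demo() ->
    Cbc = "aes256-cbc,aes192-cbc,aes128-cbc",
    Mac = "hmac-sha1-96,hmac-md5-96",
    Server = ["gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,"
              "diffie-hellman-group-exchange-sha1,"
              "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1",
              "ssh-rsa,ssh-dss", Cbc, Cbc, Mac, Mac,
              "none,zlib", "none,zlib", "es,i-default", "es,i-default"],
    Lists = << <<(length(L)):32, (list_to_binary(L))/binary>> || L <- Server >>,
    S = fun(Str) -> string:lexemes(Str, ",") end,
    Kex = S("ecdh-sha2-nistp384,ecdh-sha2-nistp521,ecdh-sha2-nistp256,"
            "diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,"
            "diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,"
            "diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1"),
    Key = S("ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ecdsa-sha2-nistp256,"
            "ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss"),
    Ciph = S("aes256-ctr,aes192-ctr,aes128-ctr,aes128-cbc,3des-cbc"),
    CMac = S("hmac-sha2-256,hmac-sha2-512,hmac-sha1"),
    Client = [{kex, Kex}, {host_key, Key}, {cipher_c2s, Ciph},
              {cipher_s2c, Ciph}, {mac_c2s, CMac}, {mac_s2c, CMac}],
    negotiate(Client, parse_kexinit(<<20, 0:128, Lists/binary, 0, 0:32>>)).
```

Compile with c(kex_check) and call kex_check:demo(). in an Erlang shell (string:lexemes/2 needs OTP 20 or later); the same negotiate/2 call can be fed a payload captured from a real server to see which field blocks the handshake.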



From: Hans Nilsson R <hans.r.nilsson@REDACTED>
Sent: Tuesday, 8 October, 2019 10:47
To: József Bérces <jozsef.berces@REDACTED>; Erlang Questions <erlang-questions@REDACTED>
Subject: Re: ssh:connect "Key exchange failed"



The "Key exchange failed" error indicates that there is no agreement in the first phase where different algorithms are negotiated.



A common cause is that there is no common cipher algorithm available. For example the AES-256 CBC is not available in Erlang SSH.

Which OTP version do you use?

What does the function ssh:default_algorithms() return?

What algorithms does the server provide?  (Check by telnetting to the server, type "SSH-2.0-xxx" and look at the funny characters that are returned. Or post them here)



/Hans

________________________________

From: erlang-questions-bounces@REDACTED <erlang-questions-bounces@REDACTED> on behalf of József Bérces <jozsef.berces@REDACTED>
Sent: 8 October 2019 09:23
To: Erlang Questions <erlang-questions@REDACTED>
Subject: [erlang-questions] ssh:connect "Key exchange failed"



Hi,



I need to connect to an ssh server but ssh:connect always returns "Key exchange failed". I can connect with KiTTY, and checking the KiTTY logs I suspect that the problem is the 1024-bit RSA key.



Could you please check in the KiTTY log below what is not supported by the Erlang SSH client?



Is there any way to add the missing support to the Erlang SSH client so that I could connect to this server?



Thanks,

Jozsef



2019-10-07 14:37:58       Starting 42264 from XXXXX@REDACTED
2019-10-07 14:38:07       Connecting to 10.XXX.XXX.XXX port 22
2019-10-07 14:38:07       We claim version: SSH-2.0-PuTTY_KiTTY
2019-10-07 14:38:07       Server version: SSH-2.0-Sun_SSH_1.1.5
2019-10-07 14:38:07       Using SSH protocol version 2
2019-10-07 14:38:08       Doing Diffie-Hellman group exchange
2019-10-07 14:38:08       Doing Diffie-Hellman key exchange with hash SHA-1
2019-10-07 14:38:08       Server also has ssh-dss host key, but we don't know it
2019-10-07 14:38:08       Host key fingerprint is:
2019-10-07 14:38:08       ssh-rsa 1024 XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
2019-10-07 14:38:16       Initialised AES-256 CBC client->server encryption
2019-10-07 14:38:16       Initialised HMAC-SHA1-96 client->server MAC algorithm
2019-10-07 14:38:16       Initialised AES-256 CBC server->client encryption
2019-10-07 14:38:16       Initialised HMAC-SHA1-96 server->client MAC algorithm
2019-10-07 14:38:22       Using SSPI from SECUR32.DLL
2019-10-07 14:38:22       Attempting GSSAPI authentication
2019-10-07 14:38:22       GSSAPI authentication initialisation failed
2019-10-07 14:38:22       The target was not recognized.
2019-10-07 14:38:22       Attempting keyboard-interactive authentication
2019-10-07 14:38:30       Access granted
2019-10-07 14:38:30       Opening session as main channel
2019-10-07 14:38:30       Opened main channel
2019-10-07 14:38:30       Allocated pty (ospeed 38400bps, ispeed 38400bps)
2019-10-07 14:38:31       Started a shell/command