[erlang-questions] ssh:connect "Key exchange failed"
Hans Nilsson R
hans.r.nilsson@REDACTED
Tue Oct 8 16:15:27 CEST 2019
I've found it.
The server and client have no common MAC algorithm. I tried to add 'hmac-sha1-96' to Erlang SSH:
$ git diff
diff --git a/lib/ssh/src/ssh_transport.erl b/lib/ssh/src/ssh_transport.erl
index a85926354e..66d06c3360 100644
--- a/lib/ssh/src/ssh_transport.erl
+++ b/lib/ssh/src/ssh_transport.erl
@@ -171,6 +171,7 @@ supported_algorithms(mac) ->
[{'hmac-sha2-256', [{macs,hmac}, {hashs,sha256}]},
{'hmac-sha2-512', [{macs,hmac}, {hashs,sha512}]},
{'hmac-sha1', [{macs,hmac}, {hashs,sha}]},
+ {'hmac-sha1-96', [{macs,hmac}, {hashs,sha}]},
{'AEAD_AES_128_GCM', [{ciphers,aes_128_gcm}]},
{'AEAD_AES_256_GCM', [{ciphers,aes_256_gcm}]}
]
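Review bot: the added 'hmac-sha1-96' line carries exactly the same capability list as the 'hmac-sha1' line above it ([{macs,hmac}, {hashs,sha}]), and this hunk only touches supported_algorithms(mac), so nothing visible here produces or checks a 96-bit tag. hmac-sha1-96 sends only the first 12 bytes of the HMAC-SHA1 output, so the patch also needs the MAC computation and the tag-length lookup to handle the new name; if those clauses exist elsewhere they should be part of the same diff. An Erlang client talking to an Erlang server would share any mistake in tag length, so the change should be verified against an independent implementation before merging. The new entry is also placed ahead of the AEAD_AES_*_GCM entries; if list order feeds preference, the truncated MAC belongs at the end and is better left out of the defaults.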
I can't test it because I have no ssh server at hand that has that old mac. But it works with erlang client to erlang server.
Could you patch your Erlang client, test and tell me if it works?
/Hans
________________________________
From: József Bérces <jozsef.berces@REDACTED>
Sent: 8 October 2019 14:36
To: Hans Nilsson R <hans.r.nilsson@REDACTED>; Erlang Questions <erlang-questions@REDACTED>
Subject: RE: ssh:connect "Key exchange failed"
Hi Hans,
I tried it with several OTP releases up to 21. I have not tried OTP 22.
Here is what I received with telnet:
QþCb8é¢ê˜x|qâob‚gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1ssh-rsa,ssh-dss aes256-cbc,aes192-cbc,aes128-cbc aes256-cbc,aes192-cbc,aes128-cbchmac-sha1-96,hmac-md5-96hmac-sha1-96,hmac-md5-96 none,zlib none,zlib
es,i-default
es,i-defaultConnection closed by foreign host.
And these are the default algorithms:
[{kex,['ecdh-sha2-nistp384','ecdh-sha2-nistp521',
'ecdh-sha2-nistp256','diffie-hellman-group-exchange-sha256',
'diffie-hellman-group16-sha512',
'diffie-hellman-group18-sha512',
'diffie-hellman-group14-sha256',
'diffie-hellman-group14-sha1',
'diffie-hellman-group-exchange-sha1']},
{public_key,['ecdsa-sha2-nistp384','ecdsa-sha2-nistp521',
'ecdsa-sha2-nistp256','ssh-rsa','rsa-sha2-256',
'rsa-sha2-512','ssh-dss']},
{cipher,[{client2server,['aes256-gcm@REDACTED',
'aes256-ctr','aes192-ctr','aes128-gcm@REDACTED',
'aes128-ctr','aes128-cbc','3des-cbc']},
{server2client,['aes256-gcm@REDACTED','aes256-ctr',
'aes192-ctr','aes128-gcm@REDACTED','aes128-ctr',
'aes128-cbc','3des-cbc']}]},
{mac,[{client2server,['hmac-sha2-256','hmac-sha2-512',
'hmac-sha1']},
{server2client,['hmac-sha2-256','hmac-sha2-512',
'hmac-sha1']}]},
{compression,[{client2server,[none,'zlib@REDACTED',zlib]},
{server2client,[none,'zlib@REDACTED',zlib]}]}]
5> ssh_transport:supported_algorithms(mac).
[{client2server,['hmac-sha2-256','hmac-sha2-512',
'hmac-sha1','AEAD_AES_128_GCM','AEAD_AES_256_GCM']},
{server2client,['hmac-sha2-256','hmac-sha2-512','hmac-sha1',
'AEAD_AES_128_GCM','AEAD_AES_256_GCM']}]
Thanks,
Jozsef
From: Hans Nilsson R <hans.r.nilsson@REDACTED>
Sent: Tuesday, 8 October, 2019 10:47
To: József Bérces <jozsef.berces@REDACTED>; Erlang Questions <erlang-questions@REDACTED>
Subject: Sv: ssh:connect "Key exchange failed"
The "Key exchange failed" error indicates that there is no agreement in the first phase where different algorithms are negotiated.
A common cause is that there is no common cipher algorithm available. For example, AES-256 CBC is not available in Erlang SSH.
Which otp version do you use?
What does the function ssh:default_algorithms() return?
What algorithms does the server provide? (Check by telnetting to the server, typing "SSH-2.0-xxx" and looking at the funny characters that are returned. Or post them here.)
/Hans
________________________________
From: erlang-questions-bounces@REDACTED <erlang-questions-bounces@REDACTED> on behalf of József Bérces <jozsef.berces@REDACTED>
Sent: 8 October 2019 09:23
To: Erlang Questions <erlang-questions@REDACTED>
Subject: [erlang-questions] ssh:connect "Key exchange failed"
Hi,
I need to connect to an ssh server but ssh:connect always returns "Key exchange failed". I can connect with KiTTY, and checking the KiTTY logs I suspect that the problem is the 1024-bit RSA key.
Could you please check in the KiTTY log below what is not supported by the Erlang SSH client?
Is there any way to add the missing support to the Erlang SSH client so that I could connect to this server?
Thanks,
Jozsef
2019-10-07 14:37:58 Starting 42264 from XXXXX@REDACTED
2019-10-07 14:38:07 Connecting to 10.XXX.XXX.XXX port 22
2019-10-07 14:38:07 We claim version: SSH-2.0-PuTTY_KiTTY
2019-10-07 14:38:07 Server version: SSH-2.0-Sun_SSH_1.1.5
2019-10-07 14:38:07 Using SSH protocol version 2
2019-10-07 14:38:08 Doing Diffie-Hellman group exchange
2019-10-07 14:38:08 Doing Diffie-Hellman key exchange with hash SHA-1
2019-10-07 14:38:08 Server also has ssh-dss host key, but we don't know it
2019-10-07 14:38:08 Host key fingerprint is:
2019-10-07 14:38:08 ssh-rsa 1024 XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
2019-10-07 14:38:16 Initialised AES-256 CBC client->server encryption
2019-10-07 14:38:16 Initialised HMAC-SHA1-96 client->server MAC algorithm
2019-10-07 14:38:16 Initialised AES-256 CBC server->client encryption
2019-10-07 14:38:16 Initialised HMAC-SHA1-96 server->client MAC algorithm
2019-10-07 14:38:22 Using SSPI from SECUR32.DLL
2019-10-07 14:38:22 Attempting GSSAPI authentication
2019-10-07 14:38:22 GSSAPI authentication initialisation failed
2019-10-07 14:38:22 The target was not recognized.
2019-10-07 14:38:22 Attempting keyboard-interactive authentication
2019-10-07 14:38:30 Access granted
2019-10-07 14:38:30 Opening session as main channel
2019-10-07 14:38:30 Opened main channel
2019-10-07 14:38:30 Allocated pty (ospeed 38400bps, ispeed 38400bps)
2019-10-07 14:38:31 Started a shell/command
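
The per-category comparison that the thread does by eye, as an added example that is not part of the original messages or of OTP: it matches a client's lists against a server's lists and reports every category with no common name. The module name `kex_check` and its functions are hypothetical, and the lists in `demo/0` are abridged from the two listings posted in the thread.

```erlang
-module(kex_check).
-export([negotiate/2, demo/0]).

%% Added example. Both arguments use the shape of ssh:default_algorithms().
%% Rule: the first name on the client's list that the server also offers
%% (RFC 4253 section 7.1, without its extra kex/host-key conditions).
negotiate(Client, Server) ->
    lists:flatmap(
      fun({Cat, CVal}) ->
              compare(Cat, CVal, proplists:get_value(Cat, Server, []))
      end, Client).

%% cipher, mac and compression carry one list per direction.
compare(Cat, [{client2server, _} | _] = CDirs, SDirs) ->
    [{{Cat, Dir}, pick(CList, proplists:get_value(Dir, SDirs, []))}
     || {Dir, CList} <- CDirs];
compare(Cat, CList, SList) ->
    [{Cat, pick(CList, SList)}].

pick(CList, SList) ->
    case [A || A <- CList, lists:member(A, SList)] of
        [First | _] -> {ok, First};
        []          -> no_common_algorithm
    end.

both(L) -> [{client2server, L}, {server2client, L}].

%% Lists abridged from the two listings in the thread (the gss-* kex name
%% and the names containing a redacted address are left out).
demo() ->
    Client =
        [{kex, ['ecdh-sha2-nistp384', 'diffie-hellman-group14-sha256',
                'diffie-hellman-group14-sha1',
                'diffie-hellman-group-exchange-sha1']},
         {public_key, ['ecdsa-sha2-nistp384', 'ssh-rsa', 'ssh-dss']},
         {cipher, both(['aes256-ctr', 'aes128-ctr', 'aes128-cbc', '3des-cbc'])},
         {mac, both(['hmac-sha2-256', 'hmac-sha2-512', 'hmac-sha1'])},
         {compression, both([none, zlib])}],
    Server =
        [{kex, ['diffie-hellman-group-exchange-sha1',
                'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1']},
         {public_key, ['ssh-rsa', 'ssh-dss']},
         {cipher, both(['aes256-cbc', 'aes192-cbc', 'aes128-cbc'])},
         {mac, both(['hmac-sha1-96', 'hmac-md5-96'])},
         {compression, both([none, zlib])}],
    negotiate(Client, Server).
```

Passing the real `ssh:default_algorithms()` result as the first argument of `kex_check:negotiate/2` checks a live client configuration against a server list transcribed from its KEXINIT.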