ssh:connect "Key exchange failed"


ssh:connect "Key exchange failed"

József Bérces (LA/ETH)

Hi,

 

I need to connect to an ssh server but ssh:connect always returns "Key exchange failed". I can connect with KiTTY, and checking the KiTTY logs I suspect that the problem is the 1024-bit RSA key.

 

Could you please check in the KiTTY log below what is not supported by the Erlang SSH client?

 

Is there any way to add the missing support to the Erlang SSH client so that I could connect to this server?

 

Thanks,

Jozsef

 

2019-10-07 14:37:58       Starting 42264 from XXXXX@XXXXXX
2019-10-07 14:38:07       Connecting to 10.XXX.XXX.XXX port 22
2019-10-07 14:38:07       We claim version: SSH-2.0-PuTTY_KiTTY
2019-10-07 14:38:07       Server version: SSH-2.0-Sun_SSH_1.1.5
2019-10-07 14:38:07       Using SSH protocol version 2
2019-10-07 14:38:08       Doing Diffie-Hellman group exchange
2019-10-07 14:38:08       Doing Diffie-Hellman key exchange with hash SHA-1
2019-10-07 14:38:08       Server also has ssh-dss host key, but we don't know it
2019-10-07 14:38:08       Host key fingerprint is:
2019-10-07 14:38:08       ssh-rsa 1024 XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
2019-10-07 14:38:16       Initialised AES-256 CBC client->server encryption
2019-10-07 14:38:16       Initialised HMAC-SHA1-96 client->server MAC algorithm
2019-10-07 14:38:16       Initialised AES-256 CBC server->client encryption
2019-10-07 14:38:16       Initialised HMAC-SHA1-96 server->client MAC algorithm
2019-10-07 14:38:22       Using SSPI from SECUR32.DLL
2019-10-07 14:38:22       Attempting GSSAPI authentication
2019-10-07 14:38:22       GSSAPI authentication initialisation failed
2019-10-07 14:38:22       The target was not recognized.
2019-10-07 14:38:22       Attempting keyboard-interactive authentication
2019-10-07 14:38:30       Access granted
2019-10-07 14:38:30       Opening session as main channel
2019-10-07 14:38:30       Opened main channel
2019-10-07 14:38:30       Allocated pty (ospeed 38400bps, ispeed 38400bps)
2019-10-07 14:38:31       Started a shell/command


_______________________________________________
erlang-questions mailing list
[hidden email]
http://erlang.org/mailman/listinfo/erlang-questions

Re: ssh:connect "Key exchange failed"

Hans Nilsson R (AL/EAB)
The "Key exchange failed" error indicates that there is no agreement in the first phase where different algorithms are negotiated.

A common cause is that there is no common cipher algorithm available. For example, AES-256 CBC is not available in Erlang SSH.

Which OTP version do you use?
What does the function ssh:default_algorithms() return?
What algorithms does the server provide?  (Check by telnetting to the server, typing "SSH-2.0-xxx" and looking at the funny characters that are returned. Or post them here)

/Hans

From: [hidden email] <[hidden email]> on behalf of József Bérces <[hidden email]>
Sent: 8 October 2019 09:23
To: Erlang Questions <[hidden email]>
Subject: [erlang-questions] ssh:connect "Key exchange failed"
 


Re: ssh:connect "Key exchange failed"

József Bérces (LA/ETH)

Hi Hans,

 

I tried it with several OTP releases up to 21. I have not tried OTP 22.

 

Here is what I received with telnet:

 

QþCb8é¢ê˜x|qâob‚gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1ssh-rsa,ssh-dss aes256-cbc,aes192-cbc,aes128-cbc aes256-cbc,aes192-cbc,aes128-cbchmac-sha1-96,hmac-md5-96hmac-sha1-96,hmac-md5-96     none,zlib       none,zlib

                 es,i-default

                             es,i-defaultConnection closed by foreign host.

 

And these are the default algorithms:

 

[{kex,['ecdh-sha2-nistp384','ecdh-sha2-nistp521',
       'ecdh-sha2-nistp256','diffie-hellman-group-exchange-sha256',
       'diffie-hellman-group16-sha512',
       'diffie-hellman-group18-sha512',
       'diffie-hellman-group14-sha256',
       'diffie-hellman-group14-sha1',
       'diffie-hellman-group-exchange-sha1']},
 {public_key,['ecdsa-sha2-nistp384','ecdsa-sha2-nistp521',
              'ecdsa-sha2-nistp256','ssh-rsa','rsa-sha2-256',
              'rsa-sha2-512','ssh-dss']},
 {cipher,[{client2server,['[hidden email]',
                          'aes256-ctr','aes192-ctr','[hidden email]',
                          'aes128-ctr','aes128-cbc','3des-cbc']},
          {server2client,['[hidden email]','aes256-ctr',
                          'aes192-ctr','[hidden email]','aes128-ctr',
                          'aes128-cbc','3des-cbc']}]},
 {mac,[{client2server,['hmac-sha2-256','hmac-sha2-512',
                       'hmac-sha1']},
       {server2client,['hmac-sha2-256','hmac-sha2-512',
                       'hmac-sha1']}]},
 {compression,[{client2server,[none,'[hidden email]',zlib]},
               {server2client,[none,'[hidden email]',zlib]}]}]

5> ssh_transport:supported_algorithms(mac).
[{client2server,['hmac-sha2-256','hmac-sha2-512',
                 'hmac-sha1','AEAD_AES_128_GCM','AEAD_AES_256_GCM']},
 {server2client,['hmac-sha2-256','hmac-sha2-512','hmac-sha1',
                 'AEAD_AES_128_GCM','AEAD_AES_256_GCM']}]

 

Thanks,

Jozsef

 

From: Hans Nilsson R <[hidden email]>
Sent: Tuesday, 8 October, 2019 10:47
To: József Bérces <[hidden email]>; Erlang Questions <[hidden email]>
Subject: Sv: ssh:connect "Key exchange failed"

 


Re: ssh:connect "Key exchange failed"

Hans Nilsson R (AL/EAB)
I've found it.

The server and client have no common mac algorithm.  I tried to add 'hmac-sha1-96' to Erlang SSH:

$ git diff
diff --git a/lib/ssh/src/ssh_transport.erl b/lib/ssh/src/ssh_transport.erl
index a85926354e..66d06c3360 100644
--- a/lib/ssh/src/ssh_transport.erl
+++ b/lib/ssh/src/ssh_transport.erl
@@ -171,6 +171,7 @@ supported_algorithms(mac) ->
        [{'hmac-sha2-256',    [{macs,hmac}, {hashs,sha256}]},
         {'hmac-sha2-512',    [{macs,hmac}, {hashs,sha512}]},
         {'hmac-sha1',        [{macs,hmac}, {hashs,sha}]},
+        {'hmac-sha1-96',     [{macs,hmac}, {hashs,sha}]},
         {'AEAD_AES_128_GCM', [{ciphers,aes_128_gcm}]},
         {'AEAD_AES_256_GCM', [{ciphers,aes_256_gcm}]}
        ]
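
Review bot: the added 'hmac-sha1-96' entry carries exactly the same requirement list as 'hmac-sha1' on the line above it ([{macs,hmac}, {hashs,sha}]), so nothing in this hunk expresses the truncation to 96 bits. Please confirm that the code which computes the MAC and the code which reports its length both handle 'hmac-sha1-96' with a 12-byte tag; neither is visible here. An Erlang client to Erlang server run would also pass if both ends truncated wrongly in the same way, so a known-answer test or a run against a third-party server is worth adding. It is also worth deciding, and documenting, whether this legacy MAC is offered by default or only when the user opts in.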

I can't test it because I have no ssh server at hand that has that old mac. But it works with erlang client to erlang server.

Could you patch your Erlang client, test and tell me if it works?

/Hans
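
The negotiation that fails in this thread, as an added example (not code from the thread or from OTP; the module kex_diag and its functions are hypothetical): it parses an SSH_MSG_KEXINIT payload and picks, per category, the first client algorithm the server also offers. The server payload is rebuilt from the name-lists in the telnet dump with a constructed all-zero cookie and without the GSS kex name, and the client lists are the posted ssh:default_algorithms() output minus the entries the archive masks as '[hidden email]'.

```erlang
%% Added example; kex_diag and its functions are hypothetical, not OTP code.
-module(kex_diag).
-export([parse_kexinit/1, negotiate/2, demo/0]).

%% Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
-define(FIELDS, [kex, public_key, cipher_c2s, cipher_s2c, mac_c2s, mac_s2c,
                 compression_c2s, compression_s2c, lang_c2s, lang_s2c]).

%% Payload: byte 20, 16-byte cookie, ten name-lists, boolean, uint32 reserved.
parse_kexinit(<<20, _Cookie:16/binary, Rest/binary>>) ->
    parse_lists(?FIELDS, Rest, []);
parse_kexinit(_) ->
    {error, not_kexinit}.

parse_lists([], <<_FirstKexPacketFollows:8, _Reserved:32>>, Acc) ->
    {ok, lists:reverse(Acc)};
parse_lists([Field | Fields], <<Len:32, Names:Len/binary, Rest/binary>>, Acc) ->
    %% A name-list is a uint32 length followed by comma-separated names.
    Split = binary:split(Names, <<",">>, [global, trim_all]),
    parse_lists(Fields, Rest, [{Field, Split} | Acc]);
parse_lists(_, _, _) ->
    {error, malformed}.

%% Per category, the result is the first client entry the server also offers.
%% Simplified: RFC 4253 puts extra conditions on kex and host key choice.
negotiate(Client, Server) ->
    [{Field, pick(Names, proplists:get_value(Field, Server, []))}
     || {Field, Names} <- Client].

pick(ClientNames, ServerNames) ->
    case [N || N <- ClientNames, lists:member(N, ServerNames)] of
        [Chosen | _] -> {ok, Chosen};
        []           -> no_common_algorithm
    end.

%% Constructed input: name-lists read off the telnet dump in the thread
%% (GSS kex name dropped), re-encoded with an all-zero cookie.
server_kexinit() ->
    Cbc = <<"aes256-cbc,aes192-cbc,aes128-cbc">>,
    Mac = <<"hmac-sha1-96,hmac-md5-96">>,
    Zip = <<"none,zlib">>,
    Lang = <<"es,i-default">>,
    Lists = [<<"diffie-hellman-group-exchange-sha1,"
               "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1">>,
             <<"ssh-rsa,ssh-dss">>, Cbc, Cbc, Mac, Mac, Zip, Zip, Lang, Lang],
    Body = << <<(byte_size(L)):32, L/binary>> || L <- Lists >>,
    <<20, 0:128, Body/binary, 0:8, 0:32>>.

%% Client side: ssh:default_algorithms() as posted in the thread, without the
%% entries the archive shows as '[hidden email]'.
client_defaults() ->
    Cipher = [<<"aes256-ctr">>, <<"aes192-ctr">>, <<"aes128-ctr">>,
              <<"aes128-cbc">>, <<"3des-cbc">>],
    Mac = [<<"hmac-sha2-256">>, <<"hmac-sha2-512">>, <<"hmac-sha1">>],
    Zip = [<<"none">>, <<"zlib">>],
    [{kex, [<<"ecdh-sha2-nistp384">>, <<"ecdh-sha2-nistp521">>,
            <<"ecdh-sha2-nistp256">>,
            <<"diffie-hellman-group-exchange-sha256">>,
            <<"diffie-hellman-group16-sha512">>,
            <<"diffie-hellman-group18-sha512">>,
            <<"diffie-hellman-group14-sha256">>,
            <<"diffie-hellman-group14-sha1">>,
            <<"diffie-hellman-group-exchange-sha1">>]},
     {public_key, [<<"ecdsa-sha2-nistp384">>, <<"ecdsa-sha2-nistp521">>,
                   <<"ecdsa-sha2-nistp256">>, <<"ssh-rsa">>,
                   <<"rsa-sha2-256">>, <<"rsa-sha2-512">>, <<"ssh-dss">>]},
     {cipher_c2s, Cipher}, {cipher_s2c, Cipher},
     {mac_c2s, Mac}, {mac_s2c, Mac},
     {compression_c2s, Zip}, {compression_s2c, Zip}].

%% Parse the constructed server payload and negotiate against the defaults.
demo() ->
    {ok, Server} = parse_kexinit(server_kexinit()),
    negotiate(client_defaults(), Server).
```

Calling kex_diag:demo() in the Erlang shell returns one result per category; with these inputs only mac_c2s and mac_s2c come back as no_common_algorithm, which is the mismatch identified in the message above.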

From: József Bérces <[hidden email]>
Sent: 8 October 2019 14:36
To: Hans Nilsson R <[hidden email]>; Erlang Questions <[hidden email]>
Subject: RE: ssh:connect "Key exchange failed"
 


Re: ssh:connect "Key exchange failed"

József Bérces (LA/ETH)

Hi Hans,

 

It works!

 

Many thanks,

Jozsef

 

From: Hans Nilsson R <[hidden email]>
Sent: Tuesday, 8 October, 2019 16:15
To: József Bérces <[hidden email]>; Erlang Questions <[hidden email]>
Subject: Sv: ssh:connect "Key exchange failed"

 


Re: ssh:connect "Key exchange failed"

Hans Nilsson R (AL/EAB)
Great! Thanks for reporting and testing it. I'll add this to maint and master in github.
/Hans

From: József Bérces <[hidden email]>
Sent: 8 October 2019 17:27
To: Hans Nilsson R <[hidden email]>; Erlang Questions <[hidden email]>
Subject: RE: ssh:connect "Key exchange failed"
 
