• Ubuntu 18.04 -> Ubuntu 20.04 broke libssh2 client

    From Matthew Fleming@21:1/5 to All on Fri Feb 25 05:52:17 2022
    I've also posted to the libssh2-devel group about this, but no answer so far.

    I have a Windows-based client application using libssh2 that was working fine until I moved to a new server running Ubuntu 20.04 LTS, from one running Ubuntu 18.04 LTS. Now libssh2_session_handshake() on the client fails with result code LIBSSH2_ERROR_KEX_FAILURE and libssh2_session_last_error() reports "Unable to exchange keys". Auth.log on the server reports:

    sshd[21850]: Unable to negotiate with 104.48.39.9 port 57156: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]

    This seems odd for a few reasons. I rebuilt the client app with the latest version of libssh2, and this is supposed to also support diffie-hellman-group-exchange-sha256, but that wasn't offered. Also the version of openssh on the Ubuntu server supposedly
    supports the key exchange methods that were offered but apparently rejected.

    ssh -Q kex on the server reports this:
    ssh -Q kex
    diffie-hellman-group1-sha1
    diffie-hellman-group14-sha1
    diffie-hellman-group14-sha256
    diffie-hellman-group16-sha512
    diffie-hellman-group18-sha512
    diffie-hellman-group-exchange-sha1
    diffie-hellman-group-exchange-sha256
    ecdh-sha2-nistp256
    ecdh-sha2-nistp384
    ecdh-sha2-nistp521
    curve25519-sha256
    curve25519-sha256@libssh.org
    sntrup4591761x25519-sha512@tinyssh.org

    I tried adding
    KexAlgorithms +diffie-hellman-group1-sha
    to /etc/ssh_config (and then restarting ssh and sshd) but it made no difference.

    I can ssh and sftp to the server using various clients without any problem. The issue is only with trying to sftp using libssh2.

    I rebuilt my Windows client app against the latest version of libssh2, but no difference. (I built libssh2 using vcpkg install libssh2.) I also tried building a different way, to link against the WinCNG, as in https://jpassing.com/2021/02/29/2021-03-29-building-libssh2-on-windows-lessons-learnt/ but no different.

    I've spent many hours on this and would really appreciate some help. At this point it seems like my only option is to rebuild the app using another library (libssh perhaps), and I'd really like to avoid that.

    Thanks very much in advance.

    Matthew Fleming, MD
    Fleming Dermatopathology
    Milwaukee, WI

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
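
    Added example (not part of either post, and not libssh2 or OpenSSH code): a triage helper for the auth.log line quoted above, comparing the client's offer with the server's enabled list as printed by `sshd -T`. It generalizes to the other "no matching ... found" negotiation failures; `SAMPLE_SSHD_T` is a constructed excerpt, since the thread does not show the server's effective configuration, and all function names are hypothetical.

```python
import re

# sshd pre-auth failure: "... no matching <kind> found. Their offer: a,b,c [preauth]"
NEGOTIATE_RE = re.compile(
    r"Unable to negotiate with (?P<peer>\S+) port \d+: "
    r"no matching (?P<kind>.+?) found\. Their offer: (?P<offer>\S+)")

# `sshd -T` keyword that holds the enabled list for each failure kind.
KIND_TO_KEYWORD = {"key exchange method": "kexalgorithms",
                   "host key type": "hostkeyalgorithms",
                   "cipher": "ciphers", "MAC": "macs"}

# The log line quoted in the post above.
SAMPLE_LOG = [
    "sshd[21850]: Unable to negotiate with 104.48.39.9 port 57156: "
    "no matching key exchange method found. Their offer: "
    "diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,"
    "diffie-hellman-group1-sha1 [preauth]",
]

# Constructed `sshd -T` excerpt (assumption; not taken from the thread).
SAMPLE_SSHD_T = (
    "port 22\n"
    "kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,"
    "ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,"
    "diffie-hellman-group14-sha256\n"
    "ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com\n")


def parse_effective_config(sshd_t_output):
    """Turn `sshd -T` output ("keyword value" per line) into {keyword: [names]}."""
    config = {}
    for line in sshd_t_output.splitlines():
        keyword, _, value = line.strip().partition(" ")
        if keyword in KIND_TO_KEYWORD.values():
            config[keyword] = value.split(",")
    return config


def triage(log_lines, config):
    """Return one finding per negotiation failure found in the log lines."""
    findings = []
    for line in log_lines:
        m = NEGOTIATE_RE.search(line)
        if m:
            offer = m["offer"].split(",")
            enabled = config.get(KIND_TO_KEYWORD.get(m["kind"], ""), [])
            findings.append({
                "peer": m["peer"], "kind": m["kind"], "offer": offer,
                # Names both sides accept; empty means the handshake must fail.
                "common": [name for name in offer if name in enabled],
                # True when every offered name ends in "-sha1".
                "all_sha1": all(name.endswith("-sha1") for name in offer)})
    return findings
```

    `ssh -Q kex` lists the algorithms the binary supports, while `sshd -T` prints the server's effective settings, so the latter is the list to feed to `parse_effective_config()`.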
  • From James Tan@21:1/5 to mgf...@gmail.com on Fri Jul 8 16:44:04 2022
    You probably have this figured out already, in case not,

    Check /var/log/auth.log, if you see "userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]" then take a look at this https://access.redhat.com/discussions/5251241

    james
