
Re: [SUPPORT REQUEST] Configuration of libssh host key algos on client


Hello Jakub,

thanks for your reply.

It is exactly the other way round. The client does seem to accept only the safe algorithms, while the server only allows ssh-rsa. To my knowledge, this is due to the server using an older version of libssh (0.7.x) and the client being the newest version.

I am not sure if this impacts your previous suggestion. If not, could you tell me which command I have to append to which file, please?

Also, I have appended the complete configuration file of the client (/etc/ssh/sshd_config), if this helps.

Thanks again!

Best regards,
Sebastian

-----Original Message-----
From: Jakub Jelen <jjelen@xxxxxxxxxx>
Sent: Monday, 25 May 2020 18:42
To: libssh@xxxxxxxxxx
Subject: Re: [SUPPORT REQUEST] Configuration of libssh host key algos on client

On Mon, 2020-05-25 at 15:52 +0000, Sebastian Kraust wrote:
> Hello libssh-team,
>
> I am currently working on a project using libssh under the hood, but
> have problems getting it to work. I hope you can provide some help.
>
> Task
> Write a client for an existing server which cannot be 
> changed/configured by me.
>
> Approach
> Connect to the server using the function `ssh_connect`.
>
> Error
> kex error : no match for method server host key algo: server [ssh-rsa], client [ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256]
>
> Problem
> Due to the restriction that I can only change the client side, I have 
> to change the client so that it accepts the ssh-rsa algo.
> According to the docs, it should be capable of doing so.
>
> Troubleshooting so far
> Added
> PubkeyAcceptedKeyTypes ssh-ed25519*,ssh-rsa*,ssh-dss*,ecdsa-sha2
> to /etc/ssh/sshd_config to allow every algo on the client side.
>
> I still get the same error. I do believe that the config might not be 
> the correct file to configure libssh.
>
> Can you give me some direction where I have to configure libssh so 
> that the client also accepts the ssh-rsa algorithm? If you need more 
> information, please let me know.

The server is configured to accept only secure algorithms (eddsa, ecdsa and rsa with sha2 -- rsa-sha2-512,rsa-sha2-256). You probably configured your client to use only the old one (ssh-rsa), which is not compatible with the new ones (and not considered secure anymore).

If you need some backward compatibility with an old server, append the
SHA2 (rsa-sha2-512,rsa-sha2-256) algorithms, otherwise use only them.

Regards,
Jakub

> Thanks for your help in advance.
>
>
> Mit freundlichen Grüßen / Best regards
>
> i.A. Sebastian Kraust
> Forschungsingenieur / Research Engineer
>
> b-plus GmbH
> Osterhofener Str. 13 | 93055 Regensburg
> Tel +49 941 46624 208 | Fax +49 991 270302 99
> sebastian.kraust@xxxxxxxxxx
>
> Besucheradresse / Visitor address:
> b-plus automotive GmbH
> Osterhofener Str. 13, 93055 Regensburg, Germany
>
> Website<http://www.b-plus.com/> | XING< 
> https://www.xing.com/companies/b-plusgmbh> | FACEBOOK< 
> https://www.facebook.com/bplusGmbH/> | LinkedIn< 
> https://www.linkedin.com/company/b-plus-gmbh/>
>
> b-plus GmbH
> Geschäftsführer / Managing Director: Dipl.-Ing.(FH) Michael Sieg
> Gerichtsstand / Handelsregister / Place of jurisdiction / Commercial register: HRB 1753 Deggendorf / Germany
> This e-mail may contain confidential and/or privileged information.
> If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and delete this e-mail.
> Any unauthorized copying, disclosure or distribution of the contents in this e-mail is strictly forbidden.
>
--
Jakub Jelen
Senior Software Engineer
Security Technologies
Red Hat, Inc.


#	$OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem	sftp	/usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
PubkeyAcceptedKeyTypes ssh-ed25519*,ssh-rsa*,ssh-dss*,ecdsa-sha2*
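Added example (not code from this thread, from libssh or from OpenSSH): the negotiation that produced the kex error quoted above, written out in C. SSH chooses the server host key algorithm as RFC 4253 section 7.1 describes: the first entry of the client's name-list that also appears in the server's name-list is taken, and if there is none, key exchange fails. The two lists in the error message are reproduced verbatim; the "compat" client list and the "modern" server list are assumptions added for illustration. Two caveats a practitioner will want here. First, /etc/ssh/sshd_config is read by the OpenSSH server daemon, so an edit there cannot change what a libssh client offers; libssh's client-side knob is ssh_options_set(session, SSH_OPTIONS_HOSTKEYS, "<comma-separated list>") before ssh_connect(), or the HostKeyAlgorithms keyword in the ssh_config file libssh parses. Second, ssh-rsa is the RSA signature scheme with SHA-1, while rsa-sha2-256 and rsa-sha2-512 use the same RSA host key with SHA-2, so ssh-rsa belongs at the end of the client list, and only for the host that speaks nothing else; the third case below shows that appending it does not demote the SHA-2 schemes against a server that offers them.

```c
#include <stdio.h>
#include <string.h>

/* Name-lists copied from the kex error in the original post. */
#define LEGACY_SERVER_HOSTKEYS "ssh-rsa"
#define DEFAULT_CLIENT_HOSTKEYS \
    "ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384," \
    "ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256"

/* Assumed lists (not from the thread): a client that appends the SHA-1
 * scheme ssh-rsa *last*, so it is chosen only when nothing better matches,
 * and a server that offers both SHA-2 and SHA-1 RSA signatures. */
#define COMPAT_CLIENT_HOSTKEYS DEFAULT_CLIENT_HOSTKEYS ",ssh-rsa"
#define MODERN_SERVER_HOSTKEYS "rsa-sha2-512,rsa-sha2-256,ssh-rsa"

/* Length of the comma-separated token that starts at p. */
static size_t token_len(const char *p) {
    const char *comma = strchr(p, ',');
    return comma ? (size_t)(comma - p) : strlen(p);
}

/* Does name-list `list` contain exactly the token tok[0..len)? */
static int list_contains(const char *list, const char *tok, size_t len) {
    for (const char *s = list; ; ) {
        size_t slen = token_len(s);
        if (slen == len && memcmp(s, tok, len) == 0)
            return 1;
        if (s[slen] == '\0')
            return 0;
        s += slen + 1;
    }
}

/* RFC 4253 section 7.1 negotiation: the first entry of the client's list
 * that the server also supports wins. Copies the winner into out
 * (NUL-terminated) and returns out, or returns NULL when the lists share
 * nothing (libssh then reports "no match for method server host key algo"). */
const char *negotiate_hostkey(const char *client_list, const char *server_list,
                              char *out, size_t out_size) {
    for (const char *c = client_list; ; ) {
        size_t len = token_len(c);
        if (len > 0 && list_contains(server_list, c, len)) {
            if (len >= out_size)
                return NULL; /* caller's buffer too small: treat as failure */
            memcpy(out, c, len);
            out[len] = '\0';
            return out;
        }
        if (c[len] == '\0')
            return NULL;
        c += len + 1;
    }
}

/* 1 if the two lists share at least one host key algorithm. */
int hostkey_compatible(const char *client_list, const char *server_list) {
    char buf[64];
    return negotiate_hostkey(client_list, server_list, buf, sizeof buf) != NULL;
}

/* 1 if negotiation over the two lists selects exactly `expected`. */
int negotiates_to(const char *client_list, const char *server_list,
                  const char *expected) {
    char buf[64];
    const char *pick = negotiate_hostkey(client_list, server_list, buf, sizeof buf);
    return pick != NULL && strcmp(pick, expected) == 0;
}

static void show(const char *label, const char *client, const char *server) {
    char buf[64];
    const char *pick = negotiate_hostkey(client, server, buf, sizeof buf);
    if (pick)
        printf("%-30s -> %s\n", label, pick);
    else
        printf("%-30s -> kex error: no match (server [%s], client [%s])\n",
               label, server, client);
}

int main(void) {
    show("default client, 0.7.x server", DEFAULT_CLIENT_HOSTKEYS, LEGACY_SERVER_HOSTKEYS);
    show("compat client, 0.7.x server", COMPAT_CLIENT_HOSTKEYS, LEGACY_SERVER_HOSTKEYS);
    show("compat client, modern server", COMPAT_CLIENT_HOSTKEYS, MODERN_SERVER_HOSTKEYS);
    /* In a real libssh client the compat list is handed to the session
     * before ssh_connect():
     *   ssh_options_set(session, SSH_OPTIONS_HOSTKEYS, COMPAT_CLIENT_HOSTKEYS);
     */
    return 0;
}
```

Build with `cc -std=c99 -Wall negotiate.c` and run it: the first case reproduces the failure from the post, the second shows that appending ssh-rsa lets the 0.7.x server be reached, and the third shows that the same compat list still picks rsa-sha2-512 against a server that offers SHA-2, because client preference order decides the outcome.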

References:
[SUPPORT REQUEST] Configuration of libssh host key algos on client - Sebastian Kraust <sebastian.kraust@xxxxxxxxxx>
Re: [SUPPORT REQUEST] Configuration of libssh host key algos on client - Jakub Jelen <jjelen@xxxxxxxxxx>