
AW: AW: [SUPPORT REQUEST] Configuration of libssh host key algos on client


Hello,

thanks for your help. Re-enabling the ssh-rsa via your command works like a charm. I will definitely try to update the server as soon as I can, though.

Thanks for the support! This issue is resolved.

Have a nice day!

Best regards,
Sebastian

-----Original Message-----
From: Jakub Jelen <jjelen@xxxxxxxxxx>
Sent: Tuesday, 26 May 2020 09:20
To: libssh@xxxxxxxxxx
Subject: Re: AW: [SUPPORT REQUEST] Configuration of libssh host key algos on client

On Mon, 2020-05-25 at 17:00 +0000, Sebastian Kraust wrote:
> Hello Jakub,
>
> thanks for your reply.
>
> It is exactly the other way round. The client does seem to accept only 
> the safe algorithms while the server only allows ssh-rsa. To my 
> knowledge, this is due to the server using an older version of libssh
> (0.7.x) and the client being the newest version.

Hello,
You are indeed right. Sorry for the confusion. The old 0.7.x libssh version does not support the RSA SHA2 extension, and if you are using the unreleased master of libssh, it has already disabled the use of ssh-rsa (sha1) by default.

In the client, you can re-enable the ssh-rsa by adding to
~/.ssh/config:

  Host
    HostkeyAlgorithms ssh-rsa

but the preferred way would be updating the server to something newer, supporting the SHA2 extension, or using a different hostkey (EC) before the server can be updated.

Best regards,
Jakub

> I am not sure if this impacts your previous suggestion. If not, could 
> you tell me which command I do have to append to which file, please?
>
> Also, I have appended the complete configuration file of the client 
> (/etc/ssh/sshd_config), if this helps.
>
> Thanks again!
>
> Best regards,
> Sebastian
>
> -----Original Message-----
> From: Jakub Jelen <jjelen@xxxxxxxxxx>
> Sent: Monday, 25 May 2020 18:42
> To: libssh@xxxxxxxxxx
> Subject: Re: [SUPPORT REQUEST] Configuration of libssh host key algos 
> on client
>
> On Mon, 2020-05-25 at 15:52 +0000, Sebastian Kraust wrote:
> > Hello libssh-team,
> >
> > I am currently working on a project using libssh under the hood, but 
> > have problems getting it to work. I hope you can provide some help.
> >
> > Task
> > Write a client for an existing server which cannot be 
> > changed/configured by me.
> >
> > Approach
> > Connect to the server using the function `ssh_connect`.
> >
> > Error
> > kex error : no match for method server host key algo: server [ssh-rsa], client [ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256]
> >
> > Problem
> > Due to the restriction that I can only change the client side, I 
> > have to change the client so that it accepts the ssh-rsa algo.
> > According to the docs, it should be capable of doing so.
> >
> > Troubleshooting so far
> > Added
> > PubkeyAcceptedKeyTypes ssh-ed25519*,ssh-rsa*,ssh-dss*,ecdsa-sha2
> > to /etc/ssh/sshd_config to allow every algo on the client side.
> >
> > I still get the same error. I do believe that the config might not 
> > be the correct file to configure libssh.
> >
> > Can you give me some direction where I have to configure libssh so 
> > that the client also accepts the ssh-rsa algorithm? If you need more 
> > information, please let me know.
>
> The server is configured to accept only secure algorithms (eddsa, 
> ecdsa and rsa with sha2 -- rsa-sha2-512,rsa-sha2-256). You probably 
> configured your client to use only the old (ssh-rsa), which is not 
> compatible with the new ones (and not considered secure anymore).
>
> If you need some backward compatibility with an old server, append the
> SHA2 (rsa-sha2-512,rsa-sha2-256) algorithms, otherwise use only them.
>
> Regards,
> Jakub
>
> > Thanks for your help in advance.
> >
> >
> > Best regards
> >
> > i.A. Sebastian Kraust
> > Research Engineer
> >
> --
> Jakub Jelen
> Senior Software Engineer
> Security Technologies
> Red Hat, Inc.
>
>
--
Jakub Jelen
Senior Software Engineer
Security Technologies
Red Hat, Inc.
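
Added example (not part of the original messages and not libssh code): a small diagnostic that parses the "no match for method server host key algo" error quoted in this thread and builds a per-host config stanza. It goes slightly beyond the single-algorithm setting discussed above by keeping the client's SHA-2/EC algorithms first and appending ssh-rsa last, so that an upgraded server is negotiated to a stronger algorithm under SSH's first-match rule. The host name legacy-server.example and all function names are assumptions made for illustration.

```python
import re

# Host key algorithms that sign with SHA-1 (the thread's "ssh-rsa (sha1)").
SHA1_ALGOS = {"ssh-rsa", "ssh-dss"}

# Shape of the libssh error quoted in the thread.
KEX_ERROR = re.compile(
    r"no match for method server host key algo:\s*"
    r"server \[([^\]]*)\],\s*client \[([^\]]*)\]"
)


def parse_kex_error(message):
    """Return (server_algos, client_algos) from the mismatch error text."""
    m = KEX_ERROR.search(message)
    if m is None:
        raise ValueError("not a host key algorithm mismatch error")
    server, client = ([a.strip() for a in g.split(",") if a.strip()]
                      for g in m.groups())
    return server, client


def negotiate(client, server):
    """SSH picks the first entry in the client's list the server also offers."""
    return next((a for a in client if a in server), None)


def scoped_fallback(message, host):
    """Build a per-host stanza: the client's own algorithms stay first, and
    only the server algorithms the client was missing are appended."""
    server, client = parse_kex_error(message)
    missing = [a for a in server if a not in client]
    algos = client + missing
    # "host" is a placeholder supplied by the caller (assumption, not from the thread).
    stanza = f"Host {host}\n    HostkeyAlgorithms {','.join(algos)}\n"
    weak = [a for a in missing if a in SHA1_ALGOS]
    return algos, weak, stanza


# Error text from the thread, rejoined onto one line.
SAMPLE = ("kex error : no match for method server host key algo: "
          "server [ssh-rsa], client [ssh-ed25519,ecdsa-sha2-nistp521,"
          "ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256]")

if __name__ == "__main__":
    algos, weak, stanza = scoped_fallback(SAMPLE, "legacy-server.example")
    print(stanza)
    print("SHA-1 algorithms re-enabled for this host only:", weak)
```

Scoping the stanza to one named host keeps the SHA-1 algorithm disabled for every other connection the client makes.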


