
Re: Help: Create a client to connect to SSH server, but it does not support ssh-dss


On 8/24/20 9:39 AM, Anderson Sasaki wrote:


----- Original Message -----
From: "QUANSHENG CHANG" <laurence.chang@xxxxxxxxxxxxxxxxxxxxx>
To: libssh@xxxxxxxxxx
Sent: Friday, August 21, 2020 11:42:31 PM
Subject: Help: Create a client to connect to SSH server, but it does not support ssh-dss

Hi Everyone,

The libssh_0.9.3.2 was installed by vcpkg on my computer. Visual C++
2015 is being used as the development tool. Platform: Windows 10 64bit.

I am writing a client program which connects to different SSH servers. It
works for most servers, but for one server I got an error message like:

no match for method server host key algo: server [ssh-dss], client
[ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa]

I added ssh_options_set(my_ssh_session, SSH_OPTIONS_HOSTKEYS,
"ssh-dss,ecdh-sha2-nistp256"); in my code, but it still does not work.

Any suggestions on how to make libssh support ssh-dss?

Hello,

I believe libssh in vcpkg is compiled using mbed TLS as the crypto back end. Unfortunately, mbed TLS doesn't support DSA.
You can compile libssh using OpenSSL as the backend to have ssh-dss support.

If you have control over that server, I strongly suggest updating it to support modern algorithms.

Or even better, update the server with some more secure host keys (or talk with the server administrator to do so).

DSA security is really questionable and you should not depend on it for any production servers. Additionally, it will be disabled in future libssh versions out of the box for all crypto backends.

Regards,
--
Jakub Jelen
Senior Software Engineer
Crypto Team, Security Engineering
Red Hat, Inc.
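
The error line quoted in the thread can be checked mechanically. The following is an added example, not part of the original messages and not libssh code: it parses a line of that shape and applies a simplified form of the RFC 4253 section 7.1 rule (the first name on the client list that the server also lists is chosen). The names `POST_LINE`, `in_list`, `negotiate` and `diagnose` are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Error line as quoted in the original post. */
const char POST_LINE[] =
    "no match for method server host key algo: server [ssh-dss], client "
    "[ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,"
    "rsa-sha2-512,rsa-sha2-256,ssh-rsa]";

/* Exact match of name[0..len) against a comma-separated name-list. */
static int in_list(const char *list, const char *name, size_t len)
{
    for (size_t l = 0; *list; list += l + (list[l] == ',')) {
        l = strcspn(list, ",");
        if (l == len && memcmp(list, name, len) == 0) return 1;
    }
    return 0;
}

/* First name on the client list that the server also lists; -1 if none. */
int negotiate(const char *client, const char *server, char *out, size_t n)
{
    for (size_t l = 0; *client; client += l + (client[l] == ',')) {
        l = strcspn(client, ",");
        if (l == 0 || l >= n || !in_list(server, client, l)) continue;
        snprintf(out, n, "%.*s", (int)l, client);
        return 0;
    }
    return -1;
}

/* 1 = common algorithm found, 0 = none in common, -1 = line not recognised. */
int diagnose(const char *line, char *chosen, size_t n)
{
    char server[512], client[512];
    const char *p = strstr(line, "server [");
    if (!p || sscanf(p, "server [%511[^]]], client [%511[^]]", server, client) != 2)
        return -1;
    return negotiate(client, server, chosen, n) == 0 ? 1 : 0;
}

int main(void)
{
    char alg[64];
    int r = diagnose(POST_LINE, alg, sizeof alg);
    puts(r == 1 ? alg : r == 0 ? "no common host key algorithm" : "unrecognised line");
    return 0;
}
```

For the line from the post the result is 0: the server offers only ssh-dss, and that name does not appear anywhere on the client's list.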

