[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [EXTERNAL] Re: ssh_options_set not working?


I managed to get the pipeline to run but the existing merge was still blocked, so I cancelled it and create another. Hopefully that works and the code is ok!

Definitely a learning curve for new users

-----Original Message-----
From: Jakub Jelen <jjelen@xxxxxxxxxx> 
Sent: 31 May 2023 16:02
To: libssh@xxxxxxxxxx
Subject: Re: [EXTERNAL] Re: ssh_options_set not working?

On 5/31/23 14:49, Kerrison, Adam wrote:
> Well I've forked it and tried to create a merge but after asking for 
> my credit card (really!?) gitlab thinks I am robot. I've given up for 
> now, I don't have enough time to fight it. Maybe I will look at it 
> again later

I see your merge request, but only one commit from that. Looks like you either deleted your fork or changed it to the private?:

https://urldefense.com/v3/__https://gitlab.com/libssh/libssh-mirror/-/merge_requests/378__;!!PEZBYkTc!f3u84gsxMpOapeoSlrhPkCbcBUEukcfCaMTwZ2VaRY26d-UuewqBEFVZE8nzMsN6FdKUrhXzUolrU5zh$ 

For this you should be able to work without verifying account with your credit card.. but I have account for years so I am not sure about the process.

The other option is to send the patches here to the mailing list, if it would be more comfortable for you.

> Gitlab seems a hell of a lot more work than github ... sigh

Unfortunately, it looks like that is the case for new users.

Jakub

> -----Original Message-----
> From: Jakub Jelen <jjelen@xxxxxxxxxx>
> Sent: 31 May 2023 11:59
> To: libssh@xxxxxxxxxx
> Subject: Re: [EXTERNAL] Re: ssh_options_set not working?
> 
> On 5/30/23 17:25, Kerrison, Adam wrote:
>> I've made it work 😊  I need to set the server to client options, not the client to server ones (obviously). It’s a bit fiddly as there is no way for code to get the list of support and default methods. I found functions to do this in kex.c but these symbols aren't exposed in the .so/DLL, not sure how to do that.
> 
> Good to hear that! Yeah, there can be different lists for different directions for ciphers and hmacs, but in most of the cases it really makes sense to set both of the directions to the same algorithms (wondering if we should not have an API (without the _C_S/_S_C suffixes) to set both of them to avoid such confusion).
> 
>> I've created a git clone and added my ssh_options_get() changes to 
>> branch - how do I create a PR? When I try to push I get a 403. I 
>> might have some other little changes too so being able to push would 
>> be handy
> 
> You will need to fork the repository on gitlab and push to your fork and then open a merge request (the same as pull request on github) against the main repository:
> 
> https://urldefense.com/v3/__https://gitlab.com/libssh/libssh-mirror__;
> !!PEZBYkTc!ZMTfG7v0rQO-rpXIO7giiW03FU7rWL7G_vhWrcoPaEv3r-mE7VtMgBj_5m7
> kcLHamC9jn3utIicgSxzB$
> 
> Regards,
> Jakub
> 
>> Thanks
>>
>> Adam
>>
>> -----Original Message-----
>> From: Kerrison, Adam
>> Sent: 30 May 2023 12:11
>> To: libssh@xxxxxxxxxx
>> Subject: RE: [EXTERNAL] Re: ssh_options_set not working?
>>
>> I am using libssh 0.10.5 on Windows. I've confirmed it was built with WITH_GEX=1 (that’s the default and we've turned it off). I've added verbose logging at the function level (see below) and tried also setting SSH_OPTIONS_HOSTKEYS too.
>>
>> I also tried implementing support for these options in ssh_options_get() which works but the values are initialized to NULL and the existing code treats that as an error ☹ My code works to retrieve the value after it has been set with ssh_options_set() (you can see that in the log as NEW KEYEX). I don't know where the values in the session struct would actually get set to handle the initial NULL value.
>>
>> Here is the log:
>>
>> SETTING KEYEX
>> curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nis
>> t 
>> p521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diff
>> i 
>> e-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-he
>> l
>> lman-group1-sha1,diffie-hellman-group-exchange-sha1
>> NEW KEYEX =
>> curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nis
>> t 
>> p521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diff
>> i 
>> e-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-he
>> l
>> lman-group1-sha1,diffie-hellman-group-exchange-sha1
>> SETTING CIPHERS
>> chacha20-poly1305,aes256-gcm@xxxxxxxxxxx,aes128-gcm@xxxxxxxxxxx,aes25
>> 6 
>> -ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc
>> SETTING HMACS
>> hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha1
>> -
>> etm@xxxxxxxxxxx,hmac-sha2-512,hmac-sha2-256,hmac-sha1
>> SETTING HOST_KEYS
>> ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp5
>> 2 1,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
>> [2023/05/30 12:06:28.416222, 2] ssh_connect:  libssh 0.10.5 (c)
>> 2003-2023 Aris Adamantiadis, Andreas Schneider and libssh 
>> contributors. Distributed under the LGPL, please refer to COPYING 
>> file for information about your rights, using threading 
>> threads_winlock
>> [2023/05/30 12:06:28.416222, 3] getai:  host 10.49.32.30 matches an 
>> IP address
>> [2023/05/30 12:06:28.417199, 2] ssh_socket_connect:  Nonblocking 
>> connection socket: 296
>> [2023/05/30 12:06:28.423080, 2] ssh_connect:  Socket connecting, now 
>> waiting for the callbacks to work
>> [2023/05/30 12:06:28.423080, 3] ssh_connect:  current state : 1
>> [2023/05/30 12:06:28.447504, 4] ssh_socket_pollcallback:  Poll 
>> callback on socket 296 (POLLOUT ), out buffer 0
>> [2023/05/30 12:06:28.447504, 3] ssh_socket_pollcallback:  Received 
>> POLLOUT in connecting state
>> [2023/05/30 12:06:28.448483, 1] socket_callback_connected:  Socket 
>> connection callback: 1 (0)
>> [2023/05/30 12:06:28.455678, 3] ssh_client_connection_callback:
>> session_state=2
>> [2023/05/30 12:06:28.456656, 3] ssh_socket_unbuffered_write:  
>> Enabling POLLOUT for socket
>> [2023/05/30 12:06:28.458607, 4] ssh_socket_unbuffered_write:  wrote 
>> 23
>> [2023/05/30 12:06:28.458607, 3] ssh_connect:  current state : 2
>> [2023/05/30 12:06:28.463486, 4] ssh_socket_pollcallback:  Poll 
>> callback on socket 296 (POLLOUT ), out buffer 0
>> [2023/05/30 12:06:28.463486, 3] ssh_connect:  current state : 2
>> [2023/05/30 12:06:28.479142, 4] ssh_socket_pollcallback:  Poll 
>> callback on socket 296 (POLLIN ), out buffer 0
>> [2023/05/30 12:06:28.480078, 4] ssh_socket_unbuffered_read:  read 25
>> [2023/05/30 12:06:28.480078, 3] callback_receive_banner:  Received
>> banner: SSH-1.99-OpenSSH_3.6.1p2
>> [2023/05/30 12:06:28.486309, 3] ssh_client_connection_callback:
>> session_state=3
>> [2023/05/30 12:06:28.486910, 2] ssh_client_connection_callback:  SSH 
>> server banner: SSH-1.99-OpenSSH_3.6.1p2
>> [2023/05/30 12:06:28.486910, 2] ssh_analyze_banner:  Analyzing banner:
>> SSH-1.99-OpenSSH_3.6.1p2
>> [2023/05/30 12:06:28.487886, 2] ssh_analyze_banner:  We are talking 
>> to an OpenSSH server version: 3.6 (30600)
>> [2023/05/30 12:06:28.488862, 3] ssh_client_select_hostkeys:  Order of wanted host keys: "ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa"
>> [2023/05/30 12:06:28.490854, 1] ssh_known_hosts_read_entries:  Failed 
>> to open the known_hosts file 'C:\Users\adam/.ssh/known_hosts': No 
>> such file or directory
>> [2023/05/30 12:06:28.490854, 1] ssh_known_hosts_read_entries:  Failed 
>> to open the known_hosts file '/etc/ssh/ssh_known_hosts': No such file 
>> or directory
>> [2023/05/30 12:06:28.495720, 3] ssh_client_select_hostkeys:  No key found in known_hosts; changing host key method to "ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa"
>> [2023/05/30 12:06:28.495720, 4] ssh_send_kex:  Sending KEXINIT 
>> packet, first_kex_packet_follows = 0
>> [2023/05/30 12:06:28.496670, 4] ssh_list_kex:  kex algos:
>> curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nis
>> t 
>> p521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diff
>> i 
>> e-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-he
>> l lman-group1-sha1,diffie-hellman-group-exchange-sha1,ext-info-c
>> [2023/05/30 12:06:28.496670, 4] ssh_list_kex:  server host key algo:
>> ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp5
>> 2
>> 1,rsa-sha2-512,rsa-sha2-256,ssh-rsa
>> [2023/05/30 12:06:28.497646, 4] ssh_list_kex:  encryption
>> client->server:
>> aes256-gcm@xxxxxxxxxxx,aes128-gcm@xxxxxxxxxxx,aes256-ctr,aes192-ctr,a
>> e s128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc
>> [2023/05/30 12:06:28.497646, 4] ssh_list_kex:  encryption
>> server->client:
>> chacha20-poly1305@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx,aes128-gcm@opens
>> s h.com,aes256-ctr,aes192-ctr,aes128-ctr,
>> [2023/05/30 12:06:28.498621, 4] ssh_list_kex:  mac algo
>> client->server:
>> hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha1
>> -
>> etm@xxxxxxxxxxx,hmac-sha2-512,hmac-sha2-256,hmac-sha1
>> [2023/05/30 12:06:28.498621, 4] ssh_list_kex:  mac algo
>> server->client:
>> hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha2
>> -
>> 256,hmac-sha2-512
>> [2023/05/30 12:06:28.503515, 4] ssh_list_kex:  compression algo
>> client->server: none,zlib@xxxxxxxxxxx
>> [2023/05/30 12:06:28.503515, 4] ssh_list_kex:  compression algo
>> server->client: none,zlib@xxxxxxxxxxx
>> [2023/05/30 12:06:28.504482, 4] ssh_list_kex:  languages client->server:
>> [2023/05/30 12:06:28.504482, 4] ssh_list_kex:  languages server->client:
>> [2023/05/30 12:06:28.505454, 3] ssh_socket_unbuffered_write:  
>> Enabling POLLOUT for socket
>> [2023/05/30 12:06:28.505454, 4] ssh_socket_unbuffered_write:  wrote
>> 936
>> [2023/05/30 12:06:28.506430, 3] packet_send2:  packet: wrote 
>> [type=20, len=932, padding_size=11, comp=920, payload=920]
>> [2023/05/30 12:06:28.506430, 3] ssh_send_kex:  SSH_MSG_KEXINIT sent
>> [2023/05/30 12:06:28.507406, 3] ssh_connect:  current state : 4
>> [2023/05/30 12:06:28.507406, 4] ssh_socket_pollcallback:  Poll 
>> callback on socket 296 (POLLOUT ), out buffer 0
>> [2023/05/30 12:06:28.507406, 4] ssh_socket_pollcallback:  sending 
>> control flow event
>> [2023/05/30 12:06:28.508382, 4]
>> ssh_packet_socket_controlflow_callback:  sending 
>> channel_write_wontblock callback
>> [2023/05/30 12:06:28.508382, 3] ssh_connect:  current state : 4
>> [2023/05/30 12:06:28.535711, 4] ssh_socket_pollcallback:  Poll 
>> callback on socket 296 (POLLIN ), out buffer 0
>> [2023/05/30 12:06:28.536686, 4] ssh_socket_unbuffered_read:  read 544
>> [2023/05/30 12:06:28.537664, 3] ssh_packet_socket_callback:  packet:
>> read type 20 [len=540,padding=9,comp=530,payload=530]
>> [2023/05/30 12:06:28.537664, 3] ssh_packet_process:  Dispatching 
>> handler for packet type 20
>> [2023/05/30 12:06:28.539616, 4] ssh_packet_kexinit:  KEXINIT received
>> [2023/05/30 12:06:28.539616, 3] ssh_client_connection_callback:
>> session_state=5
>> [2023/05/30 12:06:28.540589, 4] ssh_list_kex:  kex algos:
>> diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
>> [2023/05/30 12:06:28.540589, 4] ssh_list_kex:  server host key algo:
>> ssh-rsa,ssh-dss
>> [2023/05/30 12:06:28.541568, 4] ssh_list_kex:  encryption
>> client->server:
>> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes25
>> 6
>> -cbc,rijndael-cbc@xxxxxxxxxxxxxx
>> [2023/05/30 12:06:28.541568, 4] ssh_list_kex:  encryption
>> server->client:
>> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes25
>> 6
>> -cbc,rijndael-cbc@xxxxxxxxxxxxxx
>> [2023/05/30 12:06:28.541568, 4] ssh_list_kex:  mac algo
>> client->server:
>> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha
>> 1
>> -96,hmac-md5-96
>> [2023/05/30 12:06:28.542542, 4] ssh_list_kex:  mac algo
>> server->client:
>> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha
>> 1
>> -96,hmac-md5-96
>> [2023/05/30 12:06:28.542542, 4] ssh_list_kex:  compression algo
>> client->server: none,zlib
>> [2023/05/30 12:06:28.542542, 4] ssh_list_kex:  compression algo
>> server->client: none,zlib
>> [2023/05/30 12:06:28.543518, 4] ssh_list_kex:  languages client->server:
>> [2023/05/30 12:06:28.543518, 4] ssh_list_kex:  languages server->client:
>> [2023/05/30 12:06:28.544493, 1] ssh_kex_select_methods:  kex error :
>> no match for method encryption server->client: server
>> [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes2
>> 5 6-cbc,rijndael-cbc@xxxxxxxxxxxxxx], client 
>> [chacha20-poly1305@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx,aes128-gcm@open
>> s sh.com,aes256-ctr,aes192-ctr,aes128-ctr,]
>> [2023/05/30 12:06:28.544493, 3] ssh_connect:  current state : 9
>>
>> -----Original Message-----
>> From: Jakub Jelen <jjelen@xxxxxxxxxx>
>> Sent: 29 May 2023 11:22
>> To: libssh@xxxxxxxxxx
>> Subject: [EXTERNAL] Re: ssh_options_set not working?
>>
>> On 5/26/23 17:17, Kerrison, Adam wrote:
>>> Hello
>>>
>>> I am trying to enable all supported key exchange methods, ciphers 
>>> and HMACs to handle connecting to some truly ancient servers. The setup code is:
>>>
>>>      ssh_session session = ssh_new();
>>>
>>>      fprintf(stderr, "SETTING KEYEX %s\n", ALL_KEYEX_METHODS);
>>>
>>>     if(ssh_options_set(session, SSH_OPTIONS_KEY_EXCHANGE,
>>> ALL_KEYEX_METHODS) < 0) {
>>>
>>>       fprintf(stderr, "FAILED TO SET KEYEX\n");
>>>
>>>       }
>>>
>>>       fprintf(stderr, "SETTING CIPHERS %s\n", ALL_CIPHERS);
>>>
>>>        if(ssh_options_set(session, SSH_OPTIONS_CIPHERS_C_S,
>>> ALL_CIPHERS) <
>>> 0) {
>>>
>>>          fprintf(stderr, "FAILED TO SET CIPHERS\n");
>>>
>>>      }
>>>
>>>      fprintf(stderr, "SETTING HMACS %s\n", ALL_HMACS);
>>>
>>>      if(ssh_options_set(session, SSH_OPTIONS_HMAC_C_S, ALL_HMACS) < 
>>> 0) {
>>>
>>>        fprintf(stderr, "FAILED TO SET HMACS\n");
>>>
>>>      }
>>>
>>> Where the ALL_* values are constants defining all the supports 
>>> things (see below)
>>>
>>> When I run the code my connection fails. The output is:
>>>
>>> SETTING KEYEX
>>> curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-ni
>>> s
>>> t
>>> p521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,dif
>>> f
>>> i
>>> e-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-h
>>> e
>>> l
>>> lman-group1-sha1,diffie-hellman-group-exchange-sha1
>>>
>>> SETTING CIPHERS
>>> chacha20-poly1305,aes256-gcm@xxxxxxxxxxx,aes128-gcm@xxxxxxxxxxx,aes2
>>> 5
>>> 6
>>> -ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc
>>>
>>> SETTING HMACS
>>> hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha
>>> 1
>>> -
>>> etm@xxxxxxxxxxx,hmac-sha2-512,hmac-sha2-256,hmac-sha1
>>>
>>> ERROR: failed to connect: kex error : no match for method kex algos:
>>> server
>>> [diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1],
>>> client
>>> [curve25519-sha256,curve25519-sha256@xxxxxxxxxx,ecdh-sha2-nistp256,e
>>> c
>>> d
>>> h-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha
>>> 2
>>> 5
>>> 6,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie
>>> -
>>> h
>>> ellman-group18-sha512] (code 2)
>>>
>>> So the ssh_options_set() calls aren’t failing but the values don’t 
>>> seem to have been applied as the client keyex list doesn’t include 
>>> the diffie-helman SHA1 methods that I set?
>>
>> This API ignores any unknown algorithms, for example to avoid failing hard when parsing openssh configuration files. I do not think there is an API to retrieve the enabled algorithms, but the ssh_options_get() could be very simply extended to return the list of enabled algorithms for double-checking this. Feel free to propose the merge request!
>>
>> The two algorithms supported by the server [diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1] are supported by libssh master, but they are not enabled by default in current versions. But using the ssh_options_set() should enable them.
>>
>> The list of the algorithms you list in the outputs also differ both in content and order which sounds like the setting of the algorithms was not effective for some reason.
>>
>>> What am I doing wrong here?
>>
>> What libssh version are you using? Can you bump the log verbosity and check the logs for some more information?
>>
>> Regards,
>> --
>> Jakub Jelen
>> Crypto Team, Security Engineering
>> Red Hat, Inc.
>>
>>
> 
> --
> Jakub Jelen
> Crypto Team, Security Engineering
> Red Hat, Inc.
> 
> 

--
Jakub Jelen
Crypto Team, Security Engineering
Red Hat, Inc.



References:
ssh_options_set not working?"Kerrison, Adam" <Adam_Kerrison@xxxxxxx>
Re: ssh_options_set not working?Jakub Jelen <jjelen@xxxxxxxxxx>
RE: [EXTERNAL] Re: ssh_options_set not working?"Kerrison, Adam" <Adam_Kerrison@xxxxxxx>
RE: [EXTERNAL] Re: ssh_options_set not working?"Kerrison, Adam" <Adam_Kerrison@xxxxxxx>
Re: [EXTERNAL] Re: ssh_options_set not working?Jakub Jelen <jjelen@xxxxxxxxxx>
RE: [EXTERNAL] Re: ssh_options_set not working?"Kerrison, Adam" <Adam_Kerrison@xxxxxxx>
Re: [EXTERNAL] Re: ssh_options_set not working?Jakub Jelen <jjelen@xxxxxxxxxx>
Archive administrator: postmaster@lists.cynapses.org