
failure to connect #698

Closed
tigermick opened this issue Apr 13, 2019 · 37 comments · Fixed by connectbot/sshlib#94
Comments

@tigermick

Hi,

I have used ConnectBot for a long time, but recently I reinstalled another Android ROM on my phone and I can't connect to my server any more ...
My computer can connect to my server with the ssh command, but ConnectBot on my phone won't.

When I tap to connect to my server I get this message:
connection lost
key exchange was not finished, connection is closed.
the server hostkey was not accepted by the verifier callback
unknown key type rsa-sha2-512

My phone is a Nexus 6 with the e ROM and the ConnectBot version is the latest version on F-Droid.

My server runs Debian stretch with the official ssh version from the official repository, with the default config.

Before I reinstalled Android on my phone, ConnectBot worked like a charm on LineageOS.
Thank you for your help.

@tigermick tigermick added the bug label Apr 13, 2019
@sherwoac

I'm having the same issue. Android v8, ConnectBot 1.9.5.

@kodion

kodion commented Apr 21, 2019

Same issue. Android v9, ConnectBot 1.9.5.

@softwarecreations

A temporary workaround is to use a different key type, such as ed25519.

@dchenbecker

I tried ed25519 and still get the error.

@softwarecreations

softwarecreations commented May 5, 2019

I've not yet done comprehensive testing of all possible configurations. But it's definitely working for me.
In my case I removed the RSA key.
Then configured sshd to only use the ed25519 key.

/etc/ssh/sshd_config

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

Remember to run service ssh restart.

EDIT

Okay I did another test now.

HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

Also works, in the case where perhaps you want to connect from ConnectBot with ed25519 and also from a proper Linux ssh client with RSA.
When you connect from a Linux ssh client, just use -o HostKeyAlgorithms=ssh-rsa

EDIT2
This is quite a hassle.
Now for all the servers you want to be able to connect to with ConnectBot, you need to generate/enable an ED25519 key.
Then edit all of your SSH connect scripts to include the above option if you still want them to use RSA by default.
Alternatively you can add HostKeyAlgorithms=ssh-rsa to ~/.ssh/config.
More crap to remember to do when you reinstall.

@ridobe

ridobe commented May 25, 2019

The above worked. Thanks @softwarecreations

To sum up what you did and how I implemented it:

  • Create a new ed25519 key in ConnectBot
  • Append it to authorized_keys on the server(s)
  • Add "HostKey /etc/ssh/ssh_host_ed25519_key" to sshd_config on the servers
  • Add "HostKeyAlgorithms=ssh-rsa" to config files for Linux clients (to force it)

@lshl

lshl commented May 26, 2019

Any update on this issue?
I would rather not use any elliptic curve encryption of any kind (see here for some considerations).

Thanks.

@ridobe

ridobe commented May 26, 2019

@lshl I have moved over to ConnectBot's fork TermBot. It supports both RSA and YubiKey.

@lshl

lshl commented May 27, 2019

Thanks a lot @ridobe. Works like a charm.

@gldarocha

The SteelCloud security package that is implemented on my servers uses up to three-factor authentication. In this case you can easily use the "ed25519 key". Contact us: contato@steelcloud.com.br

@nmz787

nmz787 commented Mar 23, 2020

Happens here too on a Pixel 2 with Android 10.

@horgh

horgh commented Apr 5, 2020

I used this as a workaround and it worked well: hwsecurity-sdk#17 (comment)

@SynecticLabs

Suggesting people use ed25519 keys over RSA keys is not a solution here. There is a very good reason everybody uses RSA for sshd. I also went with the termbot suggestion. Works great. Thanks for that, @ridobe.

@AlexanderS

This should be fixed by 90f7894 because the newer sshlib contains this commit: connectbot/sshlib@e6a49c5

@rhardy613

rhardy613 commented Aug 5, 2020

@AlexanderS I just tested ConnectBot-git-v1.9.7-7-g5a317a6e-google.apk, which seemed to be the latest prerelease, hoping that this would make ConnectBot usable again. Unfortunately I'm still SOL due to the key exchange failure with "Unknown hostkey type rsa-sha2-512". Is there something else needed to be able to use this hostkey type? Other than file size, I'm still missing the difference between the oss vs. google builds. I suspect this is because the latest 1.9.7 contains sshlib 2.2.13 but 2.2.14 is needed for things to work properly. Any chance someone can post a build of ConnectBot using sshlib 2.2.14, which may have my issue fixed?

@kruton
Member

kruton commented Aug 5, 2020

@rhardy613 could you give some information about the server you're connecting to? Linux distribution, OpenSSH server version, any special changes to sshd_config that you might have made? I can add it to the regression tests.

@rhardy613

The problem seems to present itself with old systems or SSH servers with minimal support. Looking through other tickets I found a few other instances with, I suspect, the same problem. ConnectBot is working with recent systems but not with systems which do not support the latest hostkeys. Ubuntu 16.04, OpenSSH 1:7.2p2-4ubuntu2.10. The servers support only these host key types: rsa-sha2-256,rsa-sha2-512. Oddly, it started working once I upped the verbosity of the OpenSSH server from the default INFO to VERBOSE to try to debug getting ConnectBot to connect today. I realize this makes for the worst kind of problem report...

@virtualdj
Contributor

@kruton I noticed the same issue when trying to connect to a QNAP NAS. Neither ConnectBot 1.9.6 from the Play Store nor TermBot (as suggested above) works on Android 8.1.

I can post some interesting things, however; maybe they can be helpful to troubleshoot.

Settings

The QNAP NAS has its own SSH server (a customized version) running on port 22:

OpenSSH_8.0p1, OpenSSL 1.0.2s 28 May 2019

However, this instance doesn't output debug data, so I launched another instance on port 52221 (internal), then I mapped with port forwarding on my router the 52221 LAN port to 52201 WAN (external). I've created 3 different connections in ConnectBot:

ConnectBot connections

Attempt 1: external IP on debug server

I've tried using the 3rd connection, the one that tries on the public IP, and this is the result:

External IP, unknown key type rsa-sha2-512

At the same time, the debug on the server says (I've masked the keys):

[~] # /usr/sbin/sshd -p 52221 -D -d -e -f /etc/config/ssh/sshd_config
debug1: sshd version OpenSSH_8.0, OpenSSL 1.0.2s  28 May 2019
debug1: private host key #0: ssh-rsa SHA256:******************************************o
debug1: private host key #1: ssh-dss SHA256:******************************************Y
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-p'
debug1: rexec_argv[2]='52221'
debug1: rexec_argv[3]='-D'
debug1: rexec_argv[4]='-d'
debug1: rexec_argv[5]='-e'
debug1: rexec_argv[6]='-f'
debug1: rexec_argv[7]='/etc/config/ssh/sshd_config'
debug1: Set /proc/self/oom_score_adj from 0 to -1000
debug1: Bind to port 52221 on 0.0.0.0.
Server listening on 0.0.0.0 port 52221.
debug1: Bind to port 52221 on ::.
Server listening on :: port 52221.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: sshd version OpenSSH_8.0, OpenSSL 1.0.2s  28 May 2019
debug1: private host key #0: ssh-rsa SHA256:******************************************o
debug1: private host key #1: ssh-dss SHA256:******************************************Y
debug1: inetd sockets after dupping: 3, 3
Connection from 192.168.0.1 port 43380 on 192.168.0.20 port 52221
debug1: Local version string SSH-2.0-OpenSSH_8.0
debug1: Remote protocol version 2.0, remote software version TrileadSSH2Java_213
debug1: no match: TrileadSSH2Java_213
debug1: permanently_set_uid: 110/65534 [preauth]
debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ssh-rsa [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: kex: algorithm: curve25519-sha256 [preauth]
debug1: kex: host key algorithm: rsa-sha2-512 [preauth]
debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none [preauth]
debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug1: rekey out after 4294967296 blocks [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Connection closed by 192.168.0.1 port 43380 [preauth]
debug1: do_cleanup [preauth]
debug1: monitor_read_log: child log fd closed
debug1: do_cleanup
debug1: Killing privsep child 32178

As you can see, it's the client (ConnectBot) that disconnects, and the connection is coming from the router (192.168.0.1). If I use PuTTY on the PC it works; on Android, TermBot DOES NOT work (same error as ConnectBot), while JuiceSSH and Termux WORK after asking about the fingerprint of the host key.

Attempt 2: internal IP on debug server

I then tried the 2nd connection, with the smartphone connected over Wi-Fi to the LAN and requesting a connection on internal port 52221... same issue:

Internal IP, unknown key type rsa-sha2-512

The server log is exactly the same, apart from these 2 lines:

... cut ...
Connection from 192.168.0.115 port 51022 on 192.168.0.20 port 52221
... cut ...
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Connection closed by 192.168.0.115 port 51022 [preauth]
debug1: do_cleanup [preauth]
debug1: monitor_read_log: child log fd closed
debug1: do_cleanup
debug1: Killing privsep child 32734

Attempt 3: internal IP on main server

Then the first of the three connections above: this one connects to the internal IP on port 22, i.e. the QNAP SSH server.
This works:

Internal IP on port 22, working

I cannot provide debug output because, as I already said, this instance cannot be debugged.

Attempt 4: port forwarding local 22 to WAN 52201

Finally, I tried to forward local port 22 to WAN port 52201 and this is NOT working:

External IP mapped to port 22, unknown key type rsa-sha2-512

But again, PuTTY, JuiceSSH and Termux still work when ConnectBot and TermBot are failing.

Conclusions

I suspect that the problem is related to the port number, because when using port 22 ConnectBot connects while any other port number doesn't work. But probably, as TermBot is failing too, this may be something in the SSH connecting library?
I also tried with a friend's QNAP NAS with a different (older) firmware version as the destination server and again got the same errors with ConnectBot, so this behaviour is reproducible.

However, I must say, I'm connecting successfully to another very old NAS with ConnectBot on a port different from 22, but it's using sshd version OpenSSH_5.3p1... so the SSH server version is important too!

@virtualdj
Contributor

virtualdj commented Aug 13, 2020

any special changes to sshd_config that you might have made? I can add it to the regression tests

To add to my previous post, this is the sshd_config file content:

[~] # cat /etc/config/ssh/sshd_config
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
PermitRootLogin yes
UseDNS no
Subsystem sftp /usr/libexec/sftp-server
AllowTcpForwarding no
AllowUsers admin

EDIT: Also tried with ConnectBot-git-v1.9.7-7-g5a317a6e-google.apk and the result is the same, with the same log.

@virtualdj
Contributor

I tried installing Android Studio on a VM to debug and inspect why the latest git version of ConnectBot is also failing.
The complete exception is the following:

2020-08-20 17:06:51.450 1869-2122/org.connectbot.debug E/CB.SSH: Problem in SSH connection thread during authentication
    java.io.IOException: There was a problem while connecting to 192.168.0.20:22
        at com.trilead.ssh2.Connection.connect(Connection.java:808)
        at com.trilead.ssh2.Connection.connect(Connection.java:590)
        at org.connectbot.transport.SSH.connect(SSH.java:463)
        at org.connectbot.service.TerminalBridge$3.run(TerminalBridge.java:291)
        at java.lang.Thread.run(Thread.java:764)
     Caused by: java.io.IOException: Key exchange was not finished, connection is closed.
        at com.trilead.ssh2.transport.KexManager.getOrWaitForConnectionInfo(KexManager.java:154)
        at com.trilead.ssh2.transport.TransportManager.getConnectionInfo(TransportManager.java:156)
        at com.trilead.ssh2.Connection.connect(Connection.java:760)
        at com.trilead.ssh2.Connection.connect(Connection.java:590) 
        at org.connectbot.transport.SSH.connect(SSH.java:463) 
        at org.connectbot.service.TerminalBridge$3.run(TerminalBridge.java:291) 
        at java.lang.Thread.run(Thread.java:764) 
     Caused by: java.io.IOException: The server hostkey was not accepted by the verifier callback.
        at com.trilead.ssh2.transport.KexManager.handleMessage(KexManager.java:735)
        at com.trilead.ssh2.transport.TransportManager.receiveLoop(TransportManager.java:614)
        at com.trilead.ssh2.transport.TransportManager$1.run(TransportManager.java:310)
        at java.lang.Thread.run(Thread.java:764) 
     Caused by: java.lang.IllegalArgumentException: Unknown hostkey type rsa-sha2-512
        at com.trilead.ssh2.KnownHosts.verifyHostkey(KnownHosts.java:617)
        at org.connectbot.transport.SSH$HostKeyVerifier.verifyServerHostKey(SSH.java:173)
        at com.trilead.ssh2.transport.KexManager.handleMessage(KexManager.java:731)
        at com.trilead.ssh2.transport.TransportManager.receiveLoop(TransportManager.java:614) 
        at com.trilead.ssh2.transport.TransportManager$1.run(TransportManager.java:310) 
        at java.lang.Thread.run(Thread.java:764) 

I'm attaching a screenshot of the failing line here:
Exception in Android Studio
I think that the issue is in the sshlib library because it doesn't list rsa-sha2-512 in the verifyHostkey function, even in the latest version, which ConnectBot is not using yet.

This should be fixed by 90f7894 because the newer sshlib contains this commit: connectbot/sshlib@e6a49c5

Probably this is the wrong location, because the rawFingerPrint function is not called and the exception is raised.

Unfortunately I'm not skilled enough to patch the library (neither to use Android Studio correctly) so I hope @kruton can fix this ASAP.

@AlexanderS

Probably this is the wrong location, because the rawFingerPrint function is not called and the exception is raised.

You are right. This should fix the issue:

diff --git a/src/main/java/com/trilead/ssh2/KnownHosts.java b/src/main/java/com/trilead/ssh2/KnownHosts.java
index aa56015..01876cf 100644
--- a/src/main/java/com/trilead/ssh2/KnownHosts.java
+++ b/src/main/java/com/trilead/ssh2/KnownHosts.java
@@ -101,7 +101,7 @@ public class KnownHosts
                if (hostnames == null)
                        throw new IllegalArgumentException("hostnames may not be null");
 
-               if ("ssh-rsa".equals(serverHostKeyAlgorithm))
+               if ("ssh-rsa".equals(serverHostKeyAlgorithm) || serverHostKeyAlgorithm.startsWith("rsa-sha2-"))
                {
                        RSAPublicKey rpk = RSASHA1Verify.decodeSSHRSAPublicKey(serverHostKey);
 
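Review bot: `serverHostKeyAlgorithm.startsWith("rsa-sha2-")` dereferences the parameter, while the `"ssh-rsa".equals(serverHostKeyAlgorithm)` it is OR'ed with was null-safe, so either add a null guard in front of the new clause or accept the changed behaviour explicitly. The same condition is repeated verbatim in the second hunk; a small helper such as `isRSAHostKeyAlgorithm(serverHostKeyAlgorithm)` used in both places would keep the two sites in step when the next name needs handling (this thread already reports both rsa-sha2-512 and rsa-sha2-256). A one-line comment that rsa-sha2-* is a signature-algorithm name over an ordinary ssh-rsa key blob would also explain why `RSASHA1Verify.decodeSSHRSAPublicKey` remains the right decoder here.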
@@ -597,7 +597,7 @@ public class KnownHosts
        {
                PublicKey remoteKey = null;
 
-               if ("ssh-rsa".equals(serverHostKeyAlgorithm))
+               if ("ssh-rsa".equals(serverHostKeyAlgorithm) || serverHostKeyAlgorithm.startsWith("rsa-sha2-"))
                {
                        remoteKey = RSASHA1Verify.decodeSSHRSAPublicKey(serverHostKey);
                }
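Review bot: this is the `verifyHostkey` path that the stack trace earlier in the thread shows throwing "Unknown hostkey type rsa-sha2-512" (KnownHosts.java:617), so a regression test calling verifyHostkey with serverHostKeyAlgorithm set to "rsa-sha2-256" and "rsa-sha2-512" against an existing ssh-rsa known_hosts entry would lock the fix in, as was offered earlier in the thread. Duplicating the prefix check here rather than sharing one helper with the first hunk lets the two sites drift. Since only the key blob is decoded in this branch, it is worth confirming separately that signature verification for the rsa-sha2-* names uses SHA-256/SHA-512 rather than the SHA-1 path the `RSASHA1Verify` class name suggests.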

I will create a pull request for the sshlib.
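The point behind virtualdj's analysis and AlexanderS's patch is that rsa-sha2-256 and rsa-sha2-512 are signature-algorithm names negotiated during key exchange, not new key types: the host key blob on the wire is still an ordinary ssh-rsa public key and the known_hosts entry is still recorded as ssh-rsa. The following is an added example written for this thread, not code from ConnectBot or sshlib. It parses the ssh-rsa blob format, maps the negotiated algorithm back to the key type before consulting a known-hosts cache, and rejects genuinely unknown names the way the stack trace above shows. The status values, the ALGORITHM_TO_KEY_TYPE table and the sample key are all assumptions made for illustration; the modulus is a constructed toy value, not a real key.

```python
"""Host-key verification that maps RSA signature-algorithm names back to the
underlying key type. Illustrative code for the bug discussed in this thread,
not the trilead/sshlib implementation."""
import base64
import struct

# rsa-sha2-256 / rsa-sha2-512 (RFC 8332) sign with an ordinary "ssh-rsa" key:
# the key blob and the known_hosts key type do not change. This table is the
# only mapping the example knows (an assumption of this example).
ALGORITHM_TO_KEY_TYPE = {
    "ssh-rsa": "ssh-rsa",
    "rsa-sha2-256": "ssh-rsa",
    "rsa-sha2-512": "ssh-rsa",
    "ssh-ed25519": "ssh-ed25519",
}

# Illustrative status values (names chosen here, not the library's constants).
HOSTKEY_IS_OK, HOSTKEY_IS_NEW, HOSTKEY_HAS_CHANGED = "ok", "new", "changed"


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """RFC 4251 mpint: big-endian two's complement, 0x00 prefix if the high bit is set."""
    if value == 0:
        return _ssh_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def encode_ssh_rsa_public_key(e: int, n: int) -> bytes:
    """Wire-format ssh-rsa public key blob: string "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def _read_string(blob: bytes, offset: int):
    (length,) = struct.unpack_from(">I", blob, offset)
    start = offset + 4
    return blob[start:start + length], start + length


def decode_ssh_rsa_public_key(blob: bytes):
    """Parse an ssh-rsa blob into (e, n); reject blobs of any other key type."""
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError(f"not an ssh-rsa key blob: {key_type!r}")
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after RSA public key")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def key_type_for_algorithm(server_host_key_algorithm: str) -> str:
    """Map the negotiated host-key *algorithm* to the key *type* used in the
    known-hosts store. Accepting only the literal "ssh-rsa" here is the bug."""
    try:
        return ALGORITHM_TO_KEY_TYPE[server_host_key_algorithm]
    except KeyError:
        raise ValueError(f"Unknown hostkey type {server_host_key_algorithm}") from None


def verify_host_key(known_hosts: dict, hostname: str, algorithm: str, blob: bytes) -> str:
    """known_hosts: {hostname: (key_type, blob)}, as a client would cache it."""
    key_type = key_type_for_algorithm(algorithm)
    if key_type == "ssh-rsa":
        decode_ssh_rsa_public_key(blob)  # validate the blob structure before trusting it
    entry = known_hosts.get(hostname)
    if entry is None:
        return HOSTKEY_IS_NEW
    cached_type, cached_blob = entry
    if cached_type == key_type and cached_blob == blob:
        return HOSTKEY_IS_OK
    return HOSTKEY_HAS_CHANGED


def known_hosts_line(hostname: str, algorithm: str, blob: bytes) -> str:
    """OpenSSH-style known_hosts line; the type column is the key type, never rsa-sha2-*."""
    return f"{hostname} {key_type_for_algorithm(algorithm)} {base64.b64encode(blob).decode()}"


# Constructed sample key: a tiny modulus for illustration only, not a real key.
SAMPLE_BLOB = encode_ssh_rsa_public_key(65537, 0xC0FFEE1234567891)
SAMPLE_KNOWN_HOSTS = {"192.168.0.20": ("ssh-rsa", SAMPLE_BLOB)}


def demo():
    """Same cached ssh-rsa entry, verified under each RSA algorithm name."""
    return [verify_host_key(SAMPLE_KNOWN_HOSTS, "192.168.0.20", alg, SAMPLE_BLOB)
            for alg in ("ssh-rsa", "rsa-sha2-256", "rsa-sha2-512")]


if __name__ == "__main__":
    print(demo())
    print(known_hosts_line("192.168.0.20", "rsa-sha2-512", SAMPLE_BLOB))
```

The mapping step is the whole fix: once the negotiated name is reduced to its key type, a host already cached as ssh-rsa verifies cleanly whether the server signed with SHA-1, SHA-256 or SHA-512, which also explains the observation later in the thread that already-cached hosts kept working.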

@virtualdj
Contributor

I hope a new release will be published soon, so I can connect to my problematic host again!

@sppmasterspp

sppmasterspp commented Sep 2, 2020

I have the same issue.
The strange thing for me is that my connection was working fine until today. I didn't change the keys, nor the settings of the OpenWrt router, nor the ConnectBot client.
I can still connect normally via the LAN but get the "Unknown hostkey type rsa-sha2-256" error message when trying to connect from a remote network/location.

@virtualdj
Contributor

@sppmasterspp The library has been fixed. We just have to wait until they integrate the new version into a ConnectBot commit and publish a new release...

@sppmasterspp

sppmasterspp commented Sep 2, 2020

@sppmasterspp The library has been fixed. We just have to wait until they integrate the new version into a ConnectBot commit and publish a new release...

Thank you.
I can connect remotely to my other routers using the same private and public keys.
Connecting to just one of them gives that error.
I still don't understand why. The key that fails to connect was generated by ConnectBot.

@AlexanderS

I can connect remotely to my other routers using the same private and public keys.
Connecting to just one of them gives that error.
I still don't understand why. The key that fails to connect was generated by ConnectBot.

The issue occurs when ConnectBot does not have an entry for the host in the KnownHosts "file". So you can log in as long as the key is already cached for the hostname or IP address.

@sppmasterspp

sppmasterspp commented Sep 3, 2020

I can connect remotely to my other routers using the same private and public keys.
Connecting to just one of them gives that error.
I still don't understand why. The key that fails to connect was generated by ConnectBot.

The issue occurs when ConnectBot does not have an entry for the host in the KnownHosts "file". So you can log in as long as the key is already cached for the hostname or IP address.

Where is this KnownHosts file?
Is there a way to fix this, or should we wait for the updated app? I cannot find the ConnectBot folder on my Android device.

@sppmasterspp

@kruton Thanks for fixing this bug in the latest release. I can connect normally again.

@kruton
Member

kruton commented Sep 4, 2020

Thanks for the update. This was fixed with #850

@tessus

tessus commented Feb 22, 2021

@kruton Sorry for bumping the thread again. Thanks for the fix, but the latest available version on F-Droid is 1.2 years old (checked the Google Play Store... same thing). Are there any daily builds available? I currently can't build it myself.

@virtualdj
Contributor

Are there any daily builds available? I currently can't build it myself.

You can download the APK from the Releases section here, on GitHub:
https://github.com/connectbot/connectbot/releases

But I agree with you, the version on the Play Store (and F-Droid) should be updated as well, because if someone doesn't know they can come here, they simply uninstall the application thinking it doesn't work (and it doesn't, in fact, because it cannot connect to the server).

@virtualdj
Contributor

@kruton
Hi, today a friend of mine installed ConnectBot from the Play Store and still got the error:

[screenshot of the same "unknown key type" error]

I told him to install the APK from the Releases section of GitHub, and after updating the installed app, of course, it worked!

So I'm asking: why is the Play Store version of ConnectBot still not updated and still has issues? On the web page I see the last update is 12th November 2019, so that's certainly the reason.

I don't have any problem installing an APK, but I know how to do it... other people simply think ConnectBot doesn't work (and actually it does not!) and switch to another app. Isn't that bad advertising for ConnectBot?

@bsmojver

Yeah, still a problem with the Play Store version.

@sosgasm

sosgasm commented Aug 22, 2021

Yes, the Play Store version is not working in my case. I just installed TermBot from the F-Droid store.

@ap-wtioit

Will there be a new release for the Play Store?

@kruton
Member

kruton commented Oct 22, 2021 via email

@karen-pal

The problem still persists on the Play Store version.
