SSH Key Algorithm Compatibility Issue

[FLX-0x00]

Issue Summary

When testing older systems with Legba, the SSH authentication fails due to unsupported key algorithms. Older systems often only support legacy SSH key algorithms (e.g., ssh-rsa), but since Legba relies on the system SSH client, it inherits modern restrictions and fails to authenticate.

Expected Behavior

Legba should respect user-defined SSH configurations or allow users to specify custom SSH options to work with older systems. Currently the older systems will be "ignored" and maybe missed in an engangement.

Observed Behavior

When attempting to authenticate to an older SSH target, Legba fails with the error:

Ssh error occurred: No common key algorithm

Even though the system’s native SSH client can connect when using custom options like:

ssh -o HostKeyAlgorithms=+ssh-rsa user@target

or configuring .ssh/config with:

Host *
  HostKeyAlgorithms +ssh-rsa

Legba does not seem to respect these settings, leading to failed connections.

Steps to Reproduce

1. Set up an older SSH server that only supports legacy key algorithms (e.g., ssh-rsa).
2. Ensure the system’s SSH client can connect using either:
   • ssh -o HostKeyAlgorithms=+ssh-rsa user@target
   • Modifying .ssh/config as shown above.
3. Run Legba against the same target. legba ssh --target @./ssh.txt --combinations pass.txt --ssh-auth-mode password
4. Authentication fails with No common key algorithm.

Possible Solutions

• Allow custom SSH options: Add a CLI flag to pass SSH options, e.g., --ssh-options "-o HostKeyAlgorithms=+ssh-rsa".
• Respect user SSH configuration: Ensure Legba reads .ssh/config settings.
• Automatically allow older protocols: If possible, detect unsupported algorithms and adjust accordingly.
• Provide a fallback mechanism: If authentication fails due to key algorithms, attempt a retry with broader compatibility.

Environment

• Legba version: Latest
• OS: Arch Linux
• SSH client version: OpenSSH_9.9p2
• Target system: Linux ubuntu 3.13.0-29-generic | OpenSSH_6.6

Would love to hear your thoughts on possible fixes! Thanks for the great tool. Hopefully I am not missing something obvious and getting the disappointed cat.

[meichengg]

Same issue!!!!!!

[evilsocket]

Legba does not use the system client, but this crate https://github.com/Miyoshi-Ryota/async-ssh2-tokio ... i'm on it, investigating if i can support ssh-rsa with it

[evilsocket]

@FLX-0x00 would it be possible for you to provide the /etc/ssh/sshd_config file of the target system so I can replicate the exact configuration?

[FLX-0x00]

ム cat /etc/ssh/sshd_config | ag -v "#" | sort -u

AuthorizedKeysFile      .ssh/authorized_keys
Include /etc/ssh/sshd_config.d/*.conf
Subsystem       sftp    /usr/lib/ssh/sftp-server

ム cat /etc/ssh/sshd_config.d/99-archlinux.conf | ag -v "#" | sort -u
KbdInteractiveAuthentication no
PrintMotd no
UsePAM yes

ム cat /etc/ssh/sshd_config.d/20-systemd-userdb.conf | ag -v "#" | sort -u
AuthorizedKeysCommandUser root
AuthorizedKeysCommand /usr/bin/userdbctl ssh-authorized-keys %u

[meichengg]

In my case, i have to run this long command instead of just ssh root@...

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-rsa,ssh-dss -oPubkeyAcceptedAlgorithms=+ssh-rsa,ssh-dss -oCiphers=+aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc -oMACs=+hmac-md5,hmac-sha1 root@...

[evilsocket]

thanks guys! will try to replicate and hopefully fix

[meichengg]

Oh, just to update more information for you. I ssh to routers using busybox (ssh server/cli using dropbear). My busybox kernel is Linux 701-XD3200 3.3.8 #16 Fri Jun 24 17:36:46 CST 2016 mips GNU/Linux.

root@nan484625:~# proxychains -q ssh root@192.168...
select2: Bad file descriptor
Unable to negotiate with 127.0.0.1 port 1080: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1

This command helps me to ssh into my box.

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-rsa,ssh-dss -oPubkeyAcceptedAlgorithms=+ssh-rsa,ssh-dss -oCiphers=+aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc -oMACs=+hmac-md5,hmac-sha1 root@...

[evilsocket]

@meichengg you wouldn't happen to know if there's a docker image with this setup already? :P

[meichengg]

@meichengg you wouldn't happen to know if there's a docker image with this setup already? :P

Hmm no i dont, can you show me?

[evilsocket]

@meichengg show you what? i need to replicate this exact setup with an apparently legacy dropbear ssh server and having a dockerfile for whatever iot this is would be helpful .. nevermind, i'll try to replicate somehow 👍🏻

[meichengg]

Oh sorry i misunderstood, i don't have docker images for this, its hard to find such old environment like that but i can help if you need to troubleshoot.

[evilsocket]

@meichengg no worries, thanks for your help! Two things would help a lot at this point:

1. The entire log of an ssh session to this device, with -vvv for increased verbosity, so I can see exactly what algorithms are used by both the client and the server. Needless to say, if there's anything sensitive (there shouldn't be anything really), please REDACT.
2. A run of legba, failing, with the RUST_LOG environment variable set to debug.

Thanks a lot again!

[meichengg]

This is when i SSH to the router with correct flags.

root@nan484625:~/vcb/fscan# proxychains -q ssh -oKexAlgorithms=+diffie-hellman-group1-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-rsa,ssh-dss -oPubkeyAcceptedAlgorithms=+ssh-rsa,ssh-dss -oCiphers=+aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc -oMACs=+hmac-md5,hmac-sha1 root@192.168.1.141 -vvv
OpenSSH_8.9p1 Ubuntu-3ubuntu0.13, OpenSSL 3.0.2 15 Mar 2022
select2: Bad file descriptor
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolve_canonicalize: hostname 192.168.1.141 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/root/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/root/.ssh/known_hosts2'
debug3: ssh_connect_direct: entering
debug1: Connecting to 192.168.1.141 [192.168.1.141] port 22.
debug3: set_sock_tos: set socket 3 IP_TOS 0x10
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa_sk type -1
debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_ed25519_sk type -1
debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.13
debug1: Remote protocol version 2.0, remote software version dropbear_2011.54
debug1: compat_banner: no match: dropbear_2011.54
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 192.168.1.141:22 as 'root'
debug3: record_hostkey: found key type RSA in file /root/.ssh/known_hosts:10
debug3: load_hostkeys_file: loaded 1 keys from 192.168.1.141
debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug3: order_hostkeyalgs: prefer hostkeyalgs: rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,sntrup761x25519-sha512@openssh.com,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,ext-info-c,kex-strict-c-v00@openssh.com
debug2: host key algorithms: rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,ssh-dss
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,ssh-dss
debug2: ciphers ctos: aes128-ctr,3des-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes256-cbc
debug2: ciphers stoc: aes128-ctr,3des-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes256-cbc
debug2: MACs ctos: hmac-sha1,hmac-md5
debug2: MACs stoc: hmac-sha1,hmac-md5
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: diffie-hellman-group1-sha1
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug2: bits set: 504/1024
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-rsa [REDACTED_HOST_KEY]
debug3: record_hostkey: found key type RSA in file /root/.ssh/known_hosts:10
debug3: load_hostkeys_file: loaded 1 keys from 192.168.1.141
debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '192.168.1.141' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:10
debug2: bits set: 527/1024
debug3: send packet: type 21
debug2: ssh_set_newkeys: mode 1
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: ssh_set_newkeys: mode 0
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /root/.ssh/id_rsa
debug1: Will attempt key: /root/.ssh/id_ecdsa
debug1: Will attempt key: /root/.ssh/id_ecdsa_sk
debug1: Will attempt key: /root/.ssh/id_ed25519
debug1: Will attempt key: /root/.ssh/id_ed25519_sk
debug1: Will attempt key: /root/.ssh/id_xmss
debug1: Will attempt key: /root/.ssh/id_dsa
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug3: no such identity: /root/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_ecdsa
debug3: no such identity: /root/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_ecdsa_sk
debug3: no such identity: /root/.ssh/id_ecdsa_sk: No such file or directory
debug1: Trying private key: /root/.ssh/id_ed25519
debug3: no such identity: /root/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: /root/.ssh/id_ed25519_sk
debug3: no such identity: /root/.ssh/id_ed25519_sk: No such file or directory
debug1: Trying private key: /root/.ssh/id_xmss
debug3: no such identity: /root/.ssh/id_xmss: No such file or directory
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
root@192.168.1.141's password:
debug3: send packet: type 50
debug2: we sent a password packet, wait for reply
debug3: receive packet: type 52
Authenticated to 192.168.1.141 ([127.0.0.1]:1080) using "password".
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Entering interactive session.
debug1: pledge: filesystem
debug3: receive packet: type 91
debug2: channel_input_open_confirmation: channel 0: callback start
debug2: fd 3 setting TCP_NODELAY
debug3: set_sock_tos: set socket 3 IP_TOS 0x10
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug3: send packet: type 98
debug1: Sending environment.
debug3: Ignored env SHELL
debug3: Ignored env HISTCONTROL
debug1: channel 0: setting env LC_MONETARY = "C.UTF-8"
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env GOBIN
debug3: Ignored env PWD
debug3: Ignored env LOGNAME
debug3: Ignored env XDG_SESSION_TYPE
debug3: Ignored env MOTD_SHOWN
debug3: Ignored env HOME
debug1: channel 0: setting env LANG = "C.UTF-8"
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env LS_COLORS
debug3: Ignored env CARGO_HOME
debug3: Ignored env RUSTUP_TOOLCHAIN
debug3: Ignored env __MISE_DIFF
debug3: Ignored env SSH_CONNECTION
debug3: Ignored env GOROOT
debug3: Ignored env __MISE_ORIG_PATH
debug3: Ignored env LESSCLOSE
debug3: Ignored env XDG_SESSION_CLASS
debug3: Ignored env TERM
debug3: Ignored env RUSTUP_HOME
debug3: Ignored env LESSOPEN
debug3: Ignored env USER
debug3: Ignored env __MISE_SESSION
debug3: Ignored env SHLVL
debug1: channel 0: setting env LC_MESSAGES = "C.UTF-8"
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env XDG_SESSION_ID
debug3: Ignored env ATUIN_SESSION
debug3: Ignored env ATUIN_HISTORY_ID
debug1: channel 0: setting env LC_CTYPE = "C.UTF-8"
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env XDG_RUNTIME_DIR
debug3: Ignored env SSH_CLIENT
debug1: channel 0: setting env LC_TIME = "C.UTF-8"
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug1: channel 0: setting env LC_ALL = "C.UTF-8"
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug1: channel 0: setting env LC_COLLATE = "C.UTF-8"
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env MISE_SHELL
debug3: Ignored env XDG_DATA_DIRS
debug3: Ignored env PATH
debug3: Ignored env DBUS_SESSION_BUS_ADDRESS
debug3: Ignored env SSH_TTY
debug3: Ignored env ATUIN_PREEXEC_BACKEND
debug1: channel 0: setting env LC_NUMERIC = "C.UTF-8"
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env OLDPWD
debug3: Ignored env _
debug3: Ignored env PROXYCHAINS_CONF_FILE
debug3: Ignored env PROXYCHAINS_QUIET_MODE
debug3: Ignored env LD_PRELOAD
debug2: channel 0: request shell confirm 1
debug3: send packet: type 98
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 24576 rmax 32768
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0


BusyBox v1.19.4 (2016-03-14 15:08:48 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

     MM           NM                    MMMMMMM          M       M
   $MMMMM        MMMMM                MMMMMMMMMMM      MMM     MMM
  MMMMMMMM     MM MMMMM.              MMMMM:MMMMMM:   MMMM   MMMMM
MMMM= MMMMMM  MMM   MMMM       MMMMM   MMMM  MMMMMM   MMMM  MMMMM'
MMMM=  MMMMM MMMM    MM       MMMMM    MMMM    MMMM   MMMMNMMMMM
MMMM=   MMMM  MMMMM          MMMMM     MMMM    MMMM   MMMMMMMM
MMMM=   MMMM   MMMMMM       MMMMM      MMMM    MMMM   MMMMMMMMM
MMMM=   MMMM     MMMMM,    NMMMMMMMM   MMMM    MMMM   MMMMMMMMMMM
MMMM=   MMMM      MMMMMM   MMMMMMMM    MMMM    MMMM   MMMM  MMMMMM
MMMM=   MMMM   MM    MMMM    MMMM      MMMM    MMMM   MMMM    MMMM
MMMM$ ,MMMMM  MMMMM  MMMM    MMM       MMMM   MMMMM   MMMM    MMMM
  MMMMMMM:      MMMMMMM     M         MMMMMMMMMMMM  MMMMMMM MMMMMMM
    MMMMMM       MMMMN     M           MMMMMMMMM      MMMM    MMMM
     MMMM          M                    MMMMMMM        M       M
       M
 ---------------------------------------------------------------
   For those about to rock... ([REDACTED], unknown)
 ---------------------------------------------------------------
root@[REDACTED_HOSTNAME]:~# debug3: receive packet: type 96
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: chan_shutdown_write: channel 0: (i0 o1 sock -1 wfd 8 efd 9 [write])
debug2: channel 0: output drain -> closed
debug3: receive packet: type 98
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug3: receive packet: type 97
debug2: channel 0: rcvd close
debug2: chan_shutdown_read: channel 0: (i0 o3 sock -1 wfd 7 efd 9 [write])
debug2: channel 0: input open -> closed
debug3: channel 0: will not send data after close
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug3: send packet: type 97
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i3/0 o3/0 e[write]/0 fd -1/-1/9 sock -1 cc -1 io 0x00/0x00)

debug3: send packet: type 1
Connection to 192.168.1.141 closed.
Transferred: sent 2976, received 2392 bytes, in 2.5 seconds
Bytes per second: sent 1196.4, received 961.6
debug1: Exit status 0

This is when i SSH to the router with default flags.

root@nan484625:~/vcb/fscan# proxychains -q ssh root@192.168.1.141 -vvv
select2: Bad file descriptor
OpenSSH_8.9p1 Ubuntu-3ubuntu0.13, OpenSSL 3.0.2 15 Mar 2022
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolve_canonicalize: hostname 192.168.1.141 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/root/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/root/.ssh/known_hosts2'
debug3: ssh_connect_direct: entering
debug1: Connecting to 192.168.1.141 [192.168.1.141] port 22.
debug3: set_sock_tos: set socket 3 IP_TOS 0x10
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa_sk type -1
debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_ed25519_sk type -1
debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.13
debug1: Remote protocol version 2.0, remote software version dropbear_2011.54
debug1: compat_banner: no match: dropbear_2011.54
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 192.168.1.141:22 as 'root'
debug3: record_hostkey: found key type RSA in file /root/.ssh/known_hosts:10
debug3: load_hostkeys_file: loaded 1 keys from 192.168.1.141
debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug3: order_hostkeyalgs: prefer hostkeyalgs: rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,sntrup761x25519-sha512@openssh.com,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c,kex-strict-c-v00@openssh.com
debug2: host key algorithms: rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,ssh-dss
debug2: ciphers ctos: aes128-ctr,3des-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes256-cbc
debug2: ciphers stoc: aes128-ctr,3des-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes256-cbc
debug2: MACs ctos: hmac-sha1,hmac-md5
debug2: MACs stoc: hmac-sha1,hmac-md5
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: (no match)
Unable to negotiate with 127.0.0.1 port 1080: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1

And this is debug log.

RUST_LOG=debug proxychains -q ./legba ssh -T 192.168.1.141 -U user.txt -P pass.txt
legba v0.10.0

[DEBUG] {
      "list_plugins": false,
      "plugin": "ssh",
      "recipe": null,
      "target": "192.168.1.141",
      "api": null,
      "api_allowed_origin": "127.0.0.1",
      "mcp": null,
      "username": "user.txt",
      "password": "pass.txt",
      "combinations": null,
      "separator": ":",
      "iterate_by": "User",
      "session": null,
      "output": null,
      "output_format": "Text",
      "timeout": 10000,
      "retries": 5,
      "retry_time": 1000,
      "single_match": false,
      "ulimit": 10000,
      "concurrency": 20,
      "rate_limit": 0,
      "wait": 0,
      "jitter_min": 0,
      "jitter_max": 0,
      "quiet": false,
      "cmd": {
        "cmd_binary": "",
        "cmd_args": "",
        "cmd_success_exit_code": 0,
        "cmd_success_match": null
      },
      "amqp": {
        "amqp_ssl": false
      },
      "http": {
        "http_success_codes": "200",
        "http_ua": null,
        "http_success_string": null,
        "http_failure_string": null,
        "http_follow_redirects": false,
        "http_method": "GET",
        "http_headers": [],
        "http_csrf_page": null,
        "http_csrf_regexp": "<input type=\"hidden\" name=\"(token)\" value=\"([^\"]+)\"",
        "http_payload": null,
        "http_enum_ext": "php",
        "http_enum_ext_placeholder": "%EXT%",
        "http_ntlm_domain": null,
        "http_ntlm_workstation": "CLIENT",
        "proxy": null,
        "proxy_auth": null
      },
      "dns": {
        "dns_resolvers": null,
        "dns_port": 53,
        "dns_attempts": 1,
        "dns_ip_lookup": false,
        "dns_max_positives": 10,
        "dns_no_https": false
      },
      "telnet": {
        "telnet_user_prompt": "login: ",
        "telnet_pass_prompt": "Password: ",
        "telnet_prompt": ":~$ "
      },
      "smb": {
        "smb_workgroup": "WORKGROUP",
        "smb_share": "IPC$"
      },
      "ssh": {
        "ssh_auth_mode": "Password",
        "ssh_key_passphrase": null
      },
      "smtp": {
        "smtp_mechanism": "PLAIN"
      },
      "socks5": {
        "socks5_address": "ifcfg.co",
        "socks5_port": 80
      },
      "pop3": {
        "pop3_ssl": false
      },
      "ldap": {
        "ldap_domain": null
      },
      "kerberos": {
        "kerberos_realm": null,
        "kerberos_protocol": "TCP",
        "kerberos_linux": false
      },
      "rdp": {
        "rdp_domain": "",
        "rdp_ntlm": false,
        "rdp_admin_mode": false,
        "rdp_auto_logon": false
      },
      "mqtt": {
        "mqtt_client_id": "legba",
        "mqtt_v5": false
      },
      "redis": {
        "redis_ssl": false
      },
      "port_scanner": {
        "port_scanner_ports": "[1-65535]",
        "port_scanner_no_banners": false,
        "port_scanner_no_udp": false,
        "port_scanner_no_tcp": false,
        "port_scanner_banner_timeout": 1500,
        "port_scanner_http": "80, 8080, 8081, 8888",
        "port_scanner_https": "443, 8443",
        "port_scanner_http_headers": "server, x-powered-by, location, content-type"
      },
      "irc": {
        "irc_tls": false
      }
    }
[INFO ] target: 192.168.1.141
[DEBUG] loading wordlist from user.txt ...
[DEBUG] loading wordlist from pass.txt ...
[DEBUG] loading wordlist from user.txt ...
[DEBUG] loading wordlist from pass.txt ...
[INFO ] username -> wordlist user.txt
[INFO ] password -> wordlist pass.txt

[DEBUG] worker started
[DEBUG] worker started
[DEBUG] worker started
[DEBUG] worker started
[DEBUG] ssh key file: Vcb~1980
[DEBUG] worker started
[DEBUG] worker started
[DEBUG] ssh key file: Vcb1980!
[DEBUG] worker started
[DEBUG] worker started
[DEBUG] ssh key file: Vcb1980~
[DEBUG] worker started
[DEBUG] ssh key file: Vcb1980#
[DEBUG] ssh key file: Vcb!1980
[DEBUG] worker started
[DEBUG] worker started
[DEBUG] ssh key file: Vcb1980$
[DEBUG] worker started
[DEBUG] worker started
[DEBUG] ssh key file: Vcb1980@
[DEBUG] ssh key file: Vcb1980%
[DEBUG] ssh key file: Vcb#1980
[DEBUG] worker started
[DEBUG] ssh key file: Vcb@1980
[DEBUG] ssh key file: Vcb$1980
[DEBUG] worker started
[DEBUG] ssh key file: Vcb%1980
[DEBUG] worker started
[DEBUG] worker started
[DEBUG] ssh key file: Vcb&1980
[DEBUG] ssh key file: Vcb1980&
[DEBUG] worker started
[DEBUG] ssh key file: Vcb1980
[DEBUG] ssh key file: Vcb1980
[DEBUG] ssh key file: Vcb^1980
[DEBUG] ssh key file: Vcb1980^
[DEBUG] worker started
[DEBUG] worker started
[DEBUG] ssh key file: Vcb~1981
[DEBUG] ssh key file: Vcb1981~
[INFO ] error: Err(SshError(Disconnect))
[DEBUG] [192.168.1.141] attempt 1/5: Ssh error occured: Disconnected
[INFO ] error: Err(SshError(Disconnect))
[DEBUG] [192.168.1.141] attempt 1/5: Ssh error occured: Disconnected
[INFO ] error: Err(SshError(Disconnect))
[DEBUG] [192.168.1.141] attempt 1/5: Ssh error occured: Disconnected
[INFO ] error: Err(SshError(Disconnect))
[DEBUG] [192.168.1.141] attempt 1/5: Ssh error occured: Disconnected
[DEBUG] beginning re-key
[DEBUG] beginning re-key
[DEBUG] beginning re-key
[DEBUG] beginning re-key
[DEBUG] beginning re-key
[DEBUG] > msg type 20, len 908
[DEBUG] > msg type 20, len 908
[DEBUG] > msg type 20, len 908
[INFO ] error: Err(SshError(Disconnect))
[DEBUG] [192.168.1.141] attempt 1/5: Ssh error occured: Disconnected
[DEBUG] > msg type 20, len 908
[DEBUG] > msg type 20, len 908
[INFO ] error: Err(SshError(Disconnect))
[DEBUG] [192.168.1.141] attempt 1/5: Ssh error occured: Disconnected
[INFO ] error: Err(SshError(Disconnect))
[DEBUG] [192.168.1.141] attempt 1/5: Ssh error occured: Disconnected
[INFO ] error: Err(SshError(Disconnect))
[DEBUG] [192.168.1.141] attempt 1/5: Ssh error occured: Disconnected
[INFO ] error: Err(SshError(Disconnect))
[DEBUG] [192.168.1.141] attempt 1/5: Ssh error occured: Disconnected
[INFO ] error: Err(SshError(Disconnect))
[INFO ] error: Err(SshError(Disconnect))
[INFO ] error: Err(SshError(Disconnect))
[INFO ] error: Err(SshError(Disconnect))
[DEBUG] [192.168.1.141] attempt 1/5: Ssh error occured: Disconnected
[INFO ] error: Err(SshError(Disconnect))
[DEBUG] [192.168.1.141] attempt 1/5: Ssh error occured: Disconnected
[DEBUG] [192.168.1.141] attempt 1/5: Ssh error occured: Disconnected
[INFO ] error: Err(SshError(Disconnect))
[DEBUG] [192.168.1.141] attempt 1/5: Ssh error occured: Disconnected
[DEBUG] [192.168.1.141] attempt 1/5: Ssh error occured: Disconnected
[DEBUG] [192.168.1.141] attempt 1/5: Ssh error occured: Disconnected
[DEBUG] < msg type 20, seqn 1, len 297
[DEBUG] drop session
[DEBUG] kex_done_signal sender was dropped RecvError(())
[INFO ] error: Err(SshError(NoCommonAlgo { kind: Kex, ours: ["curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group18-sha512", "diffie-hellman-group17-sha512", "diffie-hellman-group16-sha512", "diffie-hellman-group15-sha512", "diffie-hellman-group14-sha256", "ext-info-c", "ext-info-s", "kex-strict-c-v00@openssh.com", "kex-strict-s-v00@openssh.com"], theirs: ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"] }))
[DEBUG] [192.168.1.141] attempt 1/5: Ssh error occured: No common Kex algorithm - ours: ["curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group18-sha512", "diffie-hellman-group17-sha512", "diffie-hellman-group16-sha512", "diffie-hellman-group15-sha512", "diffie-hellman-group14-sha256", "ext-info-c", "ext-info-s", "kex-strict-c-v00@openssh.com", "kex-strict-s-v00@openssh.com"], theirs: ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"]
[DEBUG] < msg type 20, seqn 1, len 297
[DEBUG] < msg type 20, seqn 1, len 297
[DEBUG] < msg type 20, seqn 1, len 297
[DEBUG] drop session
[DEBUG] kex_done_signal sender was dropped RecvError(())
[INFO ] error: Err(SshError(NoCommonAlgo { kind: Kex, ours: ["curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group18-sha512", "diffie-hellman-group17-sha512", "diffie-hellman-group16-sha512", "diffie-hellman-group15-sha512", "diffie-hellman-group14-sha256", "ext-info-c", "ext-info-s", "kex-strict-c-v00@openssh.com", "kex-strict-s-v00@openssh.com"], theirs: ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"] }))
[DEBUG] [192.168.1.141] attempt 1/5: Ssh error occured: No common Kex algorithm - ours: ["curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group18-sha512", "diffie-hellman-group17-sha512", "diffie-hellman-group16-sha512", "diffie-hellman-group15-sha512", "diffie-hellman-group14-sha256", "ext-info-c", "ext-info-s", "kex-strict-c-v00@openssh.com", "kex-strict-s-v00@openssh.com"], theirs: ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"]
[DEBUG] drop session
[DEBUG] < msg type 20, seqn 1, len 297
[DEBUG] kex_done_signal sender was dropped RecvError(())
[DEBUG] drop session
[INFO ] error: Err(SshError(NoCommonAlgo { kind: Kex, ours: ["curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group18-sha512", "diffie-hellman-group17-sha512", "diffie-hellman-group16-sha512", "diffie-hellman-group15-sha512", "diffie-hellman-group14-sha256", "ext-info-c", "ext-info-s", "kex-strict-c-v00@openssh.com", "kex-strict-s-v00@openssh.com"], theirs: ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"] }))
[DEBUG] [192.168.1.141] attempt 1/5: Ssh error occured: No common Kex algorithm - ours: ["curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group18-sha512", "diffie-hellman-group17-sha512", "diffie-hellman-group16-sha512", "diffie-hellman-group15-sha512", "diffie-hellman-group14-sha256", "ext-info-c", "ext-info-s", "kex-strict-c-v00@openssh.com", "kex-strict-s-v00@openssh.com"], theirs: ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"]
[DEBUG] kex_done_signal sender was dropped RecvError(())
[INFO ] error: Err(SshError(NoCommonAlgo { kind: Kex, ours: ["curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group18-sha512", "diffie-hellman-group17-sha512", "diffie-hellman-group16-sha512", "diffie-hellman-group15-sha512", "diffie-hellman-group14-sha256", "ext-info-c", "ext-info-s", "kex-strict-c-v00@openssh.com", "kex-strict-s-v00@openssh.com"], theirs: ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"] }))
[DEBUG] [192.168.1.141] attempt 1/5: Ssh error occured: No common Kex algorithm - ours: ["curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group18-sha512", "diffie-hellman-group17-sha512", "diffie-hellman-group16-sha512", "diffie-hellman-group15-sha512", "diffie-hellman-group14-sha256", "ext-info-c", "ext-info-s", "kex-strict-c-v00@openssh.com", "kex-strict-s-v00@openssh.com"], theirs: ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"]
[DEBUG] drop session
[DEBUG] kex_done_signal sender was dropped RecvError(())
[INFO ] error: Err(SshError(NoCommonAlgo { kind: Kex, ours: ["curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group18-sha512", "diffie-hellman-group17-sha512", "diffie-hellman-group16-sha512", "diffie-hellman-group15-sha512", "diffie-hellman-group14-sha256", "ext-info-c", "ext-info-s", "kex-strict-c-v00@openssh.com", "kex-strict-s-v00@openssh.com"], theirs: ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"] }))
[DEBUG] [192.168.1.141] attempt 1/5: Ssh error occured: No common Kex algorithm - ours: ["curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group18-sha512", "diffie-hellman-group17-sha512", "diffie-hellman-group16-sha512", "diffie-hellman-group15-sha512", "diffie-hellman-group14-sha256", "ext-info-c", "ext-info-s", "kex-strict-c-v00@openssh.com", "kex-strict-s-v00@openssh.com"], theirs: ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"]
[INFO ] tasks=20 mem=39.1 MiB targets=1 attempts=41616 done=0 (0.00%) speed=0 reqs/s
^C[INFO ] stopping ...
[DEBUG] exiting worker
[DEBUG] worker exit
[DEBUG] exiting loop
[INFO ] runtime 1.242228681s

[evilsocket]

This is golden, especially:

[DEBUG] [192.168.1.141] attempt 1/5: Ssh error occured: No common Kex algorithm - ours: ["curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group18-sha512", "diffie-hellman-group17-sha512", "diffie-hellman-group16-sha512", "diffie-hellman-group15-sha512", "diffie-hellman-group14-sha256", "ext-info-c", "ext-info-s", "kex-strict-c-v00@openssh.com", "kex-strict-s-v00@openssh.com"], theirs: ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"]

Thank you so much!