Unable to connect from windows due to algorithm mismatch #68

Open
D3SL opened this issue Dec 13, 2023 · 9 comments

@D3SL

D3SL commented Dec 13, 2023

When trying to connect to a CentOS machine from Windows I receive the following error:

Error: libssh failure at 'connect': kex error : no match for method server host key algo: server [ssh-rsa,ssh-dss], client [rsa-sha2-512,rsa-sha2-256,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com]

However, when I check in cmd, git bash, and powershell I see that I do have ssh-rsa in the lists and, interestingly, don't have some of the algorithms listed by R's SSH package.

CMD:

ssh-ed25519
ssh-ed25519-cert-v01@openssh.com
ssh-rsa
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
ssh-rsa-cert-v01@openssh.com
ssh-dss-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com

Git Bash:

ssh-ed25519
ssh-ed25519-cert-v01@openssh.com
sk-ssh-ed25519@openssh.com
sk-ssh-ed25519-cert-v01@openssh.com
ssh-rsa
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
sk-ecdsa-sha2-nistp256@openssh.com
ssh-rsa-cert-v01@openssh.com
ssh-dss-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com
@jeroen
Member

jeroen commented Dec 13, 2023

Which server are you connecting to? Is this a really old OS?

The ssh package uses libssh which is different from what is used by your local git/ssh commands. I think it ssh-rsa is not the same as ssh-rsa, you specifically need the sha2 version.

@D3SL
Author

D3SL commented Dec 13, 2023

Hi Jeroen. As I said in the first line of my post:

> When trying to connect to a CentOS machine from Windows I receive the following error...

CentOS7 is not the newest operating system but it hasn't reached end of life yet and is still supported. Additionally this is a new error, I've been using this package for some time without issue.

@D3SL
Author

D3SL commented Dec 13, 2023

Centos7 is not end of life yet, it is still supported. And as I said I've been using this package for some time now without issue, I've just noticed it now after having recently updated R and all packages.

@jeroen
Member

jeroen commented Dec 13, 2023

> CentOS7 is not the newest operating system but it hasn't reached end of life yet and is still supported. Additionally this is a new error, I've been using this package for some time without issue.

Yes I suspect libssh has disabled the unsafe algorithms in a recent update. I'll try to find a workaround for you.

@D3SL
Author

D3SL commented Dec 13, 2023

I think the issue is something else. I just checked with ssh -vv on the destination machines and these servers should absolutely support newer safer algorithms, at least if I'm reading this correctly. For some reason libssh from Windows 10 to CentOS7 can't seem to see these supported algorithms though:

debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96
debug2: kex_parse_kexinit: hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
debug2: kex_parse_kexinit: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128@openssh.com,umac-128-etm@openssh.com
debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128@openssh.com,umac-128-etm@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com

and another machine:

debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c
debug2: host key algorithms: ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-dss
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc

@jeroen
Member

jeroen commented Dec 13, 2023

So at what version of updating the R package did this problem start appearing?

@D3SL
Author

D3SL commented Dec 13, 2023

On Windows I've got the R package v0.9.1 linking to libssh 0.10.5, and currently working in an Ubuntu docker container I have R package version 0.8.2 linking to libssh 0.9.6.

For some reason R-ssh 0.9.1 and libssh 0.10.5 is seeing only ssh-rsa and ssh-dss on the target machine, even though it reports the following algorithms which overlap with the list given by R-ssh on my windows machine:

ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
rsa-sha2-256
rsa-sha2-512
ssh-ed25519
sk-ssh-ed25519@openssh.com

For thoroughness here is a verbose output from R on the working ubuntu docker container:

ssh_connect: libssh 0.9.6 (c) 2003-2021 Aris Adamantiadis, Andreas Schneider and libssh contributors. Distributed under the LGPL, please refer to COPYING file for information about your rights, using threading threads_pthread
ssh_socket_connect: Nonblocking connection socket: 3
ssh_connect: Socket connecting, now waiting for the callbacks to work
socket_callback_connected: Socket connection callback: 1 (0)
ssh_client_connection_callback: SSH server banner: SSH-2.0-OpenSSH_5.3
ssh_analyze_banner: Analyzing banner: SSH-2.0-OpenSSH_5.3
ssh_analyze_banner: We are talking to an OpenSSH client version: 5.3 (50300)
ssh_known_hosts_read_entries: Failed to open the known_hosts file '/etc/ssh/ssh_known_hosts': No such file or directory
ssh_kex_select_methods: Negotiated diffie-hellman-group-exchange-sha256,ssh-rsa,aes256-ctr,aes256-ctr,hmac-sha2-256,hmac-sha2-256,none,none,,
ssh_packet_client_dhgex_group: SSH_MSG_KEX_DH_GEX_GROUP received
ssh_packet_client_dhgex_reply: SSH_MSG_KEX_DH_GEX_REPLY received
ssh_init_rekey_state: Set rekey after 4294967296 blocks
ssh_init_rekey_state: Set rekey after 4294967296 blocks
ssh_packet_client_dhgex_reply: SSH_MSG_NEWKEYS sent
ssh_packet_newkeys: Received SSH_MSG_NEWKEYS
ssh_packet_newkeys: Signature verified and valid
Found known server key: XXXXX
ssh_packet_userauth_failure: Access denied for 'none'. Authentication that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
ssh_packet_userauth_failure: Access denied for 'none'. Authentication that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
ssh_pki_import_pubkey_file: Error opening /root/.ssh/id_ed25519.pub: No such file or directory
ssh_pki_import_privkey_file: Error opening /root/.ssh/id_ed25519: No such file or directory
ssh_pki_import_pubkey_file: Error opening /root/.ssh/id_ecdsa.pub: No such file or directory
ssh_pki_import_privkey_file: Error opening /root/.ssh/id_ecdsa: No such file or directory
ssh_pki_import_pubkey_file: Error opening /root/.ssh/id_rsa.pub: No such file or directory
ssh_pki_import_privkey_file: Error opening /root/.ssh/id_rsa: No such file or directory
ssh_pki_import_pubkey_file: Error opening /root/.ssh/id_dsa.pub: No such file or directory
ssh_pki_import_privkey_file: Error opening /root/.ssh/id_dsa: No such file or directory
ssh_userauth_publickey_auto: Tried every public key, none matched

@jeroen
Member

jeroen commented Dec 13, 2023

Does the verbose output on Windows show any hints why other methods are not considered?

@D3SL
Author

D3SL commented Dec 14, 2023

Here's the verbose output of my win10 computer with the latest R package trying to connect to the same remote as the previous log.

ssh_pki_import_privkey_base64: Trying to decode privkey passphrase=false
ssh_pki_openssh_import: Opening OpenSSH private key: ciphername: none, kdf: none, nkeys: 1
ssh_config_parse_line: Unsupported option: AddKeysToAgent, line: 5
ssh_connect: libssh 0.10.5 (c) 2003-2023 Aris Adamantiadis, Andreas Schneider and libssh contributors. Distributed under the LGPL, please refer to COPYING file for information about your rights, using threading threads_pthread
ssh_socket_connect: Nonblocking connection socket: 32740
ssh_connect: Socket connecting, now waiting for the callbacks to work
socket_callback_connected: Socket connection callback: 1 (0)
ssh_client_connection_callback: SSH server banner: SSH-2.0-OpenSSH_5.3
ssh_analyze_banner: Analyzing banner: SSH-2.0-OpenSSH_5.3
ssh_analyze_banner: We are talking to an OpenSSH server version: 5.3 (50300)
ssh_known_hosts_read_entries: Failed to open the known_hosts file '/etc/ssh/ssh_known_hosts': No such file or directory
ssh_kex_select_methods: kex error : no match for method server host key algo: server [ssh-rsa,ssh-dss], client [rsa-sha2-512,rsa-sha2-256,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com]
Error: libssh failure at 'connect': kex error : no match for method server host key algo: server [ssh-rsa,ssh-dss], client [rsa-sha2-512,rsa-sha2-256,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com]
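Added example, not part of the issue thread and not code from the ssh R package or libssh: a small Python diagnostic that parses the libssh `no match for method` line quoted above and replays the RFC 4253 selection rule (first name on the client's list that the server also lists) to show which side is missing what. The function names are hypothetical, the sample line is copied from the log in this thread, and the sketch assumes every listed name is usable, so it skips RFC 4253's extra capability checks.

```python
import re

# Sample input: the kex error line from the Windows log in this thread.
KEX_ERROR = (
    "ssh_kex_select_methods: kex error : no match for method server host key algo: "
    "server [ssh-rsa,ssh-dss], client [rsa-sha2-512,rsa-sha2-256,ssh-ed25519,"
    "ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,"
    "sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com]"
)

_PATTERN = re.compile(
    r"no match for method (?P<method>.+?): "
    r"server \[(?P<server>[^\]]*)\], client \[(?P<client>[^\]]*)\]"
)


def parse_kex_error(line):
    """Return (method, server_list, client_list) from a libssh kex error line."""
    m = _PATTERN.search(line)
    if m is None:
        raise ValueError("not a libssh 'no match for method' line")

    def split(names):
        return [n for n in names.split(",") if n]

    return m["method"], split(m["server"]), split(m["client"])


def negotiate(client, server):
    """First algorithm in the client's preference order that the server offers."""
    offered = set(server)
    return next((alg for alg in client if alg in offered), None)


def diagnose(line):
    """Summarise why negotiation failed: the choice made and each side's extras."""
    method, server, client = parse_kex_error(line)
    return {
        "method": method,
        "chosen": negotiate(client, server),  # None means no common algorithm
        "server_only": [a for a in server if a not in client],
        "client_only": [a for a in client if a not in server],
    }


if __name__ == "__main__":
    for key, value in diagnose(KEX_ERROR).items():
        print(f"{key}: {value}")
```

Run against the line above, `chosen` is `None` and `server_only` is `ssh-rsa, ssh-dss`: the two lists share no name, and `ssh-rsa` (the algorithm the libssh 0.9.6 session negotiated in the earlier log) is absent from the client list.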
