Hello Jakub, thanks for your reply.
It is exactly the other way round. The client does seem to accept only the save algorithms while the server only allows ssh-rsa. To my knowledge, this is due to the server using an older version of libssh (0.7.x) and the client being the newest version. I am not sure if this impacts your previous suggestion. If not, could you tell me which command I do have to append to which file, please? Also, I have appended the complete configuration file oft he client (/etc/ssh/sshd_config), if this helps. Thanks again! Best regards, Sebastian -----Ursprüngliche Nachricht----- Von: Jakub Jelen <jje...@redhat.com> Gesendet: Montag, 25. Mai 2020 18:42 An: libssh@libssh.org Betreff: Re: [SUPPORT REQUEST] Configuration of libssh host key algos on client NOTICE: This message originated from outside of the company. Please exercise caution when replying or opening links and attachments. On Mon, 2020-05-25 at 15:52 +0000, Sebastian Kraust wrote: > Hello libssh-team, > > I am currently working on a project using libssh under the hood, but > have problems to get it to work. I hope you can provide some help. > > Task > Write a client for an existing server which cannot be > changed/configured by me. > > Approach > Connect to the server using the function `ssh_connect`. > > Error > kex error : no match for method server host key algo: server [ssh- > rsa], client [ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2- > nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256] > > Problem > Due to the restriction that I can only change the client side, I have > to change the client so that it accepts the ssh-rsa algo. > According to the docs, it should be capable of doing so. > > Troubleshooting so far > Added > PubkeyAcceptedKeyTypes ssh-ed25519*,ssh-rsa*,ssh-dss*,ecdsa-sha2 > to /etc/ssh/sshd_config to allow every algo on the client side. > > I still get the same error. I do believe that the config might not be > the correct file to configure libssh. > > Can you give me some direction where I have to configure libssh so > that the client also accepts the ssh-rsa algorithm? If you need more > information, please let me know. The server is configured to accept only secure algorithms (eddsa, ecdsa and rsa with sha2 -- rsa-sha2-512,rsa-sha2-256). You probably configured your client to use only the old (ssh-rsa), which is not compatible with the new ones (and not considered secure anymore). If you need some backward compatibility with old server, append the SHA2 (rsa-sha2-512,rsa-sha2-256) algorithms, otherwise use only them. Regards, Jakub > Thanks for your help in advance. > > > Mit freundlichen Grüßen / Best regards > > i.A. Sebastian Kraust > Forschungsingenieur / Research Engineer > > b-plus GmbH > Osterhofener Str. 13 | 93055 Regensburg Tel +49 941 46624 208 | Fax > +49 991 270302 99 sebastian.kra...@b-plus.com > > Besucheradresse / Visitor address: > b-plus automotive GmbH > Osterhofener Str. 13, 93055 Regensburg, Germany > > Website<http://www.b-plus.com/> | XING< > https://www.xing.com/companies/b-plusgmbh> | FACEBOOK< > https://www.facebook.com/bplusGmbH/> | LinkedIn< > https://www.linkedin.com/company/b-plus-gmbh/> > [cid:image003.jpg@01D632BD.3948FA20]< > https://www.b-plus.com/de/news-events/newsansicht/article/b-plus-gehoe > rt-zu-bayerns-best-50.html > > > > b-plus GmbH > Geschäftsführer / Managing Director: Dipl.-Ing.(FH) Michael Sieg > Gerichtsstand /Handelsregister / Place of jurisdiction / Commercial > register: HRB 1753 Deggendorf / Germany Diese E-Mail enthält > vertrauliche und/oder rechtlich geschützte Informationen. Wenn Sie > nicht der richtige Adressat sind oder diese E-Mail irrtümlich erhalten > haben, informieren Sie bitte sofort den Absender und löschen Sie diese > Mail. Das unerlaubte Kopieren sowie die unbefugte Weitergabe dieser > Mail ist nicht gestattet. > This e-mail may contain confidential and/or privileged information. > If you are not the intended recipient (or have received this e-mail in > error) please notify the sender immediately and delete this e- mail. > Any unauthorized copying, disclosure or distribution of the contents > in this e-mail is strictly forbidden. > -- Jakub Jelen Senior Software Engineer Security Technologies Red Hat, Inc.
# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options override the # default value. #Port 22 #AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress :: HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ed25519_key # Ciphers and keying #RekeyLimit default none # Logging #SyslogFacility AUTH #LogLevel INFO # Authentication: #LoginGraceTime 2m PermitRootLogin yes #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 #PubkeyAuthentication yes # Expect .ssh/authorized_keys2 to be disregarded by default in future. AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 #AuthorizedPrincipalsFile none #AuthorizedKeysCommand none #AuthorizedKeysCommandUser nobody # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes #PermitEmptyPasswords no # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) ChallengeResponseAuthentication no # Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #KerberosGetAFSToken no # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes #GSSAPIStrictAcceptorCheck yes #GSSAPIKeyExchange no # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass # the setting of "PermitRootLogin without-password". # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. UsePAM yes #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes #PermitTTY yes PrintMotd no #PrintLastLog yes #TCPKeepAlive yes #UseLogin no #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 #UseDNS no #PidFile /var/run/sshd.pid #MaxStartups 10:30:100 #PermitTunnel no #ChrootDirectory none #VersionAddendum none # no default banner path #Banner none # Allow client to pass locale environment variables AcceptEnv LANG LC_* # override default of no subsystems Subsystem sftp /usr/lib/openssh/sftp-server # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no # AllowTcpForwarding no # PermitTTY no # ForceCommand cvs server PubkeyAcceptedKeyTypes ssh-ed25519*,ssh-rsa*,ssh-dss*,ecdsa-sha2*
