Re: ssh_options_set not working?

Mon, 29 May 2023 03:22:20 -0700 

On 5/26/23 17:17, Kerrison, Adam wrote:

Hello
I am trying to enable all supported key exchange methods, ciphers and HMACs to handle connecting to some truly ancient servers. The setup code is: 

   ssh_session session = ssh_new();

   fprintf(stderr, "SETTING KEYEX %s\n", ALL_KEYEX_METHODS);
 if(ssh_options_set(session, SSH_OPTIONS_KEY_EXCHANGE, ALL_KEYEX_METHODS) < 0) { 

    fprintf(stderr, "FAILED TO SET KEYEX\n");

    }

    fprintf(stderr, "SETTING CIPHERS %s\n", ALL_CIPHERS);
    if(ssh_options_set(session, SSH_OPTIONS_CIPHERS_C_S, ALL_CIPHERS) < 0) { 

       fprintf(stderr, "FAILED TO SET CIPHERS\n");

   }

   fprintf(stderr, "SETTING HMACS %s\n", ALL_HMACS);

   if(ssh_options_set(session, SSH_OPTIONS_HMAC_C_S, ALL_HMACS) < 0) {

     fprintf(stderr, "FAILED TO SET HMACS\n");

   }
Where the ALL_* values are constants defining all the supports things (see below) 

When I run the code my connection fails. The output is:
SETTING KEYEX curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
SETTING CIPHERS chacha20-poly1305,aes256-...@openssh.com,aes128-...@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc
SETTING HMACS hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha1-...@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-sha1
ERROR: failed to connect: kex error : no match for method kex algos: server [diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1], client [curve25519-sha256,curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512] (code 2)
So the ssh_options_set() calls aren’t failing but the values don’t seem to have been applied as the client keyex list doesn’t include the diffie-helman SHA1 methods that I set?
This API ignores any unknown algorithms, for example to avoid failing hard when parsing openssh configuration files. I do not think there is an API to retrieve the enabled algorithms, but the ssh_options_get() could be very simply extended to return the list of enabled algorithms for double-checking this. Feel free to propose the merge request!
The two algorithms supported by the server [diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1] are supported by libssh master, but they are not enabled by default in current versions. But using the ssh_options_set() should enable them.
The list of the algorithms you list in the outputs also differ both in content and order which sounds like the setting of the algorithms was not effective for some reason. 


What am I doing wrong here?
What libssh version are you using? Can you bump the log verbosity and check the logs for some more information? 

Regards,
--
Jakub Jelen
Crypto Team, Security Engineering
Red Hat, Inc.

Reply via email to