I am using libssh 0.10.5 on Windows. I've confirmed it was built with
WITH_GEX=1 (that’s the default and we've turned it off). I've added verbose
logging at the function level (see below) and tried also setting
SSH_OPTIONS_HOSTKEYS too.
I also tried implementing support for these options in ssh_options_get() which
works but the values are initialized to NULL and the existing code treats that
as an error ☹ My code works to retrieve the value after it has been set with
ssh_options_set() (you can see that in the log as NEW KEYEX). I don't know
where the values in the session struct would actually get set to handle the
initial NULL value.
Here is the log:
SETTING KEYEX
curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
NEW KEYEX =
curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
SETTING CIPHERS
chacha20-poly1305,aes256-...@openssh.com,aes128-...@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc
SETTING HMACS
hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha1-...@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-sha1
SETTING HOST_KEYS
ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
[2023/05/30 12:06:28.416222, 2] ssh_connect: libssh 0.10.5 (c) 2003-2023 Aris
Adamantiadis, Andreas Schneider and libssh contributors. Distributed under the
LGPL, please refer to COPYING file for information about your rights, using
threading threads_winlock
[2023/05/30 12:06:28.416222, 3] getai: host 10.49.32.30 matches an IP address
[2023/05/30 12:06:28.417199, 2] ssh_socket_connect: Nonblocking connection
socket: 296
[2023/05/30 12:06:28.423080, 2] ssh_connect: Socket connecting, now waiting
for the callbacks to work
[2023/05/30 12:06:28.423080, 3] ssh_connect: current state : 1
[2023/05/30 12:06:28.447504, 4] ssh_socket_pollcallback: Poll callback on
socket 296 (POLLOUT ), out buffer 0
[2023/05/30 12:06:28.447504, 3] ssh_socket_pollcallback: Received POLLOUT in
connecting state
[2023/05/30 12:06:28.448483, 1] socket_callback_connected: Socket connection
callback: 1 (0)
[2023/05/30 12:06:28.455678, 3] ssh_client_connection_callback: session_state=2
[2023/05/30 12:06:28.456656, 3] ssh_socket_unbuffered_write: Enabling POLLOUT
for socket
[2023/05/30 12:06:28.458607, 4] ssh_socket_unbuffered_write: wrote 23
[2023/05/30 12:06:28.458607, 3] ssh_connect: current state : 2
[2023/05/30 12:06:28.463486, 4] ssh_socket_pollcallback: Poll callback on
socket 296 (POLLOUT ), out buffer 0
[2023/05/30 12:06:28.463486, 3] ssh_connect: current state : 2
[2023/05/30 12:06:28.479142, 4] ssh_socket_pollcallback: Poll callback on
socket 296 (POLLIN ), out buffer 0
[2023/05/30 12:06:28.480078, 4] ssh_socket_unbuffered_read: read 25
[2023/05/30 12:06:28.480078, 3] callback_receive_banner: Received banner:
SSH-1.99-OpenSSH_3.6.1p2
[2023/05/30 12:06:28.486309, 3] ssh_client_connection_callback: session_state=3
[2023/05/30 12:06:28.486910, 2] ssh_client_connection_callback: SSH server
banner: SSH-1.99-OpenSSH_3.6.1p2
[2023/05/30 12:06:28.486910, 2] ssh_analyze_banner: Analyzing banner:
SSH-1.99-OpenSSH_3.6.1p2
[2023/05/30 12:06:28.487886, 2] ssh_analyze_banner: We are talking to an
OpenSSH server version: 3.6 (30600)
[2023/05/30 12:06:28.488862, 3] ssh_client_select_hostkeys: Order of wanted
host keys:
"ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa"
[2023/05/30 12:06:28.490854, 1] ssh_known_hosts_read_entries: Failed to open
the known_hosts file 'C:\Users\adam/.ssh/known_hosts': No such file or directory
[2023/05/30 12:06:28.490854, 1] ssh_known_hosts_read_entries: Failed to open
the known_hosts file '/etc/ssh/ssh_known_hosts': No such file or directory
[2023/05/30 12:06:28.495720, 3] ssh_client_select_hostkeys: No key found in
known_hosts; changing host key method to
"ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa"
[2023/05/30 12:06:28.495720, 4] ssh_send_kex: Sending KEXINIT packet,
first_kex_packet_follows = 0
[2023/05/30 12:06:28.496670, 4] ssh_list_kex: kex algos:
curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1,ext-info-c
[2023/05/30 12:06:28.496670, 4] ssh_list_kex: server host key algo:
ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
[2023/05/30 12:06:28.497646, 4] ssh_list_kex: encryption client->server:
aes256-...@openssh.com,aes128-...@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc
[2023/05/30 12:06:28.497646, 4] ssh_list_kex: encryption server->client:
chacha20-poly1...@openssh.com,aes256-...@openssh.com,aes128-...@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,
[2023/05/30 12:06:28.498621, 4] ssh_list_kex: mac algo client->server:
hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha1-...@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-sha1
[2023/05/30 12:06:28.498621, 4] ssh_list_kex: mac algo server->client:
hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha2-256,hmac-sha2-512
[2023/05/30 12:06:28.503515, 4] ssh_list_kex: compression algo client->server:
none,z...@openssh.com
[2023/05/30 12:06:28.503515, 4] ssh_list_kex: compression algo server->client:
none,z...@openssh.com
[2023/05/30 12:06:28.504482, 4] ssh_list_kex: languages client->server:
[2023/05/30 12:06:28.504482, 4] ssh_list_kex: languages server->client:
[2023/05/30 12:06:28.505454, 3] ssh_socket_unbuffered_write: Enabling POLLOUT
for socket
[2023/05/30 12:06:28.505454, 4] ssh_socket_unbuffered_write: wrote 936
[2023/05/30 12:06:28.506430, 3] packet_send2: packet: wrote [type=20, len=932,
padding_size=11, comp=920, payload=920]
[2023/05/30 12:06:28.506430, 3] ssh_send_kex: SSH_MSG_KEXINIT sent
[2023/05/30 12:06:28.507406, 3] ssh_connect: current state : 4
[2023/05/30 12:06:28.507406, 4] ssh_socket_pollcallback: Poll callback on
socket 296 (POLLOUT ), out buffer 0
[2023/05/30 12:06:28.507406, 4] ssh_socket_pollcallback: sending control flow
event
[2023/05/30 12:06:28.508382, 4] ssh_packet_socket_controlflow_callback:
sending channel_write_wontblock callback
[2023/05/30 12:06:28.508382, 3] ssh_connect: current state : 4
[2023/05/30 12:06:28.535711, 4] ssh_socket_pollcallback: Poll callback on
socket 296 (POLLIN ), out buffer 0
[2023/05/30 12:06:28.536686, 4] ssh_socket_unbuffered_read: read 544
[2023/05/30 12:06:28.537664, 3] ssh_packet_socket_callback: packet: read type
20 [len=540,padding=9,comp=530,payload=530]
[2023/05/30 12:06:28.537664, 3] ssh_packet_process: Dispatching handler for
packet type 20
[2023/05/30 12:06:28.539616, 4] ssh_packet_kexinit: KEXINIT received
[2023/05/30 12:06:28.539616, 3] ssh_client_connection_callback: session_state=5
[2023/05/30 12:06:28.540589, 4] ssh_list_kex: kex algos:
diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
[2023/05/30 12:06:28.540589, 4] ssh_list_kex: server host key algo:
ssh-rsa,ssh-dss
[2023/05/30 12:06:28.541568, 4] ssh_list_kex: encryption client->server:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-...@lysator.liu.se
[2023/05/30 12:06:28.541568, 4] ssh_list_kex: encryption server->client:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-...@lysator.liu.se
[2023/05/30 12:06:28.541568, 4] ssh_list_kex: mac algo client->server:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
[2023/05/30 12:06:28.542542, 4] ssh_list_kex: mac algo server->client:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
[2023/05/30 12:06:28.542542, 4] ssh_list_kex: compression algo client->server:
none,zlib
[2023/05/30 12:06:28.542542, 4] ssh_list_kex: compression algo server->client:
none,zlib
[2023/05/30 12:06:28.543518, 4] ssh_list_kex: languages client->server:
[2023/05/30 12:06:28.543518, 4] ssh_list_kex: languages server->client:
[2023/05/30 12:06:28.544493, 1] ssh_kex_select_methods: kex error : no match
for method encryption server->client: server
[aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-...@lysator.liu.se],
client
[chacha20-poly1...@openssh.com,aes256-...@openssh.com,aes128-...@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,]
[2023/05/30 12:06:28.544493, 3] ssh_connect: current state : 9
-----Original Message-----
From: Jakub Jelen <jje...@redhat.com>
Sent: 29 May 2023 11:22
To: libssh@libssh.org
Subject: [EXTERNAL] Re: ssh_options_set not working?
On 5/26/23 17:17, Kerrison, Adam wrote:
> Hello
>
> I am trying to enable all supported key exchange methods, ciphers and
> HMACs to handle connecting to some truly ancient servers. The setup code is:
>
> ssh_session session = ssh_new();
>
> fprintf(stderr, "SETTING KEYEX %s\n", ALL_KEYEX_METHODS);
>
> if(ssh_options_set(session, SSH_OPTIONS_KEY_EXCHANGE,
> ALL_KEYEX_METHODS) < 0) {
>
> fprintf(stderr, "FAILED TO SET KEYEX\n");
>
> }
>
> fprintf(stderr, "SETTING CIPHERS %s\n", ALL_CIPHERS);
>
> if(ssh_options_set(session, SSH_OPTIONS_CIPHERS_C_S, ALL_CIPHERS)
> <
> 0) {
>
> fprintf(stderr, "FAILED TO SET CIPHERS\n");
>
> }
>
> fprintf(stderr, "SETTING HMACS %s\n", ALL_HMACS);
>
> if(ssh_options_set(session, SSH_OPTIONS_HMAC_C_S, ALL_HMACS) < 0) {
>
> fprintf(stderr, "FAILED TO SET HMACS\n");
>
> }
>
> Where the ALL_* values are constants defining all the supports things
> (see below)
>
> When I run the code my connection fails. The output is:
>
> SETTING KEYEX
> curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nist
> p521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffi
> e-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hel
> lman-group1-sha1,diffie-hellman-group-exchange-sha1
>
> SETTING CIPHERS
> chacha20-poly1305,aes256-...@openssh.com,aes128-...@openssh.com,aes256
> -ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc
>
> SETTING HMACS
> hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha1-
> e...@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-sha1
>
> ERROR: failed to connect: kex error : no match for method kex algos:
> server
> [diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1],
> client
> [curve25519-sha256,curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecd
> h-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha25
> 6,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-h
> ellman-group18-sha512] (code 2)
>
> So the ssh_options_set() calls aren’t failing but the values don’t
> seem to have been applied as the client keyex list doesn’t include the
> diffie-helman SHA1 methods that I set?
This API ignores any unknown algorithms, for example to avoid failing hard when
parsing openssh configuration files. I do not think there is an API to retrieve
the enabled algorithms, but the ssh_options_get() could be very simply extended
to return the list of enabled algorithms for double-checking this. Feel free to
propose the merge request!
The two algorithms supported by the server
[diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1] are supported
by libssh master, but they are not enabled by default in current versions. But
using the ssh_options_set() should enable them.
The list of the algorithms you list in the outputs also differ both in content
and order which sounds like the setting of the algorithms was not effective for
some reason.
> What am I doing wrong here?
What libssh version are you using? Can you bump the log verbosity and check the
logs for some more information?
Regards,
--
Jakub Jelen
Crypto Team, Security Engineering
Red Hat, Inc.
