Re: [EXTERNAL] Re: ssh_options_set not working?

Wed, 31 May 2023 03:59:50 -0700 

On 5/30/23 17:25, Kerrison, Adam wrote:

I've made it work 😊  I need to set the server to client options, not the client 
to server ones (obviously). It’s a bit fiddly as there is no way for code to 
get the list of support and default methods. I found functions to do this in 
kex.c but these symbols aren't exposed in the .so/DLL, not sure how to do that.



Good to hear that! Yeah, there can be different lists for different 
directions for ciphers and hmacs, but in most of the cases it really 
makes sense to set both of the directions to the same algorithms 
(wondering if we should not have an API (without the _C_S/_S_C suffixes) 
to set both of them to avoid such confusion).



I've created a git clone and added my ssh_options_get() changes to branch - how 
do I create a PR? When I try to push I get a 403. I might have some other 
little changes too so being able to push would be handy



You will need to fork the repository on gitlab and push to your fork and 
then open a merge request (the same as pull request on github) against 
the main repository:


https://gitlab.com/libssh/libssh-mirror

Regards,
Jakub


Thanks

Adam

-----Original Message-----
From: Kerrison, Adam
Sent: 30 May 2023 12:11
To: libssh@libssh.org
Subject: RE: [EXTERNAL] Re: ssh_options_set not working?

I am using libssh 0.10.5 on Windows. I've confirmed it was built with 
WITH_GEX=1 (that’s the default and we've turned it off). I've added verbose 
logging at the function level (see below) and tried also setting 
SSH_OPTIONS_HOSTKEYS too.

I also tried implementing support for these options in ssh_options_get() which 
works but the values are initialized to NULL and the existing code treats that 
as an error ☹ My code works to retrieve the value after it has been set with 
ssh_options_set() (you can see that in the log as NEW KEYEX). I don't know 
where the values in the session struct would actually get set to handle the 
initial NULL value.

Here is the log:

SETTING KEYEX 
curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
NEW KEYEX = 
curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
SETTING CIPHERS 
chacha20-poly1305,aes256-...@openssh.com,aes128-...@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc
SETTING HMACS 
hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha1-...@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-sha1
SETTING HOST_KEYS 
ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
[2023/05/30 12:06:28.416222, 2] ssh_connect:  libssh 0.10.5 (c) 2003-2023 Aris 
Adamantiadis, Andreas Schneider and libssh contributors. Distributed under the 
LGPL, please refer to COPYING file for information about your rights, using 
threading threads_winlock
[2023/05/30 12:06:28.416222, 3] getai:  host 10.49.32.30 matches an IP address
[2023/05/30 12:06:28.417199, 2] ssh_socket_connect:  Nonblocking connection 
socket: 296
[2023/05/30 12:06:28.423080, 2] ssh_connect:  Socket connecting, now waiting 
for the callbacks to work
[2023/05/30 12:06:28.423080, 3] ssh_connect:  current state : 1
[2023/05/30 12:06:28.447504, 4] ssh_socket_pollcallback:  Poll callback on 
socket 296 (POLLOUT ), out buffer 0
[2023/05/30 12:06:28.447504, 3] ssh_socket_pollcallback:  Received POLLOUT in 
connecting state
[2023/05/30 12:06:28.448483, 1] socket_callback_connected:  Socket connection 
callback: 1 (0)
[2023/05/30 12:06:28.455678, 3] ssh_client_connection_callback:  session_state=2
[2023/05/30 12:06:28.456656, 3] ssh_socket_unbuffered_write:  Enabling POLLOUT 
for socket
[2023/05/30 12:06:28.458607, 4] ssh_socket_unbuffered_write:  wrote 23
[2023/05/30 12:06:28.458607, 3] ssh_connect:  current state : 2
[2023/05/30 12:06:28.463486, 4] ssh_socket_pollcallback:  Poll callback on 
socket 296 (POLLOUT ), out buffer 0
[2023/05/30 12:06:28.463486, 3] ssh_connect:  current state : 2
[2023/05/30 12:06:28.479142, 4] ssh_socket_pollcallback:  Poll callback on 
socket 296 (POLLIN ), out buffer 0
[2023/05/30 12:06:28.480078, 4] ssh_socket_unbuffered_read:  read 25
[2023/05/30 12:06:28.480078, 3] callback_receive_banner:  Received banner: 
SSH-1.99-OpenSSH_3.6.1p2
[2023/05/30 12:06:28.486309, 3] ssh_client_connection_callback:  session_state=3
[2023/05/30 12:06:28.486910, 2] ssh_client_connection_callback:  SSH server 
banner: SSH-1.99-OpenSSH_3.6.1p2
[2023/05/30 12:06:28.486910, 2] ssh_analyze_banner:  Analyzing banner: 
SSH-1.99-OpenSSH_3.6.1p2
[2023/05/30 12:06:28.487886, 2] ssh_analyze_banner:  We are talking to an 
OpenSSH server version: 3.6 (30600)
[2023/05/30 12:06:28.488862, 3] ssh_client_select_hostkeys:  Order of wanted host keys: 
"ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa"
[2023/05/30 12:06:28.490854, 1] ssh_known_hosts_read_entries:  Failed to open 
the known_hosts file 'C:\Users\adam/.ssh/known_hosts': No such file or directory
[2023/05/30 12:06:28.490854, 1] ssh_known_hosts_read_entries:  Failed to open 
the known_hosts file '/etc/ssh/ssh_known_hosts': No such file or directory
[2023/05/30 12:06:28.495720, 3] ssh_client_select_hostkeys:  No key found in known_hosts; 
changing host key method to 
"ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa"
[2023/05/30 12:06:28.495720, 4] ssh_send_kex:  Sending KEXINIT packet, 
first_kex_packet_follows = 0
[2023/05/30 12:06:28.496670, 4] ssh_list_kex:  kex algos: 
curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1,ext-info-c
[2023/05/30 12:06:28.496670, 4] ssh_list_kex:  server host key algo: 
ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
[2023/05/30 12:06:28.497646, 4] ssh_list_kex:  encryption client->server: 
aes256-...@openssh.com,aes128-...@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc
[2023/05/30 12:06:28.497646, 4] ssh_list_kex:  encryption server->client: 
chacha20-poly1...@openssh.com,aes256-...@openssh.com,aes128-...@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,
[2023/05/30 12:06:28.498621, 4] ssh_list_kex:  mac algo client->server: 
hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha1-...@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-sha1
[2023/05/30 12:06:28.498621, 4] ssh_list_kex:  mac algo server->client: 
hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha2-256,hmac-sha2-512
[2023/05/30 12:06:28.503515, 4] ssh_list_kex:  compression algo client->server: 
none,z...@openssh.com
[2023/05/30 12:06:28.503515, 4] ssh_list_kex:  compression algo server->client: 
none,z...@openssh.com
[2023/05/30 12:06:28.504482, 4] ssh_list_kex:  languages client->server:
[2023/05/30 12:06:28.504482, 4] ssh_list_kex:  languages server->client:
[2023/05/30 12:06:28.505454, 3] ssh_socket_unbuffered_write:  Enabling POLLOUT 
for socket
[2023/05/30 12:06:28.505454, 4] ssh_socket_unbuffered_write:  wrote 936
[2023/05/30 12:06:28.506430, 3] packet_send2:  packet: wrote [type=20, len=932, 
padding_size=11, comp=920, payload=920]
[2023/05/30 12:06:28.506430, 3] ssh_send_kex:  SSH_MSG_KEXINIT sent
[2023/05/30 12:06:28.507406, 3] ssh_connect:  current state : 4
[2023/05/30 12:06:28.507406, 4] ssh_socket_pollcallback:  Poll callback on 
socket 296 (POLLOUT ), out buffer 0
[2023/05/30 12:06:28.507406, 4] ssh_socket_pollcallback:  sending control flow 
event
[2023/05/30 12:06:28.508382, 4] ssh_packet_socket_controlflow_callback:  
sending channel_write_wontblock callback
[2023/05/30 12:06:28.508382, 3] ssh_connect:  current state : 4
[2023/05/30 12:06:28.535711, 4] ssh_socket_pollcallback:  Poll callback on 
socket 296 (POLLIN ), out buffer 0
[2023/05/30 12:06:28.536686, 4] ssh_socket_unbuffered_read:  read 544
[2023/05/30 12:06:28.537664, 3] ssh_packet_socket_callback:  packet: read type 
20 [len=540,padding=9,comp=530,payload=530]
[2023/05/30 12:06:28.537664, 3] ssh_packet_process:  Dispatching handler for 
packet type 20
[2023/05/30 12:06:28.539616, 4] ssh_packet_kexinit:  KEXINIT received
[2023/05/30 12:06:28.539616, 3] ssh_client_connection_callback:  session_state=5
[2023/05/30 12:06:28.540589, 4] ssh_list_kex:  kex algos: 
diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
[2023/05/30 12:06:28.540589, 4] ssh_list_kex:  server host key algo: 
ssh-rsa,ssh-dss
[2023/05/30 12:06:28.541568, 4] ssh_list_kex:  encryption client->server: 
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-...@lysator.liu.se
[2023/05/30 12:06:28.541568, 4] ssh_list_kex:  encryption server->client: 
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-...@lysator.liu.se
[2023/05/30 12:06:28.541568, 4] ssh_list_kex:  mac algo client->server: 
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
[2023/05/30 12:06:28.542542, 4] ssh_list_kex:  mac algo server->client: 
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
[2023/05/30 12:06:28.542542, 4] ssh_list_kex:  compression algo client->server: 
none,zlib
[2023/05/30 12:06:28.542542, 4] ssh_list_kex:  compression algo server->client: 
none,zlib
[2023/05/30 12:06:28.543518, 4] ssh_list_kex:  languages client->server:
[2023/05/30 12:06:28.543518, 4] ssh_list_kex:  languages server->client:
[2023/05/30 12:06:28.544493, 1] ssh_kex_select_methods:  kex error : no match for 
method encryption server->client: server 
[aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-...@lysator.liu.se],
 client 
[chacha20-poly1...@openssh.com,aes256-...@openssh.com,aes128-...@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,]
[2023/05/30 12:06:28.544493, 3] ssh_connect:  current state : 9

-----Original Message-----
From: Jakub Jelen <jje...@redhat.com>
Sent: 29 May 2023 11:22
To: libssh@libssh.org
Subject: [EXTERNAL] Re: ssh_options_set not working?

On 5/26/23 17:17, Kerrison, Adam wrote:

Hello

I am trying to enable all supported key exchange methods, ciphers and
HMACs to handle connecting to some truly ancient servers. The setup code is:

    ssh_session session = ssh_new();

    fprintf(stderr, "SETTING KEYEX %s\n", ALL_KEYEX_METHODS);

   if(ssh_options_set(session, SSH_OPTIONS_KEY_EXCHANGE,
ALL_KEYEX_METHODS) < 0) {

     fprintf(stderr, "FAILED TO SET KEYEX\n");

     }

     fprintf(stderr, "SETTING CIPHERS %s\n", ALL_CIPHERS);

      if(ssh_options_set(session, SSH_OPTIONS_CIPHERS_C_S, ALL_CIPHERS)
<
0) {

        fprintf(stderr, "FAILED TO SET CIPHERS\n");

    }

    fprintf(stderr, "SETTING HMACS %s\n", ALL_HMACS);

    if(ssh_options_set(session, SSH_OPTIONS_HMAC_C_S, ALL_HMACS) < 0) {

      fprintf(stderr, "FAILED TO SET HMACS\n");

    }

Where the ALL_* values are constants defining all the supports things
(see below)

When I run the code my connection fails. The output is:

SETTING KEYEX
curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nist
p521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffi
e-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hel
lman-group1-sha1,diffie-hellman-group-exchange-sha1

SETTING CIPHERS
chacha20-poly1305,aes256-...@openssh.com,aes128-...@openssh.com,aes256
-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc

SETTING HMACS
hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha1-
e...@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-sha1

ERROR: failed to connect: kex error : no match for method kex algos:
server
[diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1],
client
[curve25519-sha256,curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecd
h-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha25
6,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-h
ellman-group18-sha512] (code 2)

So the ssh_options_set() calls aren’t failing but the values don’t
seem to have been applied as the client keyex list doesn’t include the
diffie-helman SHA1 methods that I set?


This API ignores any unknown algorithms, for example to avoid failing hard when 
parsing openssh configuration files. I do not think there is an API to retrieve 
the enabled algorithms, but the ssh_options_get() could be very simply extended 
to return the list of enabled algorithms for double-checking this. Feel free to 
propose the merge request!

The two algorithms supported by the server 
[diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1] are supported 
by libssh master, but they are not enabled by default in current versions. But 
using the ssh_options_set() should enable them.

The list of the algorithms you list in the outputs also differ both in content 
and order which sounds like the setting of the algorithms was not effective for 
some reason.


What am I doing wrong here?


What libssh version are you using? Can you bump the log verbosity and check the 
logs for some more information?

Regards,
--
Jakub Jelen
Crypto Team, Security Engineering
Red Hat, Inc.




--
Jakub Jelen
Crypto Team, Security Engineering
Red Hat, Inc.
























					Reply via email to