I managed to get the pipeline to run but the existing merge was still blocked, 
so I cancelled it and created another. Hopefully that works and the code is ok!

Definitely a learning curve for new users

-----Original Message-----
From: Jakub Jelen <jje...@redhat.com> 
Sent: 31 May 2023 16:02
To: libssh@libssh.org
Subject: Re: [EXTERNAL] Re: ssh_options_set not working?

On 5/31/23 14:49, Kerrison, Adam wrote:
> Well I've forked it and tried to create a merge but after asking for 
> my credit card (really!?) gitlab thinks I am a robot. I've given up for 
> now, I don't have enough time to fight it. Maybe I will look at it 
> again later

I see your merge request, but only one commit from that. Looks like you either 
deleted your fork or made it private?

https://gitlab.com/libssh/libssh-mirror/-/merge_requests/378

For this you should be able to work without verifying your account with your 
credit card, but I have had an account for years so I am not sure about the process.

The other option is to send the patches here to the mailing list, if it would 
be more comfortable for you.

> Gitlab seems a hell of a lot more work than github ... sigh

Unfortunately, it looks like that is the case for new users.

Jakub

> -----Original Message-----
> From: Jakub Jelen <jje...@redhat.com>
> Sent: 31 May 2023 11:59
> To: libssh@libssh.org
> Subject: Re: [EXTERNAL] Re: ssh_options_set not working?
> 
> On 5/30/23 17:25, Kerrison, Adam wrote:
>> I've made it work 😊  I need to set the server to client options, not the 
>> client to server ones (obviously). It's a bit fiddly as there is no way for 
>> code to get the list of supported and default methods. I found functions to do 
>> this in kex.c but these symbols aren't exposed in the .so/DLL, not sure how 
>> to do that.
> 
> Good to hear that! Yeah, there can be different lists for different 
> directions for ciphers and hmacs, but in most of the cases it really makes 
> sense to set both of the directions to the same algorithms (wondering if we 
> should not have an API (without the _C_S/_S_C suffixes) to set both of them 
> to avoid such confusion).
> 
>> I've created a git clone and added my ssh_options_get() changes to 
>> branch - how do I create a PR? When I try to push I get a 403. I 
>> might have some other little changes too so being able to push would 
>> be handy
> 
> You will need to fork the repository on gitlab and push to your fork and then 
> open a merge request (the same as pull request on github) against the main 
> repository:
> 
> https://gitlab.com/libssh/libssh-mirror
> 
> Regards,
> Jakub
> 
>> Thanks
>>
>> Adam
>>
>> -----Original Message-----
>> From: Kerrison, Adam
>> Sent: 30 May 2023 12:11
>> To: libssh@libssh.org
>> Subject: RE: [EXTERNAL] Re: ssh_options_set not working?
>>
>> I am using libssh 0.10.5 on Windows. I've confirmed it was built with 
>> WITH_GEX=1 (that’s the default and we've turned it off). I've added verbose 
>> logging at the function level (see below) and tried also setting 
>> SSH_OPTIONS_HOSTKEYS too.
>>
>> I also tried implementing support for these options in ssh_options_get() 
>> which works but the values are initialized to NULL and the existing code 
>> treats that as an error ☹ My code works to retrieve the value after it has 
>> been set with ssh_options_set() (you can see that in the log as NEW KEYEX). 
>> I don't know where the values in the session struct would actually get set 
>> to handle the initial NULL value.
>>
>> Here is the log:
>>
>> SETTING KEYEX
>> curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
>> NEW KEYEX =
>> curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
>> SETTING CIPHERS
>> chacha20-poly1305,aes256-...@openssh.com,aes128-...@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc
>> SETTING HMACS
>> hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha1-e...@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-sha1
>> SETTING HOST_KEYS
>> ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
>> [2023/05/30 12:06:28.416222, 2] ssh_connect:  libssh 0.10.5 (c)
>> 2003-2023 Aris Adamantiadis, Andreas Schneider and libssh 
>> contributors. Distributed under the LGPL, please refer to COPYING 
>> file for information about your rights, using threading 
>> threads_winlock
>> [2023/05/30 12:06:28.416222, 3] getai:  host 10.49.32.30 matches an 
>> IP address
>> [2023/05/30 12:06:28.417199, 2] ssh_socket_connect:  Nonblocking 
>> connection socket: 296
>> [2023/05/30 12:06:28.423080, 2] ssh_connect:  Socket connecting, now 
>> waiting for the callbacks to work
>> [2023/05/30 12:06:28.423080, 3] ssh_connect:  current state : 1
>> [2023/05/30 12:06:28.447504, 4] ssh_socket_pollcallback:  Poll 
>> callback on socket 296 (POLLOUT ), out buffer 0
>> [2023/05/30 12:06:28.447504, 3] ssh_socket_pollcallback:  Received 
>> POLLOUT in connecting state
>> [2023/05/30 12:06:28.448483, 1] socket_callback_connected:  Socket 
>> connection callback: 1 (0)
>> [2023/05/30 12:06:28.455678, 3] ssh_client_connection_callback:
>> session_state=2
>> [2023/05/30 12:06:28.456656, 3] ssh_socket_unbuffered_write:  
>> Enabling POLLOUT for socket
>> [2023/05/30 12:06:28.458607, 4] ssh_socket_unbuffered_write:  wrote 
>> 23
>> [2023/05/30 12:06:28.458607, 3] ssh_connect:  current state : 2
>> [2023/05/30 12:06:28.463486, 4] ssh_socket_pollcallback:  Poll 
>> callback on socket 296 (POLLOUT ), out buffer 0
>> [2023/05/30 12:06:28.463486, 3] ssh_connect:  current state : 2
>> [2023/05/30 12:06:28.479142, 4] ssh_socket_pollcallback:  Poll 
>> callback on socket 296 (POLLIN ), out buffer 0
>> [2023/05/30 12:06:28.480078, 4] ssh_socket_unbuffered_read:  read 25
>> [2023/05/30 12:06:28.480078, 3] callback_receive_banner:  Received
>> banner: SSH-1.99-OpenSSH_3.6.1p2
>> [2023/05/30 12:06:28.486309, 3] ssh_client_connection_callback:
>> session_state=3
>> [2023/05/30 12:06:28.486910, 2] ssh_client_connection_callback:  SSH 
>> server banner: SSH-1.99-OpenSSH_3.6.1p2
>> [2023/05/30 12:06:28.486910, 2] ssh_analyze_banner:  Analyzing banner:
>> SSH-1.99-OpenSSH_3.6.1p2
>> [2023/05/30 12:06:28.487886, 2] ssh_analyze_banner:  We are talking 
>> to an OpenSSH server version: 3.6 (30600)
>> [2023/05/30 12:06:28.488862, 3] ssh_client_select_hostkeys:  Order of wanted 
>> host keys: 
>> "ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa"
>> [2023/05/30 12:06:28.490854, 1] ssh_known_hosts_read_entries:  Failed 
>> to open the known_hosts file 'C:\Users\adam/.ssh/known_hosts': No 
>> such file or directory
>> [2023/05/30 12:06:28.490854, 1] ssh_known_hosts_read_entries:  Failed 
>> to open the known_hosts file '/etc/ssh/ssh_known_hosts': No such file 
>> or directory
>> [2023/05/30 12:06:28.495720, 3] ssh_client_select_hostkeys:  No key found in 
>> known_hosts; changing host key method to 
>> "ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa"
>> [2023/05/30 12:06:28.495720, 4] ssh_send_kex:  Sending KEXINIT 
>> packet, first_kex_packet_follows = 0
>> [2023/05/30 12:06:28.496670, 4] ssh_list_kex:  kex algos:
>> curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1,ext-info-c
>> [2023/05/30 12:06:28.496670, 4] ssh_list_kex:  server host key algo:
>> ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
>> [2023/05/30 12:06:28.497646, 4] ssh_list_kex:  encryption
>> client->server:
>> aes256-...@openssh.com,aes128-...@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc
>> [2023/05/30 12:06:28.497646, 4] ssh_list_kex:  encryption
>> server->client:
>> chacha20-poly1...@openssh.com,aes256-...@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,
>> [2023/05/30 12:06:28.498621, 4] ssh_list_kex:  mac algo
>> client->server:
>> hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha1-e...@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-sha1
>> [2023/05/30 12:06:28.498621, 4] ssh_list_kex:  mac algo
>> server->client:
>> hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha2-256,hmac-sha2-512
>> [2023/05/30 12:06:28.503515, 4] ssh_list_kex:  compression algo
>> client->server: none,z...@openssh.com
>> [2023/05/30 12:06:28.503515, 4] ssh_list_kex:  compression algo
>> server->client: none,z...@openssh.com
>> [2023/05/30 12:06:28.504482, 4] ssh_list_kex:  languages client->server:
>> [2023/05/30 12:06:28.504482, 4] ssh_list_kex:  languages server->client:
>> [2023/05/30 12:06:28.505454, 3] ssh_socket_unbuffered_write:  
>> Enabling POLLOUT for socket
>> [2023/05/30 12:06:28.505454, 4] ssh_socket_unbuffered_write:  wrote
>> 936
>> [2023/05/30 12:06:28.506430, 3] packet_send2:  packet: wrote 
>> [type=20, len=932, padding_size=11, comp=920, payload=920]
>> [2023/05/30 12:06:28.506430, 3] ssh_send_kex:  SSH_MSG_KEXINIT sent
>> [2023/05/30 12:06:28.507406, 3] ssh_connect:  current state : 4
>> [2023/05/30 12:06:28.507406, 4] ssh_socket_pollcallback:  Poll 
>> callback on socket 296 (POLLOUT ), out buffer 0
>> [2023/05/30 12:06:28.507406, 4] ssh_socket_pollcallback:  sending 
>> control flow event
>> [2023/05/30 12:06:28.508382, 4]
>> ssh_packet_socket_controlflow_callback:  sending 
>> channel_write_wontblock callback
>> [2023/05/30 12:06:28.508382, 3] ssh_connect:  current state : 4
>> [2023/05/30 12:06:28.535711, 4] ssh_socket_pollcallback:  Poll 
>> callback on socket 296 (POLLIN ), out buffer 0
>> [2023/05/30 12:06:28.536686, 4] ssh_socket_unbuffered_read:  read 544
>> [2023/05/30 12:06:28.537664, 3] ssh_packet_socket_callback:  packet:
>> read type 20 [len=540,padding=9,comp=530,payload=530]
>> [2023/05/30 12:06:28.537664, 3] ssh_packet_process:  Dispatching 
>> handler for packet type 20
>> [2023/05/30 12:06:28.539616, 4] ssh_packet_kexinit:  KEXINIT received
>> [2023/05/30 12:06:28.539616, 3] ssh_client_connection_callback:
>> session_state=5
>> [2023/05/30 12:06:28.540589, 4] ssh_list_kex:  kex algos:
>> diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
>> [2023/05/30 12:06:28.540589, 4] ssh_list_kex:  server host key algo:
>> ssh-rsa,ssh-dss
>> [2023/05/30 12:06:28.541568, 4] ssh_list_kex:  encryption
>> client->server:
>> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-...@lysator.liu.se
>> [2023/05/30 12:06:28.541568, 4] ssh_list_kex:  encryption
>> server->client:
>> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-...@lysator.liu.se
>> [2023/05/30 12:06:28.541568, 4] ssh_list_kex:  mac algo
>> client->server:
>> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
>> [2023/05/30 12:06:28.542542, 4] ssh_list_kex:  mac algo
>> server->client:
>> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
>> [2023/05/30 12:06:28.542542, 4] ssh_list_kex:  compression algo
>> client->server: none,zlib
>> [2023/05/30 12:06:28.542542, 4] ssh_list_kex:  compression algo
>> server->client: none,zlib
>> [2023/05/30 12:06:28.543518, 4] ssh_list_kex:  languages client->server:
>> [2023/05/30 12:06:28.543518, 4] ssh_list_kex:  languages server->client:
>> [2023/05/30 12:06:28.544493, 1] ssh_kex_select_methods:  kex error :
>> no match for method encryption server->client: server
>> [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-...@lysator.liu.se], client 
>> [chacha20-poly1...@openssh.com,aes256-...@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,]
>> [2023/05/30 12:06:28.544493, 3] ssh_connect:  current state : 9
>>
>> -----Original Message-----
>> From: Jakub Jelen <jje...@redhat.com>
>> Sent: 29 May 2023 11:22
>> To: libssh@libssh.org
>> Subject: [EXTERNAL] Re: ssh_options_set not working?
>>
>> On 5/26/23 17:17, Kerrison, Adam wrote:
>>> Hello
>>>
>>> I am trying to enable all supported key exchange methods, ciphers 
>>> and HMACs to handle connecting to some truly ancient servers. The setup 
>>> code is:
>>>
>>>      ssh_session session = ssh_new();
>>>
>>>      fprintf(stderr, "SETTING KEYEX %s\n", ALL_KEYEX_METHODS);
>>>      if (ssh_options_set(session, SSH_OPTIONS_KEY_EXCHANGE, ALL_KEYEX_METHODS) < 0) {
>>>          fprintf(stderr, "FAILED TO SET KEYEX\n");
>>>      }
>>>
>>>      fprintf(stderr, "SETTING CIPHERS %s\n", ALL_CIPHERS);
>>>      if (ssh_options_set(session, SSH_OPTIONS_CIPHERS_C_S, ALL_CIPHERS) < 0) {
>>>          fprintf(stderr, "FAILED TO SET CIPHERS\n");
>>>      }
>>>
>>>      fprintf(stderr, "SETTING HMACS %s\n", ALL_HMACS);
>>>      if (ssh_options_set(session, SSH_OPTIONS_HMAC_C_S, ALL_HMACS) < 0) {
>>>          fprintf(stderr, "FAILED TO SET HMACS\n");
>>>      }
>>>
>>> Where the ALL_* values are constants defining all the supported 
>>> things (see below)
>>>
>>> When I run the code my connection fails. The output is:
>>>
>>> SETTING KEYEX
>>> curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
>>>
>>> SETTING CIPHERS
>>> chacha20-poly1305,aes256-...@openssh.com,aes128-...@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc
>>>
>>> SETTING HMACS
>>> hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha1-e...@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-sha1
>>>
>>> ERROR: failed to connect: kex error : no match for method kex algos:
>>> server [diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1],
>>> client [curve25519-sha256,curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512] (code 2)
>>>
>>> So the ssh_options_set() calls aren’t failing but the values don’t 
>>> seem to have been applied as the client keyex list doesn’t include 
>>> the diffie-helman SHA1 methods that I set?
>>
>> This API ignores any unknown algorithms, for example to avoid failing hard 
>> when parsing openssh configuration files. I do not think there is an API to 
>> retrieve the enabled algorithms, but the ssh_options_get() could be very 
>> simply extended to return the list of enabled algorithms for double-checking 
>> this. Feel free to propose the merge request!
>>
>> The two algorithms supported by the server 
>> [diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1] are 
>> supported by libssh master, but they are not enabled by default in current 
>> versions. But using the ssh_options_set() should enable them.
>>
>> The lists of algorithms you show in the outputs also differ both in 
>> content and order, which sounds like the setting of the algorithms was not 
>> effective for some reason.
>>
>>> What am I doing wrong here?
>>
>> What libssh version are you using? Can you bump the log verbosity and check 
>> the logs for some more information?
>>
>> Regards,
>> --
>> Jakub Jelen
>> Crypto Team, Security Engineering
>> Red Hat, Inc.
>>
>>
> 
> --
> Jakub Jelen
> Crypto Team, Security Engineering
> Red Hat, Inc.
> 
> 

--
Jakub Jelen
Crypto Team, Security Engineering
Red Hat, Inc.
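The negotiation recorded in the log above, modelled as an added Python example (not code from the thread or from libssh): it reproduces why extending only the `_C_S` options fails at "encryption server->client" against the old server, and why setting both directions succeeds. The server and client lists are constructed from the log with the archive-masked `...@openssh.com` names spelled out; `negotiate`, `negotiate_session` and `client_config` are hypothetical helpers.

```python
# SSH algorithm negotiation (RFC 4253 section 7.1) run over lists modelled on
# the log in this thread; all data here is constructed, with the names the
# archive masks as "...@openssh.com" spelled out in full.

# What the OpenSSH 3.6 server in the log advertised.
SERVER = {
    "kex": "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1",
    "hostkey": "ssh-rsa,ssh-dss",
    "enc_c2s": "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc",
    "enc_s2c": "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc",
    "mac_c2s": "hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96",
    "mac_s2c": "hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96",
}
# libssh defaults (as logged) and the extended lists the thread's code set.
DEFAULT_ENC = ("chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,"
               "aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr")
ALL_ENC = DEFAULT_ENC + ",aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc"
DEFAULT_MAC = "hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256"
ALL_MAC = DEFAULT_MAC + ",hmac-sha1"
ALL_KEX = ("curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha1,"
           "diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1")
HOSTKEYS = "ssh-ed25519,rsa-sha2-512,ssh-rsa"
# Order in which the methods are checked: kex, host key, then per direction.
ORDER = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c"]


def negotiate(client, server):
    """First client preference the server also offers, or None (RFC 4253 7.1)."""
    offered = set(server.split(","))
    return next((a for a in client.split(",") if a in offered), None)


def negotiate_session(client):
    """Negotiate every method in ORDER; stop at the first one with no common
    algorithm and name it, as 'no match for method encryption server->client'
    does in the log. Returns (chosen, failed_method_or_None)."""
    chosen = {}
    for method in ORDER:
        picked = negotiate(client[method], SERVER[method])
        if picked is None:
            return chosen, method
        chosen[method] = picked
    return chosen, None


def client_config(both):
    """Client lists as the thread's code produced them: with both=False only
    the *_C_S options are extended and server->client keeps libssh's defaults."""
    return {"kex": ALL_KEX, "hostkey": HOSTKEYS,
            "enc_c2s": ALL_ENC, "enc_s2c": ALL_ENC if both else DEFAULT_ENC,
            "mac_c2s": ALL_MAC, "mac_s2c": ALL_MAC if both else DEFAULT_MAC}
```

`negotiate_session(client_config(False))` stops with `"enc_s2c"` as the failed method after kex, host key and client->server encryption have already been agreed, which is exactly the point the log reaches; `negotiate_session(client_config(True))` completes with CBC and hmac-sha1 chosen in both directions.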

