Re: [SUPPORT REQUEST] Configuration of libssh host key algos on client

2020-05-27 Thread Andreas Schneider
On Wednesday, 27 May 2020 08:58:57 CEST Sebastian Kraust wrote:
> Hello,
> 
> thanks for your help. Re-enabling the ssh-rsa via your command works like a
> charm. I will definitely try to update the server as soon as I can,
> though.
 
> Thanks for the support! This issue is resolved.


FYI:

Future deprecation notice
=========================

It is now possible[1] to perform chosen-prefix attacks against the
SHA-1 hash algorithm for less than USD$50K. For this reason, we will
be disabling the "ssh-rsa" public key signature algorithm that depends
on SHA-1 by default in a near-future release.

https://www.openssh.com/txt/release-8.2


-- 
Andreas Schneider a...@cryptomilk.org
GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D





Re: [SUPPORT REQUEST] Configuration of libssh host key algos on client

2020-05-25 Thread Jakub Jelen
On Mon, 2020-05-25 at 15:52 +, Sebastian Kraust wrote:
> Hello libssh-team,
> 
> I am currently working on a project using libssh under the hood, but
> have problems to get it to work. I hope you can provide some help.
> 
> Task
> Write a client for an existing server which cannot be
> changed/configured by me.
> 
> Approach
> Connect to the server using the function `ssh_connect`.
> 
> Error
> kex error : no match for method server host key algo: server [ssh-
> rsa], client [ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-
> nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256]
> 
> Problem
> Due to the restriction that I can only change the client side, I have
> to change the client so that it accepts the ssh-rsa algo.
> According to the docs, it should be capable of doing so.
> 
> Troubleshooting so far
> Added
> PubkeyAcceptedKeyTypes ssh-ed25519*,ssh-rsa*,ssh-dss*,ecdsa-sha2
> to /etc/ssh/sshd_config to allow every algo on the client side.
> 
> I still get the same error. I do believe that the config might not be
> the correct file to configure libssh.
> 
> Can you give me some direction where I have to configure libssh so
> that the client also accepts the ssh-rsa algorithm? If you need more
> information, please let me know.

The server is configured to accept only secure algorithms (eddsa, ecdsa
and rsa with sha2 -- rsa-sha2-512,rsa-sha2-256). You probably
configured your client to use only the old (ssh-rsa), which is not
compatible with the new ones (and not considered secure anymore).

If you need some backward compatibility with old server, append the
SHA2 (rsa-sha2-512,rsa-sha2-256) algorithms, otherwise use only them.

Regards,
Jakub

> Thanks for your help in advance.
> 
> 
> Mit freundlichen Grüßen / Best regards
> 
> i.A. Sebastian Kraust
> Forschungsingenieur / Research Engineer
> 
> b-plus GmbH
> Osterhofener Str. 13 | 93055 Regensburg
> Tel +49 941 46624 208 | Fax +49 991 270302 99
> sebastian.kra...@b-plus.com
> 
-- 
Jakub Jelen
Senior Software Engineer
Security Technologies
Red Hat, Inc.




Re: [SUPPORT REQUEST] Configuration of libssh host key algos on client

2020-05-25 Thread Anderson Sasaki



----- Original Message -----
> From: "Sebastian Kraust" 
> To: libssh@libssh.org
> Sent: Monday, May 25, 2020 5:52:15 PM
> Subject: [SUPPORT REQUEST] Configuration of libssh host key algos on client
> 
> Hello libssh-team,
> 
> I am currently working on a project using libssh under the hood, but have
> problems to get it to work. I hope you can provide some help.
> 
> Task
> Write a client for an existing server which cannot be changed/configured by
> me.
> 
> Approach
> Connect to the server using the function `ssh_connect`.
> 
> Error
> kex error : no match for method server host key algo: server [ssh-rsa],
> client
> [ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256]
> 
> Problem
> Due to the restriction that I can only change the client side, I have to
> change the client so that it accepts the ssh-rsa algo.
> According to the docs, it should be capable of doing so.
> 
> Troubleshooting so far
> Added
> PubkeyAcceptedKeyTypes ssh-ed25519*,ssh-rsa*,ssh-dss*,ecdsa-sha2
> to /etc/ssh/sshd_config to allow every algo on the client side.
> 
> I still get the same error. I do believe that the config might not be the
> correct file to configure libssh.
> 
> Can you give me some direction where I have to configure libssh so that the
> client also accepts the ssh-rsa algorithm? If you need more information,
> please let me know.

Hello,

Have you tried to add the configuration locally at user's ~/.ssh/config file?

Regards,
Anderson