Re: SSH handshake failed: only RSA keys possible?

2017-12-24 Thread Nick Couchman
On Sat, Dec 23, 2017 at 10:41 PM, NTMMFTS wrote:

> It appears that libssh2 includes the aes256-cbc key exchange method
> supported
> by pfSense, so I modded the ssh.c code and let it compile during
> installation using hanaciamiento's guacamole install script
> (https://sourceforge.net/projects/guacamoleinstallscript/), but guacamole
> won't load at all afterwards.
>
> Here's the code and where I inserted it in ssh.c in the
> guac_common_ssh_create_session function:
>
> /* Open SSH session */
> // existing code
>
> /* added preferred method for key exchange method supported by pfSense */
> /* LIBSSH2_METHOD_CRYPT_CS is the client-to-server cipher preference;
>  * libssh2_session_method_pref() returns 0 on success */
> int returnval = libssh2_session_method_pref(session,
>         LIBSSH2_METHOD_CRYPT_CS, "aes256-cbc");
> if (returnval != 0) {
>     guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
>             "Setting session preferred key exchange method to "
>             "AES256-CBC failed.");
>     free(common_session);
>     close(fd);
>     return NULL;
> }
>
> /* Perform handshake */
> // existing code
>

First, I don't think this should be necessary to get it working if libssh2
supports that crypt method.  I believe it will use any supported method
without having to set it as a preferred method, no?  That said, setting it
as preferred should not impede the connection, either, so this should be
fine.


>
> Anyone want to comment on this approach or try to get it working?
>

With guacd in debug mode (guacd -L debug), what messages do you see during
the SSH connection?  Also, when you say it "won't load at all with it
afterwards," what does this mean?  It segfaults?  Or guacd runs but the
connection doesn't start?  Or something else?

-Nick


Re: SSH handshake failed: only RSA keys possible?

2017-12-23 Thread NTMMFTS
It appears that libssh2 includes the aes256-cbc key exchange method supported
by pfSense, so I modded the ssh.c code and let it compile during
installation using hanaciamiento's guacamole install script
(https://sourceforge.net/projects/guacamoleinstallscript/), but guacamole
won't load at all afterwards.

Here's the code and where I inserted it in ssh.c in the
guac_common_ssh_create_session function:

/* Open SSH session */
// existing code

/* added preferred method for key exchange method supported by pfSense */
/* LIBSSH2_METHOD_CRYPT_CS is the client-to-server cipher preference;
 * libssh2_session_method_pref() returns 0 on success */
int returnval = libssh2_session_method_pref(session,
        LIBSSH2_METHOD_CRYPT_CS, "aes256-cbc");
if (returnval != 0) {
    guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
            "Setting session preferred key exchange method to "
            "AES256-CBC failed.");
    free(common_session);
    close(fd);
    return NULL;
}

/* Perform handshake */
// existing code

Anyone want to comment on this approach or try to get it working?

Thanks!

Jay L 



--
Sent from: 
http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/


Re: SSH handshake failed: only RSA keys possible?

2017-11-23 Thread flittermice
Hello Nick,

thanks for the clarification! So libssh2 is to blame - seems to be a little
antiquated...

Thanks for the proposal to add some documentation. 
I would suggest adding to the description of the parameter "private-key":
- a reference to libssh2
- Maybe you could also write that the private key has to be pasted as text.
Many people believe that a filename has to be given.

TIA,
Flittermice





SSH handshake failed: only RSA keys possible?

2017-11-22 Thread flittermice
I'm using version 0.9.13. My goal was to make an SSH connection to a host
using my existing ed25519 keys. But I permanently got "SSH handshake failed"
in guacd.

So I have spent many hours of searching for the reason. Finally it turned
out that it is only possible to use RSA keys:
1. ECDSA and Ed25519 private keys will not work because Guacamole won't be
able to recognize the key format.
2. I configured my server to send an Ed25519 host key. This was the reason
for the "SSH handshake failed" errors.

Switching back to RSA keys solved the problem for me.

Should this behaviour be documented? Or should the new key types be
implemented? 
Or am I missing something? 

Thanks!
Flittermice



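flittermice reports above that ECDSA and Ed25519 private keys are not recognised, and suggests in the later reply that the "private-key" parameter takes the key text rather than a filename. As an added diagnostic (not code from this thread or from Guacamole), the script below reads what was pasted: PEM keys are identified from their header label, and for the OpenSSH container it decodes the public-key section to name the key type (ssh-ed25519 keys are only ever written in that container). The openssh-key-v1 layout parsed here is OpenSSH's published key format; the sample key blobs are constructed inside the script and are not real keys.

```python
import base64

def _ssh_string(b: bytes) -> bytes:
    # SSH wire string: 4-byte big-endian length followed by the bytes
    return len(b).to_bytes(4, "big") + b

def _read_string(buf: bytes, off: int):
    # decode an SSH wire string at off, returning (bytes, next offset)
    n = int.from_bytes(buf[off:off + 4], "big")
    return buf[off + 4:off + 4 + n], off + 4 + n

def constructed_openssh_key(key_type: bytes) -> str:
    """Constructed sample: unencrypted openssh-key-v1 container whose public key
    section carries key_type plus 32 dummy bytes. Not a real key; only framing."""
    pub = _ssh_string(key_type) + _ssh_string(b"\x00" * 32)
    body = (b"openssh-key-v1\x00" + _ssh_string(b"none") + _ssh_string(b"none")
            + _ssh_string(b"") + (1).to_bytes(4, "big") + _ssh_string(pub)
            + _ssh_string(b""))
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

# Constructed PEM stand-in: only the header line is inspected for PEM keys.
SAMPLE_RSA_PEM = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"

def classify_private_key(text: str) -> str:
    """Report what a pasted 'private-key' value actually contains."""
    text = text.strip()
    if not text.startswith("-----BEGIN "):
        return "not-key-text: looks like a filename or path, paste the key contents"
    header = text.splitlines()[0]
    pem_labels = {"-----BEGIN RSA PRIVATE KEY-----": "rsa (PEM)",
                  "-----BEGIN EC PRIVATE KEY-----": "ecdsa (PEM)",
                  "-----BEGIN DSA PRIVATE KEY-----": "dsa (PEM)"}
    if header != "-----BEGIN OPENSSH PRIVATE KEY-----":
        return pem_labels.get(header, "unknown PEM label: " + header)
    body = "".join(l for l in text.splitlines()[1:] if not l.startswith("-----"))
    blob = base64.b64decode(body)
    magic = b"openssh-key-v1\x00"
    if not blob.startswith(magic):
        return "openssh container with bad magic"
    off = len(magic)
    for _ in range(3):                  # ciphername, kdfname, kdfoptions
        _, off = _read_string(blob, off)
    off += 4                            # number of keys
    pub, _ = _read_string(blob, off)    # first public key blob
    key_type, _ = _read_string(pub, 0)  # e.g. b"ssh-ed25519"
    return key_type.decode() + " (openssh-key-v1)"
```

Run classify_private_key() on the exact text you intend to paste into the connection's "private-key" field; anything other than "rsa (PEM)" points at the key-format problem described in this thread rather than at the server.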