Re: SSH handshake failed: only RSA keys possible?
On Sat, Dec 23, 2017 at 10:41 PM, NTMMFTS wrote:

> It appears that libssh2 includes the aes256-cbc key exchange method
> supported by pfSense, so I modded the ssh.c code and let it compile during
> installation using hanaciamiento's guacamole install script
> (https://sourceforge.net/projects/guacamoleinstallscript/), but guacamole
> won't load at all afterwards.
>
> Here's the code and where I inserted it in ssh.c in the
> guac_common_ssh_create_session function:
>
>     /* Open SSH session */
>     // existing code
>
>     /* added preferred method for key exchange method supported by pfSense */
>     int returnval = libssh2_session_method_pref(session,
>             LIBSSH2_METHOD_CRYPT_CS, "aes256-cbc");
>     if (returnval != 0) {
>         guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
>                 "Setting session preferred key exchange method to AES256-CBC failed.");
>         free(common_session);
>         close(fd);
>         return NULL;
>     }
>
>     /* Perform handshake */
>     // existing code

First, I don't think this should be necessary to get it working if libssh2 supports that crypt method. I believe it will use any supported method without having to set it as a preferred method, no? That said, setting it as preferred should not impede the connection, either, so this should be fine.

> Anyone want to comment on this approach or try to get it working?

With guacd in debug mode (guacd -L debug), what messages do you see during the SSH connection? Also, when you say it "won't load at all with it afterwards," what does this mean? It segfaults? Or guacd runs but the connection doesn't start? Or something else?

-Nick
Re: SSH handshake failed: only RSA keys possible?
It appears that libssh2 includes the aes256-cbc key exchange method supported by pfSense, so I modded the ssh.c code and let it compile during installation using hanaciamiento's guacamole install script (https://sourceforge.net/projects/guacamoleinstallscript/), but guacamole won't load at all afterwards.

Here's the code and where I inserted it in ssh.c in the guac_common_ssh_create_session function:

    /* Open SSH session */
    // existing code

    /* added preferred method for key exchange method supported by pfSense */
    int returnval = libssh2_session_method_pref(session,
            LIBSSH2_METHOD_CRYPT_CS, "aes256-cbc");
    if (returnval != 0) {
        guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
                "Setting session preferred key exchange method to AES256-CBC failed.");
        free(common_session);
        close(fd);
        return NULL;
    }

    /* Perform handshake */
    // existing code

Anyone want to comment on this approach or try to get it working?

Thanks!
Jay L

--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
Re: SSH handshake failed: only RSA keys possible?
Hello Nick,

thanks for the clarification! So libssl2 is to blame - seems to be a little antiquated...

Thanks for the proposal to add some documentation. I would suggest the description of the parameter "private-key":

- a reference to libssl2
- Maybe you could also write that the private key has to be pasted as text. Many people believe that a filename has to be given.

TIA,
Flittermice
SSH handshake failed: only RSA keys possible?
I'm using version 0.9.13. My goal was to make a SSH connection to a host using my existing ed25519 keys. But I permanently got "SSH handshake failed" in guacd. So I have spent many hours of searching for the reason.

Finally it turned out that it is only possible to use RSA keys:

1. ECDSA and Ed25519 private keys will not work because Guacamole won't be able to recognize the key format.
2. I configured my server to send an Ed25519 host key. This was the reason for the "SSH handshake failed" errors.

Switching back to RSA keys solved the problem for me.

Should this behaviour be documented? Or should the new key types be implemented? Or am I missing something?

Thanks!
Flittermice
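Added example, not part of the thread and not Guacamole or libssh2 code: a pre-flight check that reports the key type of the text about to be pasted into the "private-key" parameter, since the thread found that only RSA keys worked with 0.9.13 and that the parameter takes the key text, not a file name. The function names and the header-only sample key are constructed for this illustration.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\0"
PEM_LABELS = {"RSA PRIVATE KEY": "ssh-rsa", "DSA PRIVATE KEY": "ssh-dss",
              "EC PRIVATE KEY": "ecdsa"}  # legacy labels name the algorithm (curve not shown)

def _read_string(buf, off):
    """Read one SSH wire string (uint32 length + bytes); return (bytes, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n

def key_type(pem_text):
    """Return the algorithm of a pasted private key; ValueError if unparseable."""
    lines = [l.strip() for l in pem_text.splitlines() if l.strip()]
    if len(lines) < 3 or not (lines[0].startswith("-----BEGIN ") and lines[0].endswith("-----")):
        raise ValueError("not PEM text (was a file name pasted instead of the key?)")
    label = lines[0][len("-----BEGIN "):-5]
    if label in PEM_LABELS:
        return PEM_LABELS[label]
    if label != "OPENSSH PRIVATE KEY":
        raise ValueError("unrecognised PEM label: " + label)
    blob = base64.b64decode("".join(lines[1:-1]), validate=True)
    if not blob.startswith(MAGIC):
        raise ValueError("bad openssh-key-v1 magic")
    off = len(MAGIC)
    for _ in range(3):                  # skip ciphername, kdfname, kdfoptions
        _, off = _read_string(blob, off)
    off += 4                            # skip uint32 key count
    pub, _ = _read_string(blob, off)    # first public-key blob
    name, _ = _read_string(pub, 0)      # its first string is the key type
    return name.decode("ascii")

def _s(b):
    return struct.pack(">I", len(b)) + b

def constructed_sample(alg=b"ssh-ed25519"):
    """Constructed header-only blob for the demo: no private section, not a real key."""
    pub = _s(alg) + _s(bytes(32))
    blob = MAGIC + _s(b"none") + _s(b"none") + _s(b"") + struct.pack(">I", 1) + _s(pub)
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

if __name__ == "__main__":
    print(key_type(constructed_sample()))
```

Any result other than "ssh-rsa" matches the private-key case described in point 1 above; the host key type the server offers (point 2) is a separate check on the server side.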