On Wed, Jun 7, 2023 at 10:52 AM Brad Turnbough
<[email protected]> wrote:
>
> All,
>
> It appears I've been able to make it work (albeit a bit less secure...)
>
> Doing a bit of digging on the ESXi side....
> 2023-06-07T14:43:03.793Z sshd[2124552]: FIPS mode initialized
> 2023-06-07T14:43:03.793Z sshd[2124552]: Connection from X.Y.Z.A port 52678
> 2023-06-07T14:43:03.796Z sshd[2124552]: Unable to negotiate with X.Y.Z.A port 
> 52678: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
>
>
> On ESXi 7 hosts, you may need to edit /etc/ssh/sshd_config
>
> In my case, I needed to add ssh-rsa to HostKeyAlgorithms.
>
> I then restarted the SSH service:
> /etc/init.d/SSH restart
>
>
> Notes:  By default (to my knowledge).... the settings of ESXi7 hosts are:
>
> HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512
>
>
> Are there any plans to support more secure HostKeyAlgorithms?
>

This is dependent on the libssh2 version, which is why I was asking
about that. Guacamole doesn't control the host key algorithms, it
depends on the underlying libssh2 library to support it, so you'll
need to upgrade that library.

My CentOS 7 system had 1.8.0 installed, similar to your Ubuntu 20
system, and I ended up just downloading the latest libssh2 (1.11.0)
and compiling it, then recompiling guacd and pointing it at the
install path of the new libssh2 version. It seems to work fine with
that change.

Alternatively you can run a different Linux distro for guacd that has
the later libssh2 version already available - I would imagine later
versions of Ubuntu have a later version, and I know RHEL/CentOS/Rocky
8 do, as well.

-Nick
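As an added illustration of the negotiation failure in the quoted sshd log (not code from either poster or from Guacamole), the following checks a client's offered host key algorithms against a server's HostKeyAlgorithms list and flags when the only way to connect would be to enable a legacy algorithm such as ssh-rsa. The sample log line and the ESXi 7 default list are taken from the thread; the function names are my own.

```python
import re
from typing import Optional

# sshd log line quoted in the thread (peer address already anonymised there)
SAMPLE_LOG = (
    "2023-06-07T14:43:03.796Z sshd[2124552]: Unable to negotiate with X.Y.Z.A port "
    "52678: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]"
)

# ESXi 7 default HostKeyAlgorithms as stated in the thread
ESXI7_DEFAULT = ("ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,"
                 "rsa-sha2-256,rsa-sha2-512")

# Host key algorithms that depend on SHA-1 or DSA; enabling them weakens the server
LEGACY = {"ssh-rsa": "RSA with SHA-1 signatures", "ssh-dss": "DSA with SHA-1"}

OFFER_RE = re.compile(r"no matching host key type found\. Their offer: (\S+)")


def parse_offer(line: str) -> Optional[list]:
    """Extract the client's offered host key algorithms from an sshd log line."""
    m = OFFER_RE.search(line)
    return m.group(1).split(",") if m else None


def negotiate(server_algs: str, client_offer: list) -> Optional[str]:
    """SSH picks the first algorithm in the client's order that the server also lists."""
    server = set(server_algs.split(","))
    return next((alg for alg in client_offer if alg in server), None)


def assess(server_algs: str, line: str) -> dict:
    """Explain a failed negotiation: is a legacy algorithm the only thing that would match?"""
    offer = parse_offer(line)
    if offer is None:
        return {"matched": None, "offer": [], "legacy_only": False, "verdict": "not a host key failure"}
    chosen = negotiate(server_algs, offer)
    if chosen:
        return {"matched": chosen, "offer": offer, "legacy_only": False, "verdict": "ok"}
    legacy_only = all(alg in LEGACY for alg in offer)
    verdict = ("client offers only legacy host key algorithms; upgrade the client's SSH "
               "library (libssh2 here) rather than adding ssh-rsa on the server"
               if legacy_only else "no overlap between client offer and server list")
    return {"matched": None, "offer": offer, "legacy_only": legacy_only, "verdict": verdict}


if __name__ == "__main__":
    print(assess(ESXI7_DEFAULT, SAMPLE_LOG))
    # Adding ssh-rsa on the server makes it connect, but with SHA-1 signatures
    print(negotiate(ESXI7_DEFAULT + ",ssh-rsa", ["ssh-rsa", "ssh-dss"]))
```

A client whose library supports rsa-sha2-256 or rsa-sha2-512 negotiates against the default list without any server change, which is the upgrade path Nick describes.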
