Yeah, Ubuntu 22.04 (the next LTS) has libssh2 version 1.10. I was holding off on upgrading to that OS version until absolutely necessary. Might be a good idea now (now that I also have to upgrade to Guac 1.5.2 to address the security bug).
Brad

Thank you,
Brad Turnbough
Senior Technology Analyst

-----Original Message-----
From: Nick Couchman <[email protected]>
Sent: Wednesday, June 7, 2023 10:16 AM
To: [email protected]
Subject: Re: SSH Connections --- VMWare Hosts

On Wed, Jun 7, 2023 at 10:52 AM Brad Turnbough <[email protected]> wrote:
>
> All,
>
> It appears I've been able to make it work (albeit a bit less secure...)
>
> Doing a bit of digging on the ESXi side....
> 2023-06-07T14:43:03.793Z sshd[2124552]: FIPS mode initialized
> 2023-06-07T14:43:03.793Z sshd[2124552]: Connection from X.Y.Z.A port 52678
> 2023-06-07T14:43:03.796Z sshd[2124552]: Unable to negotiate with X.Y.Z.A port 52678: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
>
> On ESXi 7 hosts, you may need to edit /etc/ssh/sshd_config
>
> In my case, I needed to add ssh-rsa to HostKeyAlgorithms.
>
> I then restarted the SSH service:
> /etc/init.d/SSH restart
>
> Notes: By default (to my knowledge).... the settings of ESXi7 hosts are:
>
> HostKeyAlgorithms
> ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512
>
> Are there any plans to support more secure HostKeyAlgorithms?
This is dependent on the libssh2 version, which is why I was asking about that. Guacamole doesn't control the host key algorithms; it depends on the underlying libssh2 library to support it, so you'll need to upgrade that library. My CentOS 7 system had 1.8.0 installed, similar to your Ubuntu 20 system, and I ended up just downloading the latest libssh2 (1.11.0) and compiling it, then recompiling guacd and pointing it at the install path of the new libssh2 version. It seems to work fine with that change. Alternatively you can run a different Linux distro for guacd that has the later libssh2 version already available - I would imagine later versions of Ubuntu have a later version, and I know RHEL/CentOS/Rocky 8 do, as well.

-Nick

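The sshd line Brad pasted ("no matching host key type found. Their offer: ssh-rsa,ssh-dss") is the signal that tells you whether the fix belongs on the client (an old SSH library such as libssh2 1.8.0 that only offers SHA-1/DSA host key algorithms) or on the server (a modern client offering an algorithm the host simply isn't configured for). The script below is an added example, not code from this thread or from the Guacamole project: it scans OpenSSH-style log lines for that failure, groups them by client, and states which side needs attention rather than quietly widening HostKeyAlgorithms. The default ESXi 7 list is the one quoted in the thread; the two X.Y.Z.A log lines are from the thread, and the remaining sample lines and the 192.0.2.10 client are constructed for the example.

```python
import re
from collections import defaultdict

# Host key algorithms that current OpenSSH servers refuse by default:
# ssh-rsa (RSA with SHA-1 signatures) and ssh-dss (DSA).
LEGACY_HOSTKEY_ALGS = {"ssh-rsa", "ssh-dss"}

# ESXi 7 default HostKeyAlgorithms, as quoted in the thread.
ESXI7_DEFAULT_HOSTKEY_ALGS = [
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "rsa-sha2-256", "rsa-sha2-512",
]

# Message sshd logs when the client's host key algorithm list does not
# intersect the server's HostKeyAlgorithms (format as shown in the thread).
NEGOTIATE_RE = re.compile(
    r"sshd\[\d+\]: Unable to negotiate with (?P<client>\S+) port (?P<port>\d+): "
    r"no matching host key type found\. Their offer: (?P<offer>[^\s]+)"
)

# Constructed sample log; the first two lines are the ones pasted in the thread.
SAMPLE_LOG = [
    "2023-06-07T14:43:03.793Z sshd[2124552]: Connection from X.Y.Z.A port 52678",
    "2023-06-07T14:43:03.796Z sshd[2124552]: Unable to negotiate with X.Y.Z.A port 52678: "
    "no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]",
    # Constructed: a second attempt from the same legacy client.
    "2023-06-07T14:50:11.102Z sshd[2124601]: Unable to negotiate with X.Y.Z.A port 52702: "
    "no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]",
    # Constructed: a modern client offering only ed25519, which the ESXi 7 default list lacks.
    "2023-06-07T15:02:45.510Z sshd[2124733]: Unable to negotiate with 192.0.2.10 port 41110: "
    "no matching host key type found. Their offer: ssh-ed25519 [preauth]",
]


def parse_hostkey_failures(log_lines):
    """Return one dict per 'no matching host key type found' line."""
    failures = []
    for line in log_lines:
        m = NEGOTIATE_RE.search(line)
        if not m:
            continue
        offered = m.group("offer").split(",")
        failures.append({
            "client": m.group("client"),
            "port": int(m.group("port")),
            "offered": offered,
            # True when every algorithm the client can do is SHA-1 RSA or DSA.
            "legacy_only": all(alg in LEGACY_HOSTKEY_ALGS for alg in offered),
        })
    return failures


def missing_from_server(offered, server_algs=ESXI7_DEFAULT_HOSTKEY_ALGS):
    """Algorithms the client offered that the server's list does not contain."""
    return [alg for alg in offered if alg not in server_algs]


def recommend(log_lines, server_algs=ESXI7_DEFAULT_HOSTKEY_ALGS):
    """Group failures by client and say where the fix belongs."""
    by_client = defaultdict(list)
    for f in parse_hostkey_failures(log_lines):
        by_client[f["client"]].append(f)

    report = {}
    for client, fs in by_client.items():
        offered = sorted({alg for f in fs for alg in f["offered"]})
        legacy_only = all(alg in LEGACY_HOSTKEY_ALGS for alg in offered)
        if legacy_only:
            # Loosening HostKeyAlgorithms on the server would re-enable
            # SHA-1/DSA host keys for every client; the client's SSH library
            # is the thing to upgrade.
            action = "upgrade client SSH library (only SHA-1/DSA host key algorithms offered)"
        else:
            action = ("server lacks a modern algorithm the client offers; consider adding "
                      + ",".join(missing_from_server(offered, server_algs)))
        report[client] = {"attempts": len(fs), "offered": offered, "action": action}
    return report


if __name__ == "__main__":
    for client, info in recommend(SAMPLE_LOG).items():
        print(f"{client}: {info['attempts']} failure(s), offered {info['offered']}")
        print(f"  -> {info['action']}")
```

Run against a real host, feed it the sshd lines from the ESXi log instead of SAMPLE_LOG and pass the host's actual HostKeyAlgorithms value if it differs from the ESXi 7 default. A client reported as "legacy only" is exactly the guacd-with-old-libssh2 case in this thread, where the durable fix is the libssh2 upgrade Nick describes rather than adding ssh-rsa to the server.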