libssh 0.10.4 无法继续进行密钥交换。

huangapple go评论86阅读模式
英文:

libssh 0.10.4 unable to proceed with key exchange

问题

使用最新的libssh 0.10.4版本时,ssh连接操作在密钥交换阶段失败。以下是日志记录:

[2023/01/09 16:37:44.874356, 2] ssh_connect: libssh 0.10.4 (c) 2003-2022 Aris Adamantiadis, Andreas Schneider和libssh贡献者。根据LGPL分发,请参考COPYING文件了解您的权利,使用线程threads_winlock
[2023/01/09 16:37:44.881334, 3] getai: 主机x.x.x.x与IP地址匹配
[2023/01/09 16:37:44.885324, 2] ssh_socket_connect: 非阻塞连接套接字:512
[2023/01/09 16:37:44.887321, 2] ssh_connect: 套接字正在连接,现在等待回调函数工作
[2023/01/09 16:37:44.887903, 3] ssh_connect: 实际超时:10000
[2023/01/09 16:37:45.139544, 3] ssh_socket_pollcallback: 在连接状态下接收到POLLOUT
[2023/01/09 16:37:45.140542, 1] socket_callback_connected: 套接字连接回调:1 (0)
[2023/01/09 16:37:45.140542, 3] ssh_socket_unbuffered_write: 为套接字启用POLLOUT
[2023/01/09 16:37:45.376008, 3] callback_receive_banner: 收到横幅:SSH-2.0-Cisco-1.25
[2023/01/09 16:37:45.377005, 2] ssh_client_connection_callback: SSH服务器横幅:SSH-2.0-Cisco-1.25
[2023/01/09 16:37:45.377005, 2] ssh_analyze_banner: 分析横幅:SSH-2.0-Cisco-1.25
[2023/01/09 16:37:45.390968, 3] ssh_client_select_hostkeys: 所需主机密钥的顺序:"ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256"
[2023/01/09 16:37:45.391964, 1] ssh_known_hosts_read_entries: 无法打开known_hosts文件'C:\Users\xxxxx/.ssh/known_hosts':没有此文件或目录
[2023/01/09 16:37:45.391964, 1] ssh_known_hosts_read_entries: 无法打开known_hosts文件'/etc/ssh/ssh_known_hosts':没有此文件或目录
[2023/01/09 16:37:45.391964, 3] ssh_client_select_hostkeys: 在known_hosts中找不到密钥;将主机密钥方法更改为"ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256"
[2023/01/09 16:37:45.391964, 3] ssh_socket_unbuffered_write: 为套接字启用POLLOUT
[2023/01/09 16:37:45.391964, 3] packet_send2: 包:已写入[type=20,len=852,padding_size=7,comp=844,payload=844]
[2023/01/09 16:37:45.392965, 3] ssh_send_kex: 已发送SSH_MSG_KEXINIT
[2023/01/09 16:37:45.626340, 3] ssh_packet_socket_callback: 包:读取类型20 [len=308,padding=4,comp=303,payload=303]
[2023/01/09 16:37:45.627339, 3] ssh_packet_process: 为数据包类型20分派处理程序
[2023/01/09 16:37:45.627339, 1] ssh_kex_select_methods: kex错误:在kex算法中没有匹配的方法:服务器[diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1],客户端[curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256]
[2023/01/09 16:37:45.627339, 3] ssh_connect: 当前状态:9

关于为什么失败有什么想法吗?它可以连接到旧的libssh 0.9.4版本,也可以通过putty连接,没有任何问题。我使用了我从源代码编译的带有openssl 1.1.1k的ssh.dll。我是否漏掉了在CMake中选择的任何内容?

英文:

Using the latest libssh 0.10.4 ssh_connect operation is failing at the key exchange step. Following is the log.

    [2023/01/09 16:37:44.874356, 2] ssh_connect:  libssh 0.10.4 (c) 2003-2022 Aris Adamantiadis, Andreas Schneider and libssh contributors. Distributed under the LGPL, please refer to COPYING file for information about your rights, using threading threads_winlock
[2023/01/09 16:37:44.881334, 3] getai:  host x.x.x.x matches an IP address
[2023/01/09 16:37:44.885324, 2] ssh_socket_connect:  Nonblocking connection socket: 512
[2023/01/09 16:37:44.887321, 2] ssh_connect:  Socket connecting, now waiting for the callbacks to work
[2023/01/09 16:37:44.887903, 3] ssh_connect:  Actual timeout : 10000
[2023/01/09 16:37:45.139544, 3] ssh_socket_pollcallback:  Received POLLOUT in connecting state
[2023/01/09 16:37:45.140542, 1] socket_callback_connected:  Socket connection callback: 1 (0)
[2023/01/09 16:37:45.140542, 3] ssh_socket_unbuffered_write:  Enabling POLLOUT for socket
[2023/01/09 16:37:45.376008, 3] callback_receive_banner:  Received banner: SSH-2.0-Cisco-1.25
[2023/01/09 16:37:45.377005, 2] ssh_client_connection_callback:  SSH server banner: SSH-2.0-Cisco-1.25
[2023/01/09 16:37:45.377005, 2] ssh_analyze_banner:  Analyzing banner: SSH-2.0-Cisco-1.25
[2023/01/09 16:37:45.390968, 3] ssh_client_select_hostkeys:  Order of wanted host keys: "ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256"
[2023/01/09 16:37:45.391964, 1] ssh_known_hosts_read_entries:  Failed to open the known_hosts file 'C:\Users\xxxxx/.ssh/known_hosts': No such file or directory
[2023/01/09 16:37:45.391964, 1] ssh_known_hosts_read_entries:  Failed to open the known_hosts file '/etc/ssh/ssh_known_hosts': No such file or directory
[2023/01/09 16:37:45.391964, 3] ssh_client_select_hostkeys:  No key found in known_hosts; changing host key method to "ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256"
[2023/01/09 16:37:45.391964, 3] ssh_socket_unbuffered_write:  Enabling POLLOUT for socket
[2023/01/09 16:37:45.391964, 3] packet_send2:  packet: wrote [type=20, len=852, padding_size=7, comp=844, payload=844]
[2023/01/09 16:37:45.392965, 3] ssh_send_kex:  SSH_MSG_KEXINIT sent
[2023/01/09 16:37:45.626340, 3] ssh_packet_socket_callback:  packet: read type 20 [len=308,padding=4,comp=303,payload=303]
[2023/01/09 16:37:45.627339, 3] ssh_packet_process:  Dispatching handler for packet type 20
[2023/01/09 16:37:45.627339, 1] ssh_kex_select_methods:  kex error : no match for method kex algos: server [diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1], client [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256]
[2023/01/09 16:37:45.627339, 3] ssh_connect:  current state : 9

Any idea about why it is failing? It connects with old libssh 0.9.4 and also via putty without any issues.
I'm using the ssh.dll which I had compiled from source with openssl 1.1.1k.
Did I miss selecting anything from CMake?

答案1

得分: 2

问题在于默认启用的密钥交换算法和主机密钥算法不再与一些旧的SSH服务器兼容。您可以通过在SSH运行时的config文件中设置KexAlgorithmsHostKeyAlgorithms属性来启用它们。

例如:

KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
HostKeyAlgorithms ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa

您还可以在HostKeyAlgorithms列表的末尾添加,ssh-dss,但您可能不需要它,而且只有在使用-DWITH_DSA=ON选项运行cmake时才能正常工作。

英文:

The problem is that the default set of enabled key exchange algorithms and host key algorithms no longer work with some old ssh servers. They can be enabled in the ssh run-time config file by setting the KexAlgorithms and HostKeyAlgorithms properties.

For example:

KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
HostKeyAlgorithms ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa

You could also add ,ssh-dss to the end of the HostKeyAlgorithms list, but you might not need it and it would probably only work if cmake was run with the -DWITH_DSA=ON option.

huangapple
  • 本文由 发表于 2023年1月9日 19:19:49
  • 转载请务必保留本文链接:https://go.coder-hub.com/75056531.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定