libssh 0.10.4 unable to proceed with key exchange

Question

Using the latest libssh 0.10.4, the ssh_connect operation fails at the key exchange step. The log follows.

    [2023/01/09 16:37:44.874356, 2] ssh_connect:  libssh 0.10.4 (c) 2003-2022 Aris Adamantiadis, Andreas Schneider and libssh contributors. Distributed under the LGPL, please refer to COPYING file for information about your rights, using threading threads_winlock
    [2023/01/09 16:37:44.881334, 3] getai:  host x.x.x.x matches an IP address
    [2023/01/09 16:37:44.885324, 2] ssh_socket_connect:  Nonblocking connection socket: 512
    [2023/01/09 16:37:44.887321, 2] ssh_connect:  Socket connecting, now waiting for the callbacks to work
    [2023/01/09 16:37:44.887903, 3] ssh_connect:  Actual timeout : 10000
    [2023/01/09 16:37:45.139544, 3] ssh_socket_pollcallback:  Received POLLOUT in connecting state
    [2023/01/09 16:37:45.140542, 1] socket_callback_connected:  Socket connection callback: 1 (0)
    [2023/01/09 16:37:45.140542, 3] ssh_socket_unbuffered_write:  Enabling POLLOUT for socket
    [2023/01/09 16:37:45.376008, 3] callback_receive_banner:  Received banner: SSH-2.0-Cisco-1.25
    [2023/01/09 16:37:45.377005, 2] ssh_client_connection_callback:  SSH server banner: SSH-2.0-Cisco-1.25
    [2023/01/09 16:37:45.377005, 2] ssh_analyze_banner:  Analyzing banner: SSH-2.0-Cisco-1.25
    [2023/01/09 16:37:45.390968, 3] ssh_client_select_hostkeys:  Order of wanted host keys: "ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256"
    [2023/01/09 16:37:45.391964, 1] ssh_known_hosts_read_entries:  Failed to open the known_hosts file 'C:\Users\xxxxx/.ssh/known_hosts': No such file or directory
    [2023/01/09 16:37:45.391964, 1] ssh_known_hosts_read_entries:  Failed to open the known_hosts file '/etc/ssh/ssh_known_hosts': No such file or directory
    [2023/01/09 16:37:45.391964, 3] ssh_client_select_hostkeys:  No key found in known_hosts; changing host key method to "ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256"
    [2023/01/09 16:37:45.391964, 3] ssh_socket_unbuffered_write:  Enabling POLLOUT for socket
    [2023/01/09 16:37:45.391964, 3] packet_send2:  packet: wrote [type=20, len=852, padding_size=7, comp=844, payload=844]
    [2023/01/09 16:37:45.392965, 3] ssh_send_kex:  SSH_MSG_KEXINIT sent
    [2023/01/09 16:37:45.626340, 3] ssh_packet_socket_callback:  packet: read type 20 [len=308,padding=4,comp=303,payload=303]
    [2023/01/09 16:37:45.627339, 3] ssh_packet_process:  Dispatching handler for packet type 20
    [2023/01/09 16:37:45.627339, 1] ssh_kex_select_methods:  kex error : no match for method kex algos: server [diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1], client [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256]
    [2023/01/09 16:37:45.627339, 3] ssh_connect:  current state : 9

Any idea about why it is failing? It connects with the old libssh 0.9.4 and also via PuTTY without any issues.
I'm using the ssh.dll which I compiled from source with OpenSSL 1.1.1k.
Did I miss selecting anything in CMake?

Answer 1

Score: 2

The problem is that the default set of enabled key exchange algorithms and host key algorithms no longer works with some old SSH servers. They can be enabled in the ssh run-time config file by setting the KexAlgorithms and HostKeyAlgorithms properties.

For example:

    KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    HostKeyAlgorithms ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa

You could also add ,ssh-dss to the end of the HostKeyAlgorithms list, but you might not need it and it would probably only work if cmake was run with the -DWITH_DSA=ON option.
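The log in the question and the config lines in the answer together show exactly what the negotiation rule of RFC 4253 section 7.1 does: the chosen kex method is the first entry on the client's name-list that the server also offers, so two disjoint lists fail and appending the legacy names makes the connection succeed by selecting a SHA-1 method. The following script is an added example (not libssh code and not part of the original thread) that replays that rule over a constructed copy of the failing log line and over the answer's two config lines, and flags which of the enabled methods are legacy (SHA-1 or the 1024-bit group1 modulus), so you can see what you are downgrading to before you ship the config. It omits the extra host-key compatibility condition the RFC adds for kex selection.

```python
"""Replay the SSH kex negotiation from a libssh log line (added example)."""
import re
from typing import Dict, List, Optional

# Constructed copy of the ssh_kex_select_methods error line quoted in the
# question, split across string literals only for readability.
KEX_ERROR_LINE = (
    "[2023/01/09 16:37:45.627339, 1] ssh_kex_select_methods:  kex error : "
    "no match for method kex algos: "
    "server [diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1], "
    "client [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,"
    "ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,"
    "diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,"
    "diffie-hellman-group14-sha256]"
)

# The two ssh_config lines proposed in the answer, copied as written there.
ANSWER_CONFIG = (
    "KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,"
    "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,"
    "diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,"
    "diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,"
    "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1\n"
    "HostKeyAlgorithms ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,"
    "ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa\n"
)

_KEX_ERROR_RE = re.compile(r"server \[([^\]]*)\], client \[([^\]]*)\]")


def parse_kex_error(line: str) -> Optional[Dict[str, List[str]]]:
    """Extract the server and client kex name-lists from a libssh
    ssh_kex_select_methods error line; None if the line is not one."""
    m = _KEX_ERROR_RE.search(line)
    if not m:
        return None
    return {
        "server": [a for a in m.group(1).split(",") if a],
        "client": [a for a in m.group(2).split(",") if a],
    }


def parse_ssh_config(text: str) -> Dict[str, List[str]]:
    """Parse 'Keyword value' ssh_config lines whose value is a comma-separated
    name-list (KexAlgorithms, HostKeyAlgorithms, ...).  Blank lines and
    '#' comments are skipped; keywords are stored as written."""
    options: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        if len(parts) != 2:
            continue
        keyword, value = parts
        options[keyword] = [a for a in value.split(",") if a]
    return options


def negotiate(client: List[str], server: List[str]) -> Optional[str]:
    """RFC 4253 section 7.1: the chosen method is the first entry of the
    client's name-list that also appears on the server's name-list.
    The host-key compatibility condition for kex is omitted here."""
    offered = set(server)
    for alg in client:
        if alg in offered:
            return alg
    return None


def legacy_kex(algorithms: List[str]) -> List[str]:
    """Kex names that depend on SHA-1 or on the 1024-bit group1 modulus.
    Enabling these is a deliberate downgrade; scope it to the hosts that
    need it (e.g. a Host block) rather than a global default."""
    return [a for a in algorithms
            if a.endswith("-sha1") or a.startswith("diffie-hellman-group1-")]


def diagnose(log_line: str, config_text: str) -> Dict[str, object]:
    """Explain the failure in the log and what the proposed config changes."""
    lists = parse_kex_error(log_line)
    if lists is None:
        raise ValueError("not a libssh kex error line")
    options = parse_ssh_config(config_text)
    extended = options.get("KexAlgorithms", lists["client"])
    chosen_after = negotiate(extended, lists["server"])
    return {
        "before": negotiate(lists["client"], lists["server"]),
        "after": chosen_after,
        "server_offers_only_legacy": legacy_kex(lists["server"]) == lists["server"],
        "downgraded_to_legacy": chosen_after is not None
        and bool(legacy_kex([chosen_after])),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(diagnose(KEX_ERROR_LINE, ANSWER_CONFIG), indent=2))
```

Run as-is it reports `before: null` (the two lists in the log share nothing), `after: "diffie-hellman-group14-sha1"` (the first entry of the extended client list that the Cisco device offers) and that this device offers only SHA-1 methods, which is the fact to record when you decide whether to enable the legacy names globally or only for that host.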

huangapple
  • Posted on 9 January 2023 19:19:49
  • Please keep this link when reposting: https://go.coder-hub.com/75056531.html