Gentoo Forums: Networking & Security
problem with ssh

SarahS93 (l33t) | Joined: 21 Nov 2013 | Posts: 693
Posted: Sun Nov 26, 2023 9:33 am    Post subject: problem with ssh

What's going wrong here?
I want to go with ssh from the notebook (192.168.0.23) to the desktop computer (192.168.0.1).

Code:
ssh 192.168.0.1
Unable to negotiate with 192.168.0.1 port 22: no matching host key type found. Their offer: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519


I did try
Code:
ssh -oHostKeyAlgorithms=+ssh-dss root@192.168.0.1
ssh_dispatch_run_fatal: Connection to 192.168.0.1 port 22: incorrect signature
sMueggli (Guru) | Joined: 03 Sep 2022 | Posts: 370
Posted: Sun Nov 26, 2023 10:26 am

The SSH server is offering "rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519", which are good defaults.

But the SSH client is not able to negotiate with the offered algorithms. I guess you should create new SSH keys on the client, e.g. with ECC
Code:
ssh-keygen -t ed25519 -a 100
, copy the public key and try again.

Workarounds that allow weak host keys are not recommended.

Last edited by sMueggli on Sun Nov 26, 2023 4:19 pm; edited 1 time in total
Hu (Moderator) | Joined: 06 Mar 2007 | Posts: 21637
Posted: Sun Nov 26, 2023 4:09 pm

When debugging a problem with ssh, it is often useful to enable verbose mode to get debug output. In this case, it would be good to know:
  • Exact versions of the client and server software
  • Any custom configuration applicable on both ends
Why did you try enabling ssh-dss? The error message did not mention that.
spica (Apprentice) | Joined: 04 Jun 2021 | Posts: 287
Posted: Sun Nov 26, 2023 7:26 pm

How many other keys do you have under the ~/.ssh directory?
Hu (Moderator) | Joined: 06 Mar 2007 | Posts: 21637
Posted: Sun Nov 26, 2023 8:35 pm

The error appears to be about host keys, not user authentication keys.
SarahS93 (l33t) | Joined: 21 Nov 2013 | Posts: 693
Posted: Wed Nov 29, 2023 5:40 am

There are no keys stored; I use passwords.

ssh client
notebook 192.168.0.23
net-misc/openssh-7.5_p1-r3

ssh server
desktop 192.168.0.1
net-misc/openssh-9.4_p1-r1


Code:
ssh -vv 192.168.0.1
OpenSSH_7.5p1-hpn14v12lpk, OpenSSL 1.0.2n  7 Dec 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolving "192.168.0.1" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 192.168.0.1 [192.168.0.1] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/user1/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user1/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user1/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user1/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user1/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user1/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user1/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user1/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.5p1-hpn14v12lpk
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.4
debug1: match: OpenSSH_9.4 pat OpenSSH* compat 0x04000000
debug1: Remote is NON-HPN aware
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 192.168.0.1:22 as 'user1'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: AUTH STATE IS 0
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: (no match)
Unable to negotiate with 192.168.0.1 port 22: no matching host key type found. Their offer: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519


Syslog at the desktop ssh server (192.168.0.1) shows me
Code:
sshd[9025]: Unable to negotiate with 192.168.0.23 port 50036: no matching host key type found. Their offer: ssh-rsa [preauth]
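As an added example (not code from the thread or from OpenSSH), a small summarizer for the server-side view of the problem above: it reads sshd "Unable to negotiate" lines like the one in the syslog excerpt, groups the failures by client address and flags clients that only ever offered legacy host key signature algorithms. That is how an administrator finds the outdated clients on the network before tightening sshd any further, instead of weakening the server to accommodate them. The log lines in the block are constructed (the thread's line given a syslog-style prefix, plus invented neighbouring lines); the function names and the LEGACY_HOSTKEY_ALGS set are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the sshd syslog line quoted in the thread, plus three
# constructed lines (a second legacy client, a successful login and a repeat
# attempt) so that the summary has something to group.
SAMPLE_SYSLOG = """\
Nov 29 05:40:01 desktop sshd[9025]: Unable to negotiate with 192.168.0.23 port 50036: no matching host key type found. Their offer: ssh-rsa [preauth]
Nov 29 05:41:17 desktop sshd[9031]: Unable to negotiate with 192.168.0.40 port 51002: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
Nov 29 05:42:03 desktop sshd[9044]: Accepted publickey for user1 from 192.168.0.50 port 52210 ssh2: ED25519 SHA256:CONSTRUCTED_FINGERPRINT
Nov 29 05:45:09 desktop sshd[9052]: Unable to negotiate with 192.168.0.23 port 50040: no matching host key type found. Their offer: ssh-rsa [preauth]
"""

# Host key signature algorithms a current sshd no longer accepts by default:
# ssh-rsa is RSA with SHA-1, ssh-dss is DSA. (Assumption made for this example.)
LEGACY_HOSTKEY_ALGS = {"ssh-rsa", "ssh-dss"}

# sshd logs the same "Unable to negotiate" shape for host keys, key exchange,
# ciphers and MACs; the 'what' group keeps those apart.
NEGOTIATE_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Unable to negotiate with (?P<ip>[\d.]+) port (?P<port>\d+): "
    r"no matching (?P<what>host key type|key exchange method|cipher|MAC) found\. "
    r"Their offer: (?P<offer>\S+)"
)


def parse_negotiation_failures(log_text):
    """One dict per 'Unable to negotiate' line; every other sshd line is ignored."""
    events = []
    for line in log_text.splitlines():
        m = NEGOTIATE_RE.search(line)
        if not m:
            continue
        events.append({
            "ip": m.group("ip"),
            "port": int(m.group("port")),
            "what": m.group("what"),
            "offer": m.group("offer").split(","),
        })
    return events


def summarize_by_client(events, what="host key type"):
    """Per client IP: number of failed attempts and the union of algorithms it offered."""
    summary = defaultdict(lambda: {"attempts": 0, "offered": set()})
    for ev in events:
        if ev["what"] != what:
            continue
        entry = summary[ev["ip"]]
        entry["attempts"] += 1
        entry["offered"].update(ev["offer"])
    return dict(summary)


def legacy_only_clients(summary):
    """Clients that never offered anything outside LEGACY_HOSTKEY_ALGS: these are
    the hosts whose ssh client needs updating (or an explicit HostKeyAlgorithms
    entry) rather than a relaxed server configuration."""
    return sorted(ip for ip, e in summary.items() if e["offered"] <= LEGACY_HOSTKEY_ALGS)


if __name__ == "__main__":
    events = parse_negotiation_failures(SAMPLE_SYSLOG)
    summary = summarize_by_client(events)
    for ip, e in sorted(summary.items()):
        print(f"{ip}: {e['attempts']} failed host key negotiation(s), offered {sorted(e['offered'])}")
    print("legacy-only clients:", legacy_only_clients(summary))
```

Run against a real /var/log/auth.log or journalctl -u sshd output the same way; the regex deliberately matches only the "Unable to negotiate" family, so unrelated sshd lines (accepted logins, disconnects) are skipped rather than mis-parsed.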
grknight (Retired Dev) | Joined: 20 Feb 2015 | Posts: 1660
Posted: Wed Nov 29, 2023 1:43 pm

SarahS93 wrote:
What's going wrong here?
I want to go with ssh from the notebook (192.168.0.23) to the desktop computer (192.168.0.1).

Code:
ssh 192.168.0.1
Unable to negotiate with 192.168.0.1 port 22: no matching host key type found. Their offer: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519

I did try
Code:
ssh -oHostKeyAlgorithms=+ssh-dss root@192.168.0.1
ssh_dispatch_run_fatal: Connection to 192.168.0.1 port 22: incorrect signature

Make that command: ssh -oHostKeyAlgorithms=+ssh-ed25519 root@192.168.0.1
ssh-ed25519 support was added in OpenSSH 6.5.

It may be wise to make this permanent in /etc/ssh/ssh_config (for a system) or ~/.ssh/config (for a user), as many newer servers have this default.
Code:
Host *
  HostKeyAlgorithms +ssh-ed25519
flexibeast (Guru) | Joined: 04 Apr 2022 | Posts: 324 | Location: Naarm/Melbourne, Australia
Posted: Thu Nov 30, 2023 2:41 am

Further to Hu's comment earlier in the thread, 'host keys' are distinct from 'user authentication keys' - they're used to verify that you're talking to the ssh server you intend to be talking to. Additionally, you can't use a host key algorithm outside of the set offered by the server, so when the server offers you "rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519", you have to choose one of those options - which is why your request to use 'ssh-dss' as the host key algorithm is not successful. (Otherwise the ssh server would be vulnerable to downgrade attacks, involving forcing the use of a less secure system with known vulnerabilities, which can then be exploited for nefarious purposes.)
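The negotiation flexibeast describes above, and the effect of grknight's +ssh-ed25519 suggestion, worked through as an added example (not code from the thread or from OpenSSH). It parses the "host key algorithms" lines out of ssh -vv output shaped like the one SarahS93 posted (reproduced in the block as a constructed sample), picks the algorithm the way RFC 4253 section 7.1 prescribes (first entry in the client's list that the server also lists), and models the prefixes the HostKeyAlgorithms client option accepts. The function names are the example's own, the "^" prefix is noted as belonging to newer clients, and the known_hosts-driven reordering a real ssh client applies to its list is not modeled.

```python
import re

# Constructed sample: the KEXINIT lines that matter, in the shape of the ssh -vv
# output posted in the thread. A 7.5 client proposing only ssh-rsa, a 9.4 server
# proposing its modern defaults.
SAMPLE_SSH_VV = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256
debug2: host key algorithms: ssh-rsa
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: (no match)
"""

HOSTKEY_LINE = re.compile(r"debug2: host key algorithms: (?P<algs>.*)$")


def parse_hostkey_proposals(vv_output):
    """Return (client_algs, server_algs) from ssh -vv output.

    ssh prints its own proposal under 'local client KEXINIT proposal' and the
    server's under 'peer server KEXINIT proposal'; the 'host key algorithms'
    line inside each section is the one this function keeps."""
    proposals = {"client": [], "server": []}
    section = None
    for line in vv_output.splitlines():
        if "local client KEXINIT proposal" in line:
            section = "client"
        elif "peer server KEXINIT proposal" in line:
            section = "server"
        m = HOSTKEY_LINE.match(line.strip())
        if m and section:
            proposals[section] = [a for a in m.group("algs").split(",") if a]
    return proposals["client"], proposals["server"]


def negotiate(client_algs, server_algs):
    """RFC 4253 section 7.1: the chosen algorithm is the first one in the
    client's list that the server also lists; None corresponds to '(no match)'."""
    server_set = set(server_algs)
    return next((a for a in client_algs if a in server_set), None)


def apply_hostkey_option(client_algs, value):
    """Model the HostKeyAlgorithms client option (ssh_config(5)): a bare list
    replaces the default, '+' appends to it, '-' removes from it, and '^'
    (OpenSSH 8.0 and later) prepends. A 7.5 client knows the bare list, '+' and '-'."""
    items = [a for a in value.lstrip("+-^").split(",") if a]
    if value.startswith("+"):
        return client_algs + [a for a in items if a not in client_algs]
    if value.startswith("-"):
        return [a for a in client_algs if a not in items]
    if value.startswith("^"):
        return items + [a for a in client_algs if a not in items]
    return items


def diagnose(vv_output, option=None):
    """Explain a host key negotiation: what each side proposed, what was chosen
    (after optionally applying a HostKeyAlgorithms value on the client side),
    and which server-offered algorithms the client would have to add for a match."""
    client, server = parse_hostkey_proposals(vv_output)
    if option is not None:
        client = apply_hostkey_option(client, option)
    return {
        "client": client,
        "server": server,
        "chosen": negotiate(client, server),
        "candidates": [a for a in server if a not in client],
    }


if __name__ == "__main__":
    print("as posted:        ", diagnose(SAMPLE_SSH_VV)["chosen"])
    print("with +ssh-dss:    ", diagnose(SAMPLE_SSH_VV, "+ssh-dss")["chosen"])
    print("with +ssh-ed25519:", diagnose(SAMPLE_SSH_VV, "+ssh-ed25519")["chosen"])
```

The "+ssh-dss" case is the one SarahS93 tried: it adds an algorithm to the client's list, but since the server never offered it the intersection is still empty, exactly as flexibeast explains. The server only lists algorithms for which it actually has a host key loaded, so the only fix that stays within the server's policy is to extend the client's list with something the server already offers, which is what grknight's +ssh-ed25519 does.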
Banana (Veteran) | Joined: 21 May 2004 | Posts: 1392 | Location: Germany
Posted: Thu Nov 30, 2023 7:48 am

I wonder why those options are needed. With a default setup it should not be?
I do know those options, but as far as I can tell the whole problem sounds like a non-special setup, and something went wrong.
sMueggli (Guru) | Joined: 03 Sep 2022 | Posts: 370
Posted: Thu Nov 30, 2023 8:55 am

Banana wrote:
I wonder why those options are needed. With a default setup it should not be?

The problem is the very old client version net-misc/openssh-7.5_p1-r3.
Hu (Moderator) | Joined: 06 Mar 2007 | Posts: 21637
Posted: Thu Nov 30, 2023 3:52 pm

SarahS93 wrote:
There are no keys stored; I use passwords.
You probably should not do that. That is not relevant to your current problem, though.
SarahS93 wrote:
ssh client
notebook 192.168.0.23
net-misc/openssh-7.5_p1-r3
Why is this so old? openssh-7.5 was removed by Whissi in April 2020 as "net-misc/openssh: security cleanup", and even that removal looks a bit belated, since it removes several newer (and yet by then obsolete) versions in the same commit. Thus, your system is at least 3.5 years out of date. It looks like -r3 was added by Whissi in 2017 with "net-misc/openssh: Rev bump to fix CVE-2017-15906", and then superseded by -r4 in January 2018 with "net-misc/openssh: revbumps for net-libs/ldns dep change", which would put you at around 5.75 years out of date.
Banana (Veteran) | Joined: 21 May 2004 | Posts: 1392 | Location: Germany
Posted: Thu Nov 30, 2023 6:21 pm

sMueggli wrote:
Banana wrote:
I wonder why those options are needed. With a default setup it should not be?

The problem is the very old client version net-misc/openssh-7.5_p1-r3.

Oh well, that explains it :-)