Posted to user@guacamole.apache.org by Jorge Lopez <Jo...@eu.equinix.com.INVALID> on 2022/11/22 11:58:26 UTC

OpenSSH-format private keys / Ed25519

Hi,

With the Rocky Linux 9 release we are unable to connect to our remote servers because of the host key type.

This is the error traceback:

Nov 22 10:18:13 lm2vergpckeys01 sshd[359955]: Connection closed by ‘ip_address’ port 37578
Nov 22 10:18:31 lm2vergpckeys01 sshd[359962]: Connection from ‘ip_address’ port 56553 on ‘ip_address’ port 22 rdomain ""
Nov 22 10:18:31 lm2vergpckeys01 sshd[359962]: Unable to negotiate with ‘ip_address’ port 56553: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]

We are using guacd docker image with our own client development.

Is there a workaround that avoids modifying this on the remote server (security requirements) and enables it in guacd?

When is guacd v1.5 expected to be released? I have seen in the code that this is fixed there.

Thanks

Jorge López Díaz
Managed Services Operations Senior Analyst

EQUINIX | Calle Valgrande 6, 28108, Alcobendas, Madrid, España
E jorge.lopez@eu.equinix.com | M +34682449912

This email is from Equinix (EMEA) B.V. or one of its associated companies in the territory from where this email has been sent. This email, and any files transmitted with it, contains information which is confidential, is solely for the use of the intended recipient and may be legally privileged. If you have received this email in error, please notify the sender and delete this email immediately. Equinix (EMEA) B.V.. Registered Office: Amstelplein 1, 1096 HA Amsterdam, The Netherlands. Registered in The Netherlands No. 57577889.

Re: [EXTERNAL] RE: OpenSSH-format private keys / Ed25519

Posted by Michael Jumper <mj...@apache.org>.
On Tue, Nov 22, 2022, 11:53 PM Jorge Lopez
<Jo...@eu.equinix.com.invalid> wrote:

> But we want to avoid doing this (downgrade ssh) on new servers. If new
> servers don’t accept this protocol it’s for security reasons, and we have a
> lot of new servers that we are unable to connect to for this reason.
>
> Is there an option like this, not on all the servers but on the guacd side:
>
> “You could add the following lines to your ~/.ssh/config and/or sshd_config
>

You can install and build the current "staging/1.5.0" branch from
Guacamole's git against a newer libssh2. You may need to build libssh2 from
source if your distro does not offer a new enough version, and you may need
to build from git (see below).

This aspect of behavior is actually dictated by the underlying SSH library,
not Guacamole itself. The only changes on the Guacamole side with respect
to improving key handling were:

* Migrate to recent libssh2's built-in support for reading private keys
from memory (we previously had to do this manually), which supports
OpenSSH's new key format.

* Rearchitect the Docker image build to build libssh2 (and all other
protocol libraries) from their latest release source, so that users don't
need to rely on their distro releasing updated packages.

The issue with recent OpenSSH deprecating and disabling ssh-rsa was noted
here:

https://github.com/libssh2/libssh2/issues/634

I'm not sure whether libssh2 has cut a release with this support. Using an
elliptic curve key could work with the latest libssh2 and "staging/1.5.0"
guac. Using a build of libssh2 from git with "staging/1.5.0" guac should
work with RSA keys and recent OpenSSH, too.

> As I asked in the previous mail, is this expected to be fixed in the v1.5
> guacd release, and when is the release expected?
>

Everyone's been pretty busy lately. It should be out this year. Beyond
that, it's difficult to make a more accurate guess.

Please definitely feel free to build the latest from git and give that some
solid testing. The more testing the merrier, and it should also happily
solve your immediate issue.

- Mike
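
Added example (not part of the thread, and not Guacamole or libssh2 code): the sshd message quoted in this thread means the client's host key algorithm list and the server's list have no entry in common. The Python below parses such log lines and applies the selection rule from RFC 4253 section 7.1; the log lines, addresses, hostname and both algorithm lists are constructed for illustration.

```python
import re
from collections import Counter

# SSH wire names of host key signature algorithms that depend on SHA-1 or DSA.
LEGACY_HOST_KEY_ALGS = {"ssh-rsa", "ssh-dss"}

# ASSUMPTION: what a server that refuses SHA-1 signatures might accept.
# Read the real list from the server with: sshd -T | grep -i hostkeyalgorithms
SERVER_HOST_KEY_ALGS = ["ssh-ed25519", "ecdsa-sha2-nistp256",
                        "rsa-sha2-512", "rsa-sha2-256"]

# Matches sshd's pre-auth negotiation failure line and captures the peer,
# the category that failed to match, and the list the peer offered.
NEGOTIATE_RE = re.compile(
    r"sshd\[\d+\]: Unable to negotiate with (?P<peer>\S+) port (?P<port>\d+): "
    r"no matching (?P<category>.+?) found\. Their offer: (?P<offer>\S+)"
)

# CONSTRUCTED sample log in sshd's format (documentation-range addresses).
SAMPLE_LOG = """\
Nov 22 10:18:13 host01 sshd[359955]: Connection closed by 192.0.2.10 port 37578
Nov 22 10:18:31 host01 sshd[359962]: Connection from 192.0.2.10 port 56553 on 192.0.2.1 port 22 rdomain ""
Nov 22 10:18:31 host01 sshd[359962]: Unable to negotiate with 192.0.2.10 port 56553: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
Nov 22 10:19:02 host01 sshd[359970]: Unable to negotiate with 192.0.2.10 port 56560: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
Nov 22 10:21:47 host01 sshd[359981]: Unable to negotiate with 192.0.2.20 port 40112: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
"""


def negotiate(client_offer, server_algs):
    """RFC 4253 section 7.1 rule: the first algorithm on the client's list
    that the server also supports is chosen; None means no overlap.
    Simplified: ignores constraints the key exchange method may add."""
    return next((alg for alg in client_offer if alg in server_algs), None)


def parse_failures(log_text):
    """Return one dict per 'Unable to negotiate' line in the log text."""
    failures = []
    for line in log_text.splitlines():
        m = NEGOTIATE_RE.search(line)
        if m:
            failures.append({
                "peer": m["peer"],
                "category": m["category"],
                "offer": m["offer"].split(","),
            })
    return failures


def legacy_only_clients(log_text, server_algs=SERVER_HOST_KEY_ALGS):
    """Count host key negotiation failures per peer whose whole offer is
    legacy: clients that need a newer SSH library, not a weaker server."""
    counts = Counter()
    for f in parse_failures(log_text):
        if f["category"] != "host key type":
            continue  # kex/cipher/MAC mismatches are a different problem
        no_overlap = negotiate(f["offer"], server_algs) is None
        if no_overlap and set(f["offer"]) <= LEGACY_HOST_KEY_ALGS:
            counts[f["peer"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in parse_failures(SAMPLE_LOG):
        print(f["peer"], f["category"], f["offer"])
    print("legacy-only clients:", legacy_only_clients(SAMPLE_LOG))
    # ASSUMPTION: an offer a client built on a newer SSH library might send.
    newer = ["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"]
    print("newer client negotiates:", negotiate(newer, SERVER_HOST_KEY_ALGS))
```
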

Re: [EXTERNAL] RE: OpenSSH-format private keys / Ed25519

Posted by Jorge Lopez <Jo...@eu.equinix.com.INVALID>.
Hi,

Thanks a lot! We have tested and it’s working as expected!

Regards

Jorge López Díaz

Re: [EXTERNAL] RE: OpenSSH-format private keys / Ed25519

Posted by MOLINIE Mathieu gmail <ma...@gmail.com>.
Hi,

We have migrated to a docker version of Guacamole in order to address
this issue. The guacd of the current stable release uses an old library
for handling SSH connections (I think the culprit is libgcrypt).

The guacd:latest image from linuxserver.io uses openssl3 instead of
libgcrypt, and this change solved this problem without downgrading
security.

Hope it helps,

Mathieu Molinié



Re: [EXTERNAL] RE: OpenSSH-format private keys / Ed25519

Posted by Jorge Lopez <Jo...@eu.equinix.com.INVALID>.
But we want to avoid doing this (downgrade ssh) on new servers. If new servers don’t accept this protocol it’s for security reasons, and we have a lot of new servers that we are unable to connect to for this reason.

Is there an option like this, not on all the servers but on the guacd side:

“You could add the following lines to your ~/.ssh/config and/or sshd_config
Host *
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa”

As I asked in the previous mail, is this expected to be fixed in the v1.5 guacd release, and when is the release expected?

Thanks


Jorge López Díaz

RE: OpenSSH-format private keys / Ed25519

Posted by Sean Hulbert <sh...@securitycentric.net.INVALID>.
This is an issue with OpenSSH and how the keys are handled; you can either
adjust the configuration or downgrade ssh.

You could add the following lines to your ~/.ssh/config and/or sshd_config

Host *
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa

Thank You
Sean Hulbert

Founder / CEO
Work Ph: 925.663.5565

Security Centric Inc.
A Cybersecurity Virtualization Enablement Company
We don't just run you through the motions, Our labs teach you how to think!

System Award Management
CAGE: 8AUV4

AFCEA San Francisco Chapter V.P.

If you have heard of a hacker by name, he/she has failed, fear the hacker
you haven’t heard of!

CONFIDENTIALITY NOTICE: This communication with its contents may contain
confidential and/or legally privileged information. It is solely for the use
of the intended recipient(s). Unauthorized interception, review, use or
disclosure is prohibited and may violate applicable laws including the
Electronic Communications Privacy Act. If you are not the intended
recipient, please contact the sender and destroy all copies of the
communication. Content within this email communication is not legally
binding as a contract and no promises are guaranteed unless in a formal
contract outside this email communication.

igitur qui desiderat pacem, praeparet bellum!!!

Epitoma Rei Militaris

 
