Posted to issues@guacamole.apache.org by "nunnsby (Jira)" <ji...@apache.org> on 2022/12/29 23:48:00 UTC

[jira] [Commented] (GUACAMOLE-1619) SSH Server > 8.5 - Guacamole

    [ https://issues.apache.org/jira/browse/GUACAMOLE-1619?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17652974#comment-17652974 ] 

nunnsby commented on GUACAMOLE-1619:
------------------------------------

Still a problem for new docker container builds as of last night, 2022-12-29, using the latest git clone. The workaround is still to change the server-side sshd-config file.

Any news on when we expect to see the latest libssh library make its way into the source, or when we'll be able to get a new docker image with the libssh fix?

It's becoming more commonplace to see issues now (for me at least) as I connect to more recent servers. Specifically, all new Ubuntu Servers in the last 3 months at least have updated server libraries, so it won't connect without updating the server config.

> SSH Server > 8.5 - Guacamole
> ----------------------------
>
>                 Key: GUACAMOLE-1619
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1619
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole
>    Affects Versions: 1.4.0
>         Environment: Ubuntu LTS 22.04 / Docker with latest guacamole image
>            Reporter: Kenneth D'hoe
>            Priority: Major
>
> Not able to SSH to Ubuntu 22.04 LTS host from latest dockerized guacamole.
> On the remote server I receive the error: Unable to negotiate with xx.xx.xx.xx port 44138: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
> SSH Version on remote host: user@hostname:~# ssh -V
> OpenSSH_8.9p1 Ubuntu-3, OpenSSL 3.0.2 15 Mar 2022
> Looks like guacamole is not able to use newer key algorithms?
>  
> Workaround:
> Add below to sshd config. 
> {{HostKeyAlgorithms=ssh-rsa,ssh-rsa-cert-v01@openssh.com
> PubkeyAcceptedAlgorithms=+ssh-rsa,ssh-rsa-cert-v01@openssh.com}}
>  
> Disclaimer:
> Warning! As mentioned in the OpenSSH man, enabling the old rsa-sha1 algorithm has a risk. rsa-sha1 is now being classified as breached since it costs less than 50K to calculate a collision hash.
>  
> Debug Log:
> {code:java}
> Jun  3 09:36:49 hostname sshd[1053815]: debug1: Forked child 1054212.
> Jun  3 09:36:49 hostname sshd[1054212]: debug1: Set /proc/self/oom_score_adj to 0
> Jun  3 09:36:49 hostname sshd[1054212]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
> Jun  3 09:36:49 hostname sshd[1054212]: debug1: inetd sockets after dupping: 4, 4
> Jun  3 09:36:49 hostname sshd[1054212]: Connection from 172.23.0.2 port 44142 on 172.31.15.16 port 22 rdomain ""
> Jun  3 09:36:49 hostname sshd[1054212]: debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3
> Jun  3 09:36:49 hostname sshd[1054212]: debug1: Remote protocol version 2.0, remote software version libssh2_1.8.0
> Jun  3 09:36:49 hostname sshd[1054212]: debug1: compat_banner: no match: libssh2_1.8.0
> Jun  3 09:36:49 hostname sshd[1054212]: debug1: permanently_set_uid: 106/65534 [preauth]
> Jun  3 09:36:49 hostname sshd[1054212]: debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
> Jun  3 09:36:49 hostname sshd[1054212]: debug1: SSH2_MSG_KEXINIT sent [preauth]
> Jun  3 09:36:49 hostname sshd[1054212]: debug1: SSH2_MSG_KEXINIT received [preauth]
> Jun  3 09:36:49 hostname sshd[1054212]: debug1: kex: algorithm: diffie-hellman-group-exchange-sha256 [preauth]
> Jun  3 09:36:49 hostname sshd[1054212]: debug1: kex: host key algorithm: (no match) [preauth]
> Jun  3 09:36:49 hostname sshd[1054212]: Unable to negotiate with 172.23.0.2 port 44142: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
> Jun  3 09:36:49 hostname sshd[1054212]: debug1: do_cleanup [preauth]
> Jun  3 09:36:49 hostname sshd[1054212]: debug1: monitor_read_log: child log fd closed
> Jun  3 09:36:49 hostname sshd[1054212]: debug1: do_cleanup
> Jun  3 09:36:49 hostname sshd[1054212]: debug1: Killing privsep child 1054213
> Jun  3 09:36:49 hostname sshd[1054212]: debug1: audit_event: unhandled event 12{code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
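
An added example, not part of the Jira thread or the Guacamole project: a log audit that lists which clients fail host key negotiation and whether they offer only the SHA-1 based algorithms, so the scope of the sshd workaround can be judged before enabling it. The sample lines are constructed, modelled on the debug log quoted above; the function and field names are hypothetical.

```python
import re

# Host key algorithms whose signatures use SHA-1 (the two in the client offer above).
SHA1_HOSTKEY_ALGS = {"ssh-rsa", "ssh-dss"}

PID = re.compile(r"sshd\[(\d+)\]: (.*)")
SERVER_TYPES = re.compile(r"list_hostkey_types: (\S+)")
CLIENT_SW = re.compile(r"remote software version (\S+)")
FAILURE = re.compile(r"Unable to negotiate with (\S+) port \d+: "
                     r"no matching host key type found\. Their offer: (\S+)")

def find_hostkey_failures(lines):
    """Return one record per failed host key negotiation, correlated by sshd PID."""
    sessions, failures = {}, []
    for line in lines:
        m = PID.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        s = sessions.setdefault(pid, {"server": [], "software": None})
        if (t := SERVER_TYPES.search(msg)):
            s["server"] = t.group(1).split(",")
        elif (v := CLIENT_SW.search(msg)):
            s["software"] = v.group(1)
        elif (f := FAILURE.search(msg)):
            offer = f.group(2).split(",")
            failures.append({
                "client": f.group(1),
                "software": s["software"],
                "offer": offer,
                "server": s["server"],
                "common": sorted(set(offer) & set(s["server"])),  # empty => no match
                "sha1_only": set(offer) <= SHA1_HOSTKEY_ALGS,
            })
    return failures

# Constructed sample: one legacy client that fails, one modern client that succeeds.
SAMPLE = """\
Jun  3 09:36:49 host sshd[2001]: debug1: Remote protocol version 2.0, remote software version libssh2_1.8.0
Jun  3 09:36:49 host sshd[2001]: debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Jun  3 09:36:49 host sshd[2001]: Unable to negotiate with 192.0.2.10 port 44142: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
Jun  3 09:40:02 host sshd[2002]: debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1
Jun  3 09:40:02 host sshd[2002]: debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Jun  3 09:40:02 host sshd[2002]: debug1: kex: host key algorithm: ssh-ed25519 [preauth]
""".splitlines()

if __name__ == "__main__":
    for rec in find_hostkey_failures(SAMPLE):
        print(rec)
```

The client software string is only logged at `LogLevel DEBUG1` or higher, as in the quoted log; at the default level the `software` and `server` fields stay empty and only the client address and offer are recovered.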