Posted to user@guacamole.apache.org by cchance <cc...@gmail.com> on 2017/10/27 03:10:23 UTC

ssh handshake failed latest libssh2

OK, I read that the reason SSH was giving handshake errors was the Dockerfile
being based on CentOS, which had an old libssh2, so I wrote my own
Dockerfile that builds with:

ENV GUACAMOLE_VERSION 0.9.13-incubating
ENV OPENSSL_VERSION 1.1.0f
ENV LIBSSH2_VERSION 1.8.0

But STILL I'm getting "ssh handshake failed" every time I try to SSH to a
switch; it works in PuTTY.

As a note the switch seems to use diffie-hellman-group1-sha1

I thought using the latest OpenSSL and libssh2 would fix the issue, but
apparently not? Is there somewhere I need to specifically allow sha1 beyond
just upgrading to the latest libssh2 before building guacd?



--
Sent from: http://apache-guacamole-incubating-users.2363388.n4.nabble.com/

Re: ssh handshake failed latest libssh2

Posted by NTMMFTS <ja...@gmail.com>.
Hi,

Same issue trying to SSH to pfSense.  Here are the latest specs from the
pfSense Wiki at doc.pfsense.org for their SSH implementation since version
2.3.2 (current is 2.4.1-RELEASE) which guacamole doesn't seem to support
with libssh2 in 0.9.13-incubating:

-------------------------
NOTE: The ssh host keys were made more secure, and if a client remembers an
older, weaker key, the ssh client may refuse to connect. Remove the older
key and then make the ssh client learn the new key.
Changed sshd to use stronger Key Exchange algorithms and disabled some
older, weaker algorithms. Clients may need to be updated to handle the new
Key Exchange methods.
Currently allowed Key Exchange Algorithms:
curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Removed the ECDSA host key from the sshd configuration
Added ED25519 host key to the sshd configuration
Changed the list of available ciphers.
Current allowed ciphers:
chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
Changed the list of available Message Authentication Code methods,
Current MAC list:
hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
-------------------------

And here is a failure from the pfSense log:

-------------------------
fatal: Unable to negotiate with x.x.x.x port xxxxx: no matching key exchange
method found. Their offer:
diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
[preauth]
-------------------------

Thanks for any insight on when this might be resolved.

~Jay L.
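
The pfSense log line above fails because the client's offer and the server's allowed list have no key exchange method in common. An added example (not part of the original thread) that parses such an sshd line and applies the first-match rule to the two lists quoted in this message; the function names are illustrative and the KEX rule is simplified as noted in the comments.

```python
import re

# Server's allowed KEX list, copied from the pfSense notes quoted above.
SERVER_KEX = "curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256"

# sshd log line from the message above, with the mail line-wrapping undone.
LOG_LINE = ("fatal: Unable to negotiate with x.x.x.x port xxxxx: no matching key "
            "exchange method found. Their offer: diffie-hellman-group14-sha1,"
            "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]")

OFFER_RE = re.compile(r"no matching (?P<kind>[\w ]+?) found\. Their offer: (?P<offer>\S+)")

def parse_offer(line):
    """Return (kind, [algorithms]) from a 'no matching ... found' line, else None."""
    m = OFFER_RE.search(line)
    if m is None:
        return None
    return m.group("kind"), m.group("offer").split(",")

def negotiate(client_algs, server_algs):
    """First algorithm on the client's list that the server also lists.

    Simplified from RFC 4253 section 7.1, which adds host-key conditions for KEX.
    """
    allowed = set(server_algs)
    for alg in client_algs:          # client preference order decides
        if alg in allowed:
            return alg
    return None

def diagnose(line, server_list):
    """Explain a negotiation failure given the server's configured name-list."""
    parsed = parse_offer(line)
    if parsed is None:
        return None
    kind, offer = parsed
    server_algs = server_list.split(",")
    return {
        "kind": kind,
        "client_offer": offer,
        "agreed": negotiate(offer, server_algs),
        # Methods the client would have to support for the handshake to proceed.
        "client_lacks": [a for a in server_algs if a not in offer],
    }

if __name__ == "__main__":
    for key, value in diagnose(LOG_LINE, SERVER_KEX).items():
        print(f"{key}: {value}")
```
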





Re: ssh handshake failed latest libssh2

Posted by cchance <cc...@gmail.com>.
Pretty sure, as it was a clean Dockerfile.

Just to be sure, I swapped to ubuntu:artful, and it's got 1.8.0-1 libssh in
apt, but I'm STILL getting the same problem when I SSH to the switches: "ssh
handshake failed" every time.




Re: ssh handshake failed latest libssh2

Posted by Mike Jumper <mi...@guac-dev.org>.
On Thu, Oct 26, 2017 at 8:10 PM, cchance <cc...@gmail.com> wrote:

> OK, I read that the reason SSH was giving handshake errors was the Dockerfile
> being based on CentOS, which had an old libssh2, so I wrote my own
> Dockerfile that builds with:
>
> ENV GUACAMOLE_VERSION 0.9.13-incubating
> ENV OPENSSL_VERSION 1.1.0f
> ENV LIBSSH2_VERSION 1.8.0
>
> But STILL I'm getting "ssh handshake failed" every time I try to SSH to a
> switch; it works in PuTTY.
>
> As a note the switch seems to use diffie-hellman-group1-sha1
>
> I thought using the latest OpenSSL and libssh2 would fix the issue, but
> apparently not? Is there somewhere I need to specifically allow sha1 beyond
> just upgrading to the latest libssh2 before building guacd?
>

Are you sure that the libssh2 version from the distribution's own packages
is no longer installed?

- Mike