Suddenly can't connect (VSC or SSHFS upgrade?)

"Error while connecting to SSH FS slynux: Handshake failed: no matching key exchange algorithm"

This wasn't an issue just recently, and I don't think anything changed on the server-side.

(192.168.1.11 = "slynux")

❯ nmap --script ssh2-enum-algos -sV -p 22 192.168.1.11 -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-19 12:37 PST
Nmap scan report for 192.168.1.11
Host is up (0.00062s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4 (protocol 2.0)
| ssh2-enum-algos: 
|   kex_algorithms: (3)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       diffie-hellman-group-exchange-sha256
|   server_host_key_algorithms: (4)
|       rsa-sha2-512
|       rsa-sha2-256
|       ssh-rsa
|       ssh-ed25519
|   encryption_algorithms: (6)
|       chacha20-poly1305@openssh.com
|       aes256-gcm@openssh.com
|       aes128-gcm@openssh.com
|       aes256-ctr
|       aes192-ctr
|       aes128-ctr
|   mac_algorithms: (6)
|       hmac-sha2-512-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha2-512
|       hmac-sha2-256
|       umac-128@openssh.com
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.64 seconds

[INFO]    [createSocket(slynux)] Creating socket
[DEBUG]   [createSocket(slynux)] Connecting to 192.168.1.11:22
[INFO]    [createSSH(slynux)] Flag "DF-GE" not specified, disabling DiffieHellman kex groupex algorithms
[DEBUG]   [createSSH(slynux)]   Resulting algorithms.kex: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha1
[ERROR]   [createSSH(slynux)] Handshake failed: no matching key exchange algorithm
Logged at:
    at T.<anonymous> (/home/cole/.vscode-oss/extensions/kelvin.vscode-sshfs-1.19.3/dist/2.extension.js:1:6494)
    at T.emit (events.js:223:5)
    at ae.<anonymous> (/home/cole/.vscode-oss/extensions/kelvin.vscode-sshfs-1.19.3/dist/0.extension.js:1:21144)
    at ae.emit (events.js:228:7)
    at /home/cole/.vscode-oss/extensions/kelvin.vscode-sshfs-1.19.3/dist/0.extension.js:1:183819
Reported from createSSH(slynux)
[ERROR]   Error while connecting to SSH FS slynux:
Handshake failed: no matching key exchange algorithm
Logged at:
    at /home/cole/.vscode-oss/extensions/kelvin.vscode-sshfs-1.19.3/dist/extension.js:1:29569
    at processTicksAndRejections (internal/process/task_queues.js:94:5)
[ERROR]   Handshake failed: no matching key exchange algorithm
JSON: {"level":"handshake"}
Error: Handshake failed: no matching key exchange algorithm
    at /home/cole/.vscode-oss/extensions/kelvin.vscode-sshfs-1.19.3/dist/0.extension.js:1:183732
    at o (/home/cole/.vscode-oss/extensions/kelvin.vscode-sshfs-1.19.3/dist/0.extension.js:1:188132)
    at /home/cole/.vscode-oss/extensions/kelvin.vscode-sshfs-1.19.3/dist/0.extension.js:1:183156
    at ae.<anonymous> (/home/cole/.vscode-oss/extensions/kelvin.vscode-sshfs-1.19.3/dist/0.extension.js:1:188362)
    at ae.emit (events.js:223:5)
    at /home/cole/.vscode-oss/extensions/kelvin.vscode-sshfs-1.19.3/dist/0.extension.js:1:205969
    at ce (/home/cole/.vscode-oss/extensions/kelvin.vscode-sshfs-1.19.3/dist/0.extension.js:1:205989)
    at ae._transform (/home/cole/.vscode-oss/extensions/kelvin.vscode-sshfs-1.19.3/dist/0.extension.js:1:222199)
    at ae.Transform._read (_stream_transform.js:189:10)
Logged at:
    at /home/cole/.vscode-oss/extensions/kelvin.vscode-sshfs-1.19.3/dist/extension.js:1:29635
    at processTicksAndRejections (internal/process/task_queues.js:94:5)

(I am filing this instead of #239 since #239 mentions a fix applied, and I'm already running 1.19.3 and experiencing this issue.)

It might actually be the fix for #239 that's causing this issue. That fix consists of disabling all key exchange algorithms that include diffie-hellman-group-exchange in their name. The client still supports several other algorithms by default, while the server should also support different ones.

What's the server OS you're trying to connect to? If you add "debug": true to your SSH FS config (in your settings.json), the log will show some more information, including which key exchange algorithms the server reported as available.

From your first message, it appears your server supports the following:

curve25519-sha256
curve25519-sha256@libssh.org
diffie-hellman-group-exchange-sha256

While the client uses these by default:

ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
diffie-hellman-group-exchange-sha256
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group14-sha1

Since diffie-hellman-group-exchange-sha256 got disabled by #239, that explains why it suddenly started happening.

Two quick solutions:

Add "sshfs.flags": ["DF-GE"] to your settings.json to stop the extension from removing the DH exchange. While this should crash in VS Code 1.53.0 and later, maybe you're lucky and VSCode OSS is unaffected
Configure your remote server to make one of the other group exchange algorithms available. You can see here that there are some other algorithms available that aren't enabled by default (diffie-hellman-group1-sha1 and diffie-hellman-group14-sha1, both less secure and not even enabled on your server right now). Activate by adding e.g. "algorithms": { "kex": ["diffie-hellman-group14-sha1"] }" to your SSH FS config in your settings.json.

The first solution might be all you need, assuming VSCode OSS didn't update to Electron v11 (yet?). Otherwise, OpenSSH 8.4 supports several kex algorithms, so enabling some more should be quite easy.

@SchoofsKelvin all of my machines run NixOS. If you squint at this file, you can sort of see how it's configured: https://github.com/NixOS/nixpkgs/blob/8005587c64054d62a4564c9f4ede1083885f58b9/nixos/modules/services/networking/ssh/sshd.nix#L269-L327

Alternatively, here's the relevant bit of sshd_config from the target machine:


KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

And here's the debug log:

[INFO]    [createConnection(slynux,config)] Creating a new connection for 'slynux'
[INFO]    Calculating actual config
[DEBUG]     Final configuration:
{
    "name": "slynux",
    "host": "192.168.1.11",
    "root": "/home/cole/",
    "agent": "/run/user/1000/sshagent",
    "username": "cole",
    "debug": true,
    "_location": 1,
    "_locations": [
        1
    ],
    "_calculated": {
        "name": "slynux",
        "host": "192.168.1.11",
        "root": "/home/cole/",
        "agent": "/run/user/1000/sshagent",
        "username": "cole",
        "debug": true,
        "_location": 1,
        "_locations": [
            1
        ]
    }
}
[INFO]    [createSocket(slynux)] Creating socket
[DEBUG]   [createSocket(slynux)] Connecting to 192.168.1.11:22
[INFO]    [createSSH(slynux)] Flag "DF-GE" not specified, disabling DiffieHellman kex groupex algorithms
[DEBUG]   [createSSH(slynux)]   Resulting algorithms.kex: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha1
[DEBUG]   [ssh2(slynux)] DEBUG: Local ident: 'SSH-2.0-ssh2js0.4.10'
[DEBUG]   [ssh2(slynux)] DEBUG: Parser: IN_INIT
[DEBUG]   [ssh2(slynux)] DEBUG: Parser: IN_GREETING
[DEBUG]   [ssh2(slynux)] DEBUG: Parser: IN_HEADER
[DEBUG]   [ssh2(slynux)] DEBUG: Remote ident: 'SSH-2.0-OpenSSH_8.4'
[DEBUG]   [ssh2(slynux)] DEBUG: Outgoing: Writing KEXINIT
[DEBUG]   [ssh2(slynux)] DEBUG: Parser: IN_PACKETBEFORE (expecting 8)
[DEBUG]   [ssh2(slynux)] DEBUG: Parser: IN_PACKET
[DEBUG]   [ssh2(slynux)] DEBUG: Parser: pktLen:724,padLen:9,remainLen:720
[DEBUG]   [ssh2(slynux)] DEBUG: Parser: IN_PACKETDATA
[DEBUG]   [ssh2(slynux)] DEBUG: Parser: IN_PACKETDATAAFTER, packet: KEXINIT
[DEBUG]   [ssh2(slynux)] DEBUG: Comparing KEXINITs ...
[DEBUG]   [ssh2(slynux)] DEBUG: (local) KEX algorithms: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha1
[DEBUG]   [ssh2(slynux)] DEBUG: (remote) KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
[DEBUG]   [ssh2(slynux)] DEBUG: No matching key exchange algorithm
[ERROR]   [createSSH(slynux)] Handshake failed: no matching key exchange algorithm
Logged at:
    at T.<anonymous> (/home/cole/.vscode-oss/extensions/kelvin.vscode-sshfs-1.19.3/dist/2.extension.js:1:6494)
    at T.emit (events.js:223:5)
    at ae.<anonymous> (/home/cole/.vscode-oss/extensions/kelvin.vscode-sshfs-1.19.3/dist/0.extension.js:1:21144)
    at ae.emit (events.js:228:7)
    at /home/cole/.vscode-oss/extensions/kelvin.vscode-sshfs-1.19.3/dist/0.extension.js:1:183819
Reported from createSSH(slynux)
[DEBUG]   [ssh2(slynux)] DEBUG: Outgoing: Writing DISCONNECT (KEY_EXCHANGE_FAILED)
[ERROR]   Error while connecting to SSH FS slynux:
Handshake failed: no matching key exchange algorithm
Logged at:
    at /home/cole/.vscode-oss/extensions/kelvin.vscode-sshfs-1.19.3/dist/extension.js:1:29569
    at processTicksAndRejections (internal/process/task_queues.js:94:5)
[ERROR]   Handshake failed: no matching key exchange algorithm
JSON: {"level":"handshake"}
Error: Handshake failed: no matching key exchange algorithm
    at /home/cole/.vscode-oss/extensions/kelvin.vscode-sshfs-1.19.3/dist/0.extension.js:1:183732
    at o (/home/cole/.vscode-oss/extensions/kelvin.vscode-sshfs-1.19.3/dist/0.extension.js:1:188132)
    at /home/cole/.vscode-oss/extensions/kelvin.vscode-sshfs-1.19.3/dist/0.extension.js:1:183156
    at ae.<anonymous> (/home/cole/.vscode-oss/extensions/kelvin.vscode-sshfs-1.19.3/dist/0.extension.js:1:188362)
    at ae.emit (events.js:223:5)
    at /home/cole/.vscode-oss/extensions/kelvin.vscode-sshfs-1.19.3/dist/0.extension.js:1:205969
    at ce (/home/cole/.vscode-oss/extensions/kelvin.vscode-sshfs-1.19.3/dist/0.extension.js:1:205989)
    at ae._transform (/home/cole/.vscode-oss/extensions/kelvin.vscode-sshfs-1.19.3/dist/0.extension.js:1:222199)
    at ae.Transform._read (_stream_transform.js:189:10)
Logged at:
    at /home/cole/.vscode-oss/extensions/kelvin.vscode-sshfs-1.19.3/dist/extension.js:1:29635
    at processTicksAndRejections (internal/process/task_queues.js:94:5)

I'll try the suggested workarounds and report back. Thanks for SSH-FS and the fast reply @SchoofsKelvin !

The "DF-GE" workaround, works. But it looks like this is because NixOS is behind. I'm only running 1.52.1. I'll have a go at updating and again report back. Though, I may wind up staying on this version of Codium until the Electron updates all cascade up.

Thanks again for the detailed explanation.

The best is of course enabling one of the other supported (and secure) algorithms on your server. Then updating to 1.53.0 (and removing the DF-GE flag) should be fine.

SchoofsKelvin / vscode-sshfs

Suddenly can't connect (VSC or SSHFS upgrade?) #240