SchoofsKelvin / vscode-sshfs

Extension for Visual Studio Code: File system provider using SSH
GNU General Public License v3.0

Handshake failed: signature verification failed #289

Closed belleudya closed 2 years ago

belleudya commented 2 years ago

Hi

I'm trying to connect to a remote server. I had to configure kex, cipher and serverHostKey because the remote host only accepts the "diffie-hellman-group1-sha1" key exchange algorithm and I can't change it. I tried with the "sshfs.flags": ["DF-GE"] option, but it seems it doesn't take the key exchange into account and I get another error: "Handshake failed: no matching key exchange algorithm"

Is there a way to fix that?

Thanks

log without "sshfs.flags": ["DF-GE"] (with the option above)

[INFO]    Command received to open a terminal for FileSystemConfig(myserver)
[DEBUG]     Final configuration:
{
    "name": "myserver",
    "host": "myserver",
    "username": "usr",
    "debug": true,
    "algorithms": {
        "kex": [
            "diffie-hellman-group1-sha1"
        ],
        "cipher": [
            "aes128-cbc"
        ],
        "serverHostKey": [
            "ssh-dss"
        ]
    },
    "_location": 1,
    "_locations": [
        1
    ],
    "_calculated": {
        "name": "myserver",
        "host": "myserver",
        "username": "usr",
        "debug": true,
        "algorithms": {
            "kex": [
                "diffie-hellman-group1-sha1"
            ],
            "cipher": [
                "aes128-cbc"
            ],
            "serverHostKey": [
                "ssh-dss"
            ]
        },
        "_location": 1,
        "_locations": [
            1
        ]
    },
    "port": 22,
    "password": "<censored>"
}
[INFO]    [createSocket(myserver)] Creating socket
[DEBUG]   [createSocket(myserver)] Connecting to myserver:22
[DEBUG]   [ssh2(myserver)] DEBUG: Local ident: 'SSH-2.0-ssh2js0.4.10'
[DEBUG]   [ssh2(myserver)] DEBUG: Parser: IN_INIT
[DEBUG]   [ssh2(myserver)] DEBUG: Parser: IN_GREETING
[DEBUG]   [ssh2(myserver)] DEBUG: Parser: IN_HEADER
[DEBUG]   [ssh2(myserver)] DEBUG: Remote ident: 'SSH-2.0-OpenSSH_3.7'
[DEBUG]   [ssh2(myserver)] DEBUG: Outgoing: Writing KEXINIT
[DEBUG]   [ssh2(myserver)] DEBUG: Parser: IN_PACKETBEFORE (expecting 8)
[DEBUG]   [ssh2(myserver)] DEBUG: Parser: IN_PACKET
[DEBUG]   [ssh2(myserver)] DEBUG: Parser: pktLen:444,padLen:8,remainLen:440
[DEBUG]   [ssh2(myserver)] DEBUG: Parser: IN_PACKETDATA
[DEBUG]   [ssh2(myserver)] DEBUG: Parser: IN_PACKETDATAAFTER, packet: KEXINIT
[DEBUG]   [ssh2(myserver)] DEBUG: Comparing KEXINITs ...
[DEBUG]   [ssh2(myserver)] DEBUG: (local) KEX algorithms: diffie-hellman-group1-sha1
[DEBUG]   [ssh2(myserver)] DEBUG: (remote) KEX algorithms: diffie-hellman-group1-sha1
[DEBUG]   [ssh2(myserver)] DEBUG: KEX algorithm: diffie-hellman-group1-sha1
[DEBUG]   [ssh2(myserver)] DEBUG: (local) Host key formats: ssh-dss
[DEBUG]   [ssh2(myserver)] DEBUG: (remote) Host key formats: ssh-dss
[DEBUG]   [ssh2(myserver)] DEBUG: Host key format: ssh-dss
[DEBUG]   [ssh2(myserver)] DEBUG: (local) Client->Server ciphers: aes128-cbc
[DEBUG]   [ssh2(myserver)] DEBUG: (remote) Client->Server ciphers: blowfish-cbc,aes192-cbc,aes128-cbc,cast128-cbc,twofish-cbc,3des-cbc,aes256-cbc,twofish128-cbc,twofish256-cbc,twofish192-cbc
[DEBUG]   [ssh2(myserver)] DEBUG: Client->Server Cipher: aes128-cbc
[DEBUG]   [ssh2(myserver)] DEBUG: (local) Server->Client ciphers: aes128-cbc
[DEBUG]   [ssh2(myserver)] DEBUG: (remote) Server->Client ciphers: blowfish-cbc,aes192-cbc,aes128-cbc,cast128-cbc,twofish-cbc,3des-cbc,aes256-cbc,twofish128-cbc,twofish256-cbc,twofish192-cbc
[DEBUG]   [ssh2(myserver)] DEBUG: Server->Client Cipher: aes128-cbc
[DEBUG]   [ssh2(myserver)] DEBUG: (local) Client->Server HMAC algorithms: hmac-sha2-256,hmac-sha2-512,hmac-sha1
[DEBUG]   [ssh2(myserver)] DEBUG: (remote) Client->Server HMAC algorithms: hmac-md5,hmac-md5-96,hmac-sha1,hmac-sha1-96
[DEBUG]   [ssh2(myserver)] DEBUG: Client->Server HMAC algorithm: hmac-sha1
[DEBUG]   [ssh2(myserver)] DEBUG: (local) Server->Client HMAC algorithms: hmac-sha2-256,hmac-sha2-512,hmac-sha1
[DEBUG]   [ssh2(myserver)] DEBUG: (remote) Server->Client HMAC algorithms: hmac-md5,hmac-md5-96,hmac-sha1,hmac-sha1-96
[DEBUG]   [ssh2(myserver)] DEBUG: Server->Client HMAC algorithm: hmac-sha1
[DEBUG]   [ssh2(myserver)] DEBUG: (local) Client->Server compression algorithms: none,zlib@openssh.com,zlib
[DEBUG]   [ssh2(myserver)] DEBUG: (remote) Client->Server compression algorithms: none
[DEBUG]   [ssh2(myserver)] DEBUG: Client->Server compression algorithm: none
[DEBUG]   [ssh2(myserver)] DEBUG: (local) Server->Client compression algorithms: none,zlib@openssh.com,zlib
[DEBUG]   [ssh2(myserver)] DEBUG: (remote) Server->Client compression algorithms: none
[DEBUG]   [ssh2(myserver)] DEBUG: Server->Client compression algorithm: none
[DEBUG]   [ssh2(myserver)] DEBUG: Outgoing: Writing KEXDH_INIT
[DEBUG]   [ssh2(myserver)] DEBUG: Parser: IN_PACKETBEFORE (expecting 8)
[DEBUG]   [ssh2(myserver)] DEBUG: Parser: IN_PACKET
[DEBUG]   [ssh2(myserver)] DEBUG: Parser: pktLen:644,padLen:11,remainLen:640
[DEBUG]   [ssh2(myserver)] DEBUG: Parser: IN_PACKETDATA
[DEBUG]   [ssh2(myserver)] DEBUG: Parser: IN_PACKETDATAAFTER, packet: KEXDH_REPLY
[DEBUG]   [ssh2(myserver)] DEBUG: Checking host key format
[DEBUG]   [ssh2(myserver)] DEBUG: Checking signature format
[DEBUG]   [ssh2(myserver)] DEBUG: Verifying host fingerprint
[DEBUG]   [ssh2(myserver)] DEBUG: Host accepted by default (no verification)
[DEBUG]   [ssh2(myserver)] DEBUG: Verifying signature
[DEBUG]   [ssh2(myserver)] DEBUG: Signature verification failed
[DEBUG]   [ssh2(myserver)] DEBUG: Outgoing: Writing DISCONNECT (KEY_EXCHANGE_FAILED)
[ERROR]   [createSSH(myserver)] Handshake failed: signature verification failed
Logged at:
    at T.<anonymous> (c:\Users\agent\.vscode\extensions\kelvin.vscode-sshfs-1.21.2\dist\262.extension.js:1:245832)
    at T.emit (events.js:223:5)
    at fe.<anonymous> (c:\Users\agent\.vscode\extensions\kelvin.vscode-sshfs-1.21.2\dist\262.extension.js:1:208246)
    at fe.emit (events.js:228:7)
    at he (c:\Users\agent\.vscode\extensions\kelvin.vscode-sshfs-1.21.2\dist\262.extension.js:1:126318)
Reported from createSSH(myserver)

log with "sshfs.flags": ["DF-GE"]

[INFO]    Command received to open a terminal for FileSystemConfig(server)
[INFO]    [createConnection(server,config)] Creating a new connection for 'server'
[INFO]    Calculating actual config
[DEBUG]     No privateKey, agent or password. Gonna prompt for password
[DEBUG]     Final configuration:
{
    "name": "server",
    "host": "server",
    "username": "usr",
    "debug": true,
    "algorithms": {
        "kex": [
            "diffie-hellman-group1-sha1"
        ],
        "cipher": [
            "aes128-cbc"
        ],
        "serverHostKey": [
            "ssh-dss"
        ]
    },
    "_location": 1,
    "_locations": [
        1
    ],
    "_calculated": {
        "name": "server",
        "host": "server",
        "username": "usr",
        "debug": true,
        "algorithms": {
            "kex": [
                "diffie-hellman-group1-sha1"
            ],
            "cipher": [
                "aes128-cbc"
            ],
            "serverHostKey": [
                "ssh-dss"
            ]
        },
        "_location": 1,
        "_locations": [
            1
        ]
    },
    "port": 22,
    "password": "<censored>"
}
[INFO]    [createSocket(server)] Creating socket
[DEBUG]   [createSocket(server)] Connecting to server:22
[INFO]    [createSSH(server)] Flag "DF-GE" enabled due to 'Global Settings', disabling DiffieHellman kex groupex algorithms
[DEBUG]   [createSSH(server)]   Resulting algorithms.kex: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha1
[DEBUG]   [ssh2(server)] DEBUG: Local ident: 'SSH-2.0-ssh2js0.4.10'
[DEBUG]   [ssh2(server)] DEBUG: Parser: IN_INIT
[DEBUG]   [ssh2(server)] DEBUG: Parser: IN_GREETING
[DEBUG]   [ssh2(server)] DEBUG: Parser: IN_HEADER
[DEBUG]   [ssh2(server)] DEBUG: Remote ident: 'SSH-2.0-OpenSSH_3.7'
[DEBUG]   [ssh2(server)] DEBUG: Outgoing: Writing KEXINIT
[DEBUG]   [ssh2(server)] DEBUG: Parser: IN_PACKETBEFORE (expecting 8)
[DEBUG]   [ssh2(server)] DEBUG: Parser: IN_PACKET
[DEBUG]   [ssh2(server)] DEBUG: Parser: pktLen:444,padLen:8,remainLen:440
[DEBUG]   [ssh2(server)] DEBUG: Parser: IN_PACKETDATA
[DEBUG]   [ssh2(server)] DEBUG: Parser: IN_PACKETDATAAFTER, packet: KEXINIT
[DEBUG]   [ssh2(server)] DEBUG: Comparing KEXINITs ...
[DEBUG]   [ssh2(server)] DEBUG: (local) KEX algorithms: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha1
[DEBUG]   [ssh2(server)] DEBUG: (remote) KEX algorithms: diffie-hellman-group1-sha1
[DEBUG]   [ssh2(server)] DEBUG: No matching key exchange algorithm
[ERROR]   [createSSH(server)] Handshake failed: no matching key exchange algorithm
Logged at:
    at T.<anonymous> (c:\Users\agent\.vscode\extensions\kelvin.vscode-sshfs-1.21.2\dist\262.extension.js:1:245832)
    at T.emit (events.js:223:5)
    at fe.<anonymous> (c:\Users\agent\.vscode\extensions\kelvin.vscode-sshfs-1.21.2\dist\262.extension.js:1:208246)
    at fe.emit (events.js:228:7)
    at c:\Users\agent\.vscode\extensions\kelvin.vscode-sshfs-1.21.2\dist\262.extension.js:1:116091
Reported from createSSH(server)
[DEBUG]   [ssh2(server)] DEBUG: Outgoing: Writing DISCONNECT (KEY_EXCHANGE_FAILED)

SchoofsKelvin commented 2 years ago

Your first log reports it's using diffie-hellman-group1-sha1, which doesn't happen in the 2nd log since that outdated algorithm isn't enabled by default. Looking at when and where (in the code) the error happens for your 1st log (which gets past the initial key exchange algorithm part), it seems like ssh-dss is the culprit. I suggest trying out different algorithms and/or upgrading your OpenSSH version (3.7 is quite old).

Unless something is wrong with diffie-hellman-group1-sha1 itself (again, very old OpenSSH version, haven't checked any changelogs or bug reports but maybe there's a flaw in that version), you don't need to make use of the DF-GE, since it will use all the default kex algorithms without the diffie-hellman-group-exchange ones, overriding the one you specified.

hoangtocdo90 commented 2 years ago

Same issue here. Here is my setup:

Description:    CentOS release 5.6 (Final)
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
SSHFS v1.24.1 working
SSHFS v1.25.0 not working

In the default terminal, I have to add this line to my ssh config to make it work:

KexAlgorithms +diffie-hellman-group1-sha1

Maybe we should add some kind of configuration around KexAlgorithms.

SchoofsKelvin commented 2 years ago

@hoangtocdo90 This issue would be easier to solve with debug logs, so please follow these steps:

To replicate the KexAlgorithms directive, you can check this link. The SSH FS configs are stored (as JSON) in your User Settings (or similar) under the sshfs.configs key. You can add the above-linked algorithms.kex to configure which algorithms to use, for example:

"sshfs.configs": [
    {
        "name": "my-server", // also host, username, ...
        "algorithms": {
            "kex": ["diffie-hellman-group1-sha1"]
        }
    }
]
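To make the two logs above and the config snippet concrete, here is an added example (not code from the extension or from the ssh2 library it uses) that applies the RFC 4253 first-match negotiation rule to the algorithm lists copied from the logs, emulates what the DF-GE flag does to the configured kex list, and flags which of the negotiated algorithms are legacy ones. The `hmac` key name and the legacy-algorithm patterns are assumptions made for the example.

```javascript
// RFC 4253 section 7.1: the chosen algorithm is the first entry on the client's
// list that the server also offers; null means the handshake cannot proceed.
function negotiate(clientList, serverList) {
  const server = new Set(serverList);
  const found = clientList.find((alg) => server.has(alg));
  return found === undefined ? null : found;
}

// Emulation of the DF-GE flag as described in the second log: the user's kex
// list is replaced by the defaults minus the diffie-hellman-group-exchange ones.
// List copied from the "Resulting algorithms.kex" log line.
const DEFAULT_KEX_WITHOUT_GEX = [
  'ecdh-sha2-nistp256', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp521',
  'diffie-hellman-group14-sha256', 'diffie-hellman-group16-sha512',
  'diffie-hellman-group18-sha512', 'diffie-hellman-group14-sha1',
];
function applyDfGe(algorithms) {
  return { ...algorithms, kex: DEFAULT_KEX_WITHOUT_GEX };
}

// Server (OpenSSH 3.7) lists copied from the KEXINIT in the first log.
const REMOTE = {
  kex: ['diffie-hellman-group1-sha1'],
  serverHostKey: ['ssh-dss'],
  cipher: ['blowfish-cbc', 'aes192-cbc', 'aes128-cbc', 'cast128-cbc', 'twofish-cbc',
    '3des-cbc', 'aes256-cbc', 'twofish128-cbc', 'twofish256-cbc', 'twofish192-cbc'],
  hmac: ['hmac-md5', 'hmac-md5-96', 'hmac-sha1', 'hmac-sha1-96'],
};
// Client lists: the user's "algorithms" config plus the HMAC defaults seen in the log.
const LOCAL = {
  kex: ['diffie-hellman-group1-sha1'],
  serverHostKey: ['ssh-dss'],
  cipher: ['aes128-cbc'],
  hmac: ['hmac-sha2-256', 'hmac-sha2-512', 'hmac-sha1'],
};

// Negotiate every category; a null in the result is where the handshake stops.
function negotiateAll(local, remote) {
  const out = {};
  for (const key of Object.keys(local)) out[key] = negotiate(local[key], remote[key]);
  return out;
}

// Assumed patterns for algorithms OpenSSH no longer enables by default: group1 and
// SHA-1 kex, DSA host keys, CBC ciphers, MD5 MACs. Returns "category=algorithm".
const LEGACY = [/group1/, /sha1$/, /^ssh-dss$/, /-cbc$/, /md5/];
function legacyAlgorithms(negotiated) {
  return Object.entries(negotiated)
    .filter(([, alg]) => alg !== null && LEGACY.some((re) => re.test(alg)))
    .map(([key, alg]) => `${key}=${alg}`);
}

console.log('user config:', negotiateAll(LOCAL, REMOTE));
console.log('with DF-GE :', negotiateAll(applyDfGe(LOCAL), REMOTE));
console.log('legacy     :', legacyAlgorithms(negotiateAll(LOCAL, REMOTE)));
```

With the user's config every category negotiates (and every negotiated algorithm is flagged as legacy, which is why the failure in the first log only shows up later, at signature verification); with DF-GE the kex category comes back null, matching the second log.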

hoangtocdo90 commented 2 years ago

@SchoofsKelvin

"kex": ["diffie-hellman-group1-sha1"]

It works. Thanks a lot.