StanfordSNR / guardian-agent

[beta] Guardian Agent: secure ssh-agent forwarding for Mosh and SSH
BSD 3-Clause "New" or "Revised" License
438 stars 30 forks

kex: host key algorithm: (no match) [preauth] #12

Closed MikeSchroll closed 6 years ago

MikeSchroll commented 6 years ago

I have sga-guard setup and running:

Connecting to jumphost to set up forwarding...
Forwarding to jumphost setup successfully. Waiting for incoming requests...
Request by jumphost to run '' on user@final-destination-host:my-nonstandard-port AUTO-APPROVED by policy

I can mosh to jumphost just fine.

Once on jumphost, I can ssh to servers just fine.

If I try to sga-ssh to a server, I get this:

sga-ssh final-destination-host -p my-nonstandard-port
failed to connect to final-destination-host:my-nonstandard-port: ssh: handshake failed: EOF

Debug output shows:

2017/12/23 09:12:05 handshake.go:355: kex loop
2017/12/23 09:12:05 handshake.go:360: kex inner loop
2017/12/23 09:12:05 handshake.go:370: select exit: <-requestKex
2017/12/23 09:12:05 handshake.go:393: !sent: sending kexInit
2017/12/23 09:12:05 handshake.go:360: kex inner loop
2017/12/23 09:12:05 handshake.go:368: select exit: <-t.startKex
2017/12/23 09:12:05 handshake.go:416: entering keyexchange
2017/12/23 09:12:05 common.go:139: host key algorithms: server: [none], client: [none]
2017/12/23 09:12:05 delegated_client.go:582: KexCallback called
2017/12/23 09:12:05 handshake.go:355: kex loop
2017/12/23 09:12:05 handshake.go:360: kex inner loop
2017/12/23 09:12:05 delegated_client.go:539: Finished copying transport data to agent
2017/12/23 09:12:05 delegated_client.go:554: Finished copying transport data from agent
2017/12/23 09:12:05 delegated_client.go:492: Finished copying ssh data from agent: %!s(<nil>)
2017/12/23 09:12:05 delegated_client.go:476: Error copying outgoing SSH data: io: read/write on closed pipe
2017/12/23 09:12:05 handshake.go:365: select exit: <-t.startKex NOT OK
2017/12/23 09:12:05 sga-ssh.go:146: sga-ssh: Failed to run  on my-final-destination-host: failed to connect to final-destination-host:my-nonstandard-port: ssh: handshake failed: EOF
failed to connect to final-destination-host:my-nonstandard-port: ssh: handshake failed: EOF

And debug server-side on final-destination-host shows:

Dec 23 06:16:03 final-destination-shorthost sshd[23528]: Connection from jumphost-ip port 53272 on final-destination-host-ip port my-nonstandard-port
Dec 23 06:16:03 final-destination-shorthost sshd[23528]: debug1: Client protocol version 2.0; client software version Go
Dec 23 06:16:03 final-destination-shorthost sshd[23528]: debug1: no match: Go
Dec 23 06:16:03 final-destination-shorthost sshd[23528]: debug1: Enabling compatibility mode for protocol 2.0
Dec 23 06:16:03 final-destination-shorthost sshd[23528]: debug1: Local version string SSH-2.0-OpenSSH_7.2p2
Dec 23 06:16:03 final-destination-shorthost sshd[23528]: debug1: permanently_set_uid: 110/65534 [preauth]
Dec 23 06:16:03 final-destination-shorthost sshd[23528]: debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Dec 23 06:16:03 final-destination-shorthost sshd[23528]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Dec 23 06:16:03 final-destination-shorthost sshd[23528]: debug1: SSH2_MSG_KEXINIT received [preauth]
Dec 23 06:16:03 final-destination-shorthost sshd[23528]: debug1: kex: algorithm: curve25519-sha256@libssh.org [preauth]
Dec 23 06:16:03 final-destination-shorthost sshd[23528]: debug1: kex: host key algorithm: (no match) [preauth]
Dec 23 06:16:03 final-destination-shorthost sshd[23528]: fatal: Unable to negotiate with jumphost port 53272: no matching host key type found. Their offer:  [preauth]
Dec 23 06:16:03 final-destination-shorthost sshd[23528]: debug1: do_cleanup [preauth]
Dec 23 06:16:03 final-destination-shorthost sshd[23528]: debug1: monitor_read_log: child log fd closed
Dec 23 06:16:03 final-destination-shorthost sshd[23528]: debug1: do_cleanup
Dec 23 06:16:03 final-destination-shorthost sshd[23528]: debug1: Killing privsep child 23529
Dec 23 06:16:03 final-destination-shorthost sshd[23528]: debug1: audit_event: unhandled event 12

I tried removing my entry from .ssh/known_hosts on jumphost. No change. I should note that my SSH key is ed25519 I just changed to an RSA key. No change.

dimakogan commented 6 years ago

Thanks for reporting this. Could you please share the debug information of sga-guard (which runs locally) as well (by running it with --debug and --log=<LOG-FILE> similarly to sga-ssh)?

MikeSchroll commented 6 years ago

Thanks @dimakogan. Here's what sga-guard shows between a fresh startup and on the jumphost running sga-ssh final-destination-host --debug -p my-nonstandard-port

sga-guard jumphost --debug
Connecting to jumphost to set up forwarding...
2017/12/23 14:46:33 sshfwd.go:90: Listening on: /var/folders/fx/3clzcw097w3bx7j08b1z_msm0000gn/T/618344141/.guard.22946
Forwarding to jumphost setup successfully. Waiting for incoming requests...
2017/12/23 14:47:20 agent.go:93: New incoming connection
Request by jumphost to run '' on user@final-destination-host:my-nonstandard-port AUTO-APPROVED by policy
2017/12/23 14:47:21 proxy.go:42: Read version: "SSH-2.0-OpenSSH_7.2p2" from server
2017/12/23 14:47:21 proxy.go:50: Read version: "SSH-2.0-Go" from client
2017/12/23 14:47:21 handshake.go:355: kex loop
2017/12/23 14:47:21 handshake.go:360: kex inner loop
2017/12/23 14:47:21 handshake.go:355: kex loop
2017/12/23 14:47:21 handshake.go:370: select exit: <-requestKex
2017/12/23 14:47:21 handshake.go:393: !sent: sending kexInit
2017/12/23 14:47:21 handshake.go:360: kex inner loop
2017/12/23 14:47:21 handshake.go:370: select exit: <-requestKex
2017/12/23 14:47:21 handshake.go:393: !sent: sending kexInit
2017/12/23 14:47:21 handshake.go:360: kex inner loop
2017/12/23 14:47:21 handshake.go:360: kex inner loop
2017/12/23 14:47:21 handshake.go:368: select exit: <-t.startKex
2017/12/23 14:47:21 handshake.go:416: entering keyexchange
2017/12/23 14:47:21 common.go:139: host key algorithms: server: [none], client: [none]
2017/12/23 14:47:21 handshake.go:355: kex loop
2017/12/23 14:47:21 handshake.go:360: kex inner loop
2017/12/23 14:47:21 handshake.go:368: select exit: <-t.startKex
2017/12/23 14:47:21 handshake.go:416: entering keyexchange
2017/12/23 14:47:21 common.go:139: host key algorithms: server: [ssh-rsa rsa-sha2-512 rsa-sha2-256 ecdsa-sha2-nistp256 ssh-ed25519], client: []
2017/12/23 14:47:21 handshake.go:365: select exit: <-t.startKex NOT OK
2017/12/23 14:47:21 sshfwd.go:167: Finished copying from client to real agent.

dimakogan commented 6 years ago

I suspect there might be some error parsing the known_hosts file on your local machine. I've created a small fix to check my guess. May I ask you to run the patched version, either by building from HEAD or by using the prebuilt executables below? Most likely you only need to update the local sga-guard.

sga_darwin_amd64.tar.gz sga_linux_amd64.tar.gz

MikeSchroll commented 6 years ago

No change in behavior or output from the new binary -- but I did rename my known_hosts file; and you were correct -- everything works now!

I share my .ssh config across machines via Dropbox, and it appears one of them is doing hostname hashing and one is not; there were also some blank lines in the file. I'll figure out what is corrupting my file and get my configs sync'd there.

Thanks for your help!
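The log line `host key algorithms: server: [ssh-rsa ...], client: []` above is what a client produces when it derives its host-key offer from known_hosts and the file fails to parse, so sshd sees an empty offer and aborts the key exchange. The following is an added example (not guardian-agent code) of a lookup that tolerates the file shape the reporter describes, plain and hashed entries for the same host mixed with blank lines; the host names, port 2222 and key blobs are constructed placeholders.

```python
import base64
import hashlib
import hmac


def hash_hostname(host: str, salt: bytes) -> str:
    """Build the '|1|salt|hmac' field that `ssh-keygen -H` writes for a host."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def _host_matches(pattern_field: str, host: str) -> bool:
    """True if `host` ('jumphost' or '[host]:2222') matches a plain or hashed pattern."""
    for pat in pattern_field.split(","):
        if pat.startswith("|1|"):
            parts = pat.split("|")  # ['', '1', salt_b64, hmac_b64]
            if len(parts) != 4:
                continue  # malformed hash entry: skip it, do not abort the lookup
            salt = base64.b64decode(parts[2])
            digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(digest, base64.b64decode(parts[3])):
                return True
        elif pat == host:
            return True
    return False


def known_host_key_algorithms(known_hosts_text: str, host: str) -> list:
    """Key types recorded for `host`, in file order: the list a client can offer as
    host-key algorithms.  Blank lines, comments, marker lines (@revoked,
    @cert-authority) and short lines are skipped so one bad line cannot empty it."""
    algos = []
    for raw in known_hosts_text.splitlines():
        fields = raw.split()
        if len(fields) < 3 or fields[0][0] in "#@":
            continue
        if _host_matches(fields[0], host) and fields[1] not in algos:
            algos.append(fields[1])
    return algos


# Constructed sample in the shape the reporter describes: plain and hashed entries
# for the same host, plus blank lines.  Port and key blobs are placeholders.
SAMPLE_SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# comment", "",
    "jumphost ssh-ed25519 AAAAC3PLACEHOLDER",
    "[final-destination-host]:2222 ssh-rsa AAAAB3PLACEHOLDER",
    "   ",
    hash_hostname("[final-destination-host]:2222", SAMPLE_SALT) + " ssh-ed25519 AAAAC3PLACEHOLDER",
    "@revoked jumphost ssh-rsa AAAAB3OLDPLACEHOLDER",
    "short-line",
])
```

Against a real file, `ssh-keygen -F '[host]:port' -f ~/.ssh/known_hosts` performs the same lookup and is the quickest way to confirm which entries OpenSSH itself can still read.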

dimakogan commented 6 years ago

I'm glad it helped. If you happen to narrow down the problem with your known_hosts file to a particular line, it would be great if you could share the offending line (so I could make our code more robust).

MikeSchroll commented 6 years ago

Closing for now. I'll re-open if there's more info.