fieldrndservices / libssh2-labview

A LabVIEW library for SSH client support via libssh2
Apache License 2.0

Key exchange error with connect.vi in VIPM version 1.2.4.32 with NI RT Linux 2024 #65

Open temin4u opened 3 months ago

temin4u commented 3 months ago

Error -8111 occurred at Field_RnD_Services_LIBSSH2_Toolkit.lvlib:Session.lvclass:Connect.vi

Possible reason(s):

[Key Exchange Failure Error]

If the client is executed from a Windows target, there are no issues. The error occurs only from the RT Linux target.

Ashwin-Saravanan-lennox commented 3 months ago

new IPK file with lv2024Q1.zip

I had tried with the new IPK binaries; this issue still exists.

temin4u commented 3 months ago

Please find below the debug log in which the SSH client (Linux native) from the PXI running the latest RT Linux image with openssh version 8.9 is able to communicate with our device of interest running openssh version 8.2. Does the libssh2 lib have any dependency on the native openssh for accessing KEX algorithms?

I tried changing the /etc/ssh/ssh_config to use a different protocol suite, but our libssh2lv lib is still throwing a key exchange error with the connect API, even after installing the latest SO built by my colleague in the above post. I'm assuming that libssh2 does not have any dependency on the native Linux openssh 8.9. Can you share your inputs on the same, please?

    admin@ATE-RES-005:~# ssh root@10.1.165.22 -v
    OpenSSH_8.9p1, OpenSSL 3.0.12 24 Oct 2023
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 20: Applying options for
    debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
    debug1: Connecting to 10.1.165.22 [10.1.165.22] port 22.
    debug1: Connection established.
    debug1: identity file /home/admin/.ssh/identity type -1
    debug1: identity file /home/admin/.ssh/identity-cert type -1
    debug1: identity file /home/admin/.ssh/id_rsa type -1
    debug1: identity file /home/admin/.ssh/id_rsa-cert type -1
    debug1: identity file /home/admin/.ssh/id_dsa type -1
    debug1: identity file /home/admin/.ssh/id_dsa-cert type -1
    debug1: identity file /home/admin/.ssh/id_ecdsa type -1
    debug1: identity file /home/admin/.ssh/id_ecdsa-cert type -1
    debug1: identity file /home/admin/.ssh/id_ed25519 type -1
    debug1: identity file /home/admin/.ssh/id_ed25519-cert type -1
    debug1: Local version string SSH-2.0-OpenSSH_8.9
    debug1: Remote protocol version 2.0, remote software version OpenSSH_8.2
    debug1: compat_banner: match: OpenSSH_8.2 pat OpenSSH compat 0x04000000
    debug1: Authenticating to 10.1.165.22:22 as 'root'
    debug1: load_hostkeys: fopen /home/admin/.ssh/known_hosts2: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: algorithm: curve25519-sha256
    debug1: kex: host key algorithm: ssh-ed25519
    debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: compression: none
    debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: compression: none
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: SSH2_MSG_KEX_ECDH_REPLY received
    debug1: Server host key: ssh-ed25519 SHA256:NcovJB+q25Ij1ywxjRZzaAv3fe05Cvl9IT6EzwHBMJA
    debug1: load_hostkeys: fopen /home/admin/.ssh/known_hosts2: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
    debug1: Host '10.1.165.22' is known and matches the ED25519 host key.
    debug1: Found key in /home/admin/.ssh/known_hosts:1
    debug1: rekey out after 134217728 blocks
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: rekey in after 134217728 blocks
    debug1: Will attempt key: /home/admin/.ssh/identity
    debug1: Will attempt key: /home/admin/.ssh/id_rsa
    debug1: Will attempt key: /home/admin/.ssh/id_dsa
    debug1: Will attempt key: /home/admin/.ssh/id_ecdsa
    debug1: Will attempt key: /home/admin/.ssh/id_ed25519
    debug1: SSH2_MSG_EXT_INFO received
    debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com>
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,password
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/admin/.ssh/identity
    debug1: Trying private key: /home/admin/.ssh/id_rsa
    debug1: Trying private key: /home/admin/.ssh/id_dsa
    debug1: Trying private key: /home/admin/.ssh/id_ecdsa
    debug1: Trying private key: /home/admin/.ssh/id_ed25519
    debug1: Next authentication method: password
    root@10.1.165.22's password:
    Authenticated to 10.1.165.22 ([10.1.165.22]:22) using "password".
    debug1: channel 0: new [client-session]
    debug1: Requesting no-more-sessions@openssh.com
    debug1: Entering interactive session.
    debug1: pledge: exec
    debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
    debug1: client_input_hostkeys: searching /home/admin/.ssh/known_hosts for 10.1.165.22 / (none)
    debug1: client_input_hostkeys: searching /home/admin/.ssh/known_hosts2 for 10.1.165.22 / (none)
    debug1: client_input_hostkeys: hostkeys file /home/admin/.ssh/known_hosts2 does not exist
    debug1: X11 forwarding requested but DISPLAY not set
    debug1: client_global_hostkeys_private_confirm: server used untrusted RSA signature algorithm ssh-rsa for key 0, disregarding
    debug1: update_known_hosts: known hosts file /home/admin/.ssh/known_hosts2 does not exist

volks73 commented 3 months ago

My guess is that it is different versions of OpenSSL. The libssh2lv C library that must be built and installed on the NI Linux RT target uses OpenSSL v3.0.1 and LibSSH2 v1.10.0. A newer version of OpenSSL is probably needed.

When building libssh2lv from source, the build will automatically download the OpenSSL v3.0.1 and LIBSSH2 v1.10.0 code and build these dependencies.

https://github.com/fieldrndservices/libssh2lv/blob/37e70513fa7aecf670eb15511726b10b534da1c4/CMakeLists.txt#L24

and

https://github.com/fieldrndservices/libssh2lv/blob/37e70513fa7aecf670eb15511726b10b534da1c4/CMakeLists.txt#L60

I do not have access to a LabVIEW 2023 or newer NI Linux RT machine or environment, so I have no idea which version of OpenSSL is installed/shipped with newer versions of LabVIEW.

There can be incompatibilities between LIBSSH2 and OpenSSL versions, so the libssh2lv build downloads and uses its own versions that are known to work together. You can try a couple of options:

  1. Disable building dependencies for libssh2lv and use the system libraries.

    mkdir build && cd build
    cmake -DBUILD_DEPS=OFF ..
    cmake --build .

    If you have built the libssh2 library from source and separately on a NI Linux RT machine. If the NI Linux RT machine has access to the Internet, then another option might be easier.

  2. Bump the versions of LIBSSH2 and OpenSSL in the CMakeLists.txt file. This must be completed on a NI Linux RT machine with Internet access. The following steps assume you have logged into the NI Linux RT machine via SSH and have a terminal available.

    1. Clone the libssh2lv project:

      git clone https://github.com/fieldrndservices/libssh2lv && cd libssh2lv

    2. Create a branch.

      git checkout -b feature-bump-deps

    3. Open the CMakeLists.txt file in a text editor, like nano or vim, and modify Line 65 to be:

      GIT_TAG openssl-3.2.1

      and Line 83 to be:

      GIT_TAG libssh2-1.11.0

    4. Save changes and run build. Note, we do want to use the dependencies and defaults now.

      mkdir build && cd build
      cmake ..
      cmake --build .

For both options, you may want to build and run the tests for the libssh2lv project. This will at least ensure the libssh2lv build was successful and eliminate a build error ultimately causing the issue.

The LabVIEW toolkit needs the libssh2lv, which is dependent on libssh2, which is dependent on OpenSSL. Any key exchange and cypher-related stuff is handed off to the OpenSSL shared library down this dependency chain. If a key or algorithm is not working/supported/allowed, it is usually because the OpenSSL library does not support it.
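One way to narrow down a key exchange failure like the one in this thread is to compare the two sides' algorithm proposals category by category, since SSH (RFC 4253, section 7.1) picks the first client algorithm the server also lists and fails when a category has no overlap. The following is an added example, not code from libssh2lv or from any commenter; the function name and all three proposal lists are constructed for illustration and were not captured from the devices discussed here.

```python
# Added example: SSH algorithm negotiation as described in RFC 4253, section 7.1.
# Simplified: one cipher/MAC list per side instead of one per direction.
CATEGORIES = ("kex", "host_key", "cipher", "mac")

# AEAD ciphers authenticate packets themselves, so the MAC lists are ignored.
AEAD = {"chacha20-poly1305@openssh.com",
        "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"}


def negotiate(client, server):
    """Return (chosen, failed): the algorithm picked per category and the
    categories in which the two proposals have nothing in common."""
    chosen, failed = {}, []
    for cat in CATEGORIES:
        if cat == "mac" and chosen.get("cipher") in AEAD:
            chosen[cat] = "<implicit>"
            continue
        offered = set(server[cat])
        # The first entry on the client's list that the server also offers wins.
        match = next((alg for alg in client[cat] if alg in offered), None)
        if match is None:
            failed.append(cat)
        else:
            chosen[cat] = match
    return chosen, failed


# Constructed proposals (assumptions, not read from any real build or device).
SERVER = {
    "kex": ["curve25519-sha256", "curve25519-sha256@libssh.org"],
    "host_key": ["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256"],
    "cipher": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes128-ctr"],
    "mac": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
}
MODERN_CLIENT = {
    "kex": ["curve25519-sha256"], "host_key": ["ssh-ed25519"],
    "cipher": ["chacha20-poly1305@openssh.com"], "mac": ["hmac-sha2-256"],
}
# Hypothetical client whose crypto backend only provides older algorithms.
LIMITED_CLIENT = {
    "kex": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "host_key": ["ssh-rsa"], "cipher": ["aes128-ctr", "aes128-cbc"], "mac": ["hmac-sha1"],
}

if __name__ == "__main__":
    for name, client in (("modern", MODERN_CLIENT), ("limited", LIMITED_CLIENT)):
        chosen, failed = negotiate(client, SERVER)
        status = "no common algorithm for: " + ", ".join(failed) if failed else "ok"
        print(f"{name}: {status} {chosen}")
```

To use it on a real pair, replace the lists with each side's actual proposals, for example the ones `ssh -vv` prints for the server and the ones the client library reports for its own build.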

Ashwin-Saravanan-lennox commented 3 months ago

I'm facing this issue:

build error log.txt

    Can't locate FindBin.pm in @INC (you may need to install the FindBin module) (@INC contains: /usr/lib/perl5/site_perl/5.34.1/x86_64-linux /usr/lib/perl5/site_perl/5.34.1 /usr/lib/perl5/vendor_perl/5.34.1/x86_64-linux /usr/lib/perl5/vendor_perl/5.34.1 /usr/lib/perl5/5.34.1/x86_64-linux /usr/lib/perl5/5.34.1) at /home/root/libssh2lv/.deps/openssl/src/openssl/Configure line 15.
    BEGIN failed--compilation aborted at /home/root/libssh2lv/.deps/openssl/src/openssl/Configure line 15.
    make[2]: [CMakeFiles/openssl.dir/build.make:92: ../.deps/openssl/src/openssl-stamp/openssl-configure] Error 2
    make[1]: [CMakeFiles/Makefile2:102: CMakeFiles/openssl.dir/all] Error 2
    make: *** [Makefile:91: all] Error 2

Could you please provide a cmake rule to build the .ipk file as well for NI RT Linux?

Ashwin-Saravanan-lennox commented 3 months ago

After installing all the Perl dependencies, I am facing this issue:

    admin@ATE-RES-005:~/libssh2lv/build# cmake --build .
    [ 3%] Performing build step for 'openssl'
    /usr/lib/gcc/x86_64-nilrt-linux/11.4.0/../../../../x86_64-nilrt-linux/bin/ld:providers/legacy.ld:0: syntax error in VERSION script
    collect2: error: ld returned 1 exit status
    make[4]: [Makefile:13371: providers/legacy.so] Error 1
    make[3]: [Makefile:2297: build_sw] Error 2
    make[2]: [CMakeFiles/openssl.dir/build.make:86: ../.deps/openssl/src/openssl-stamp/openssl-build] Error 2
    make[1]: [CMakeFiles/Makefile2:102: CMakeFiles/openssl.dir/all] Error 2
    make: *** [Makefile:91: all] Error 2

Ashwin-Saravanan-lennox commented 3 months ago

Is it possible to connect through a Teams call? Please let me know your convenient timing. @volks73

temin4u commented 3 months ago

https://github.com/openssl/openssl/issues/11281 Does the CPUID and buildinfo file need edits to resolve this issue?

Ashwin-Saravanan-lennox commented 3 months ago

How to overcome this issue with libcrypto.a?

    gcc -Iinclude -Iproviders/implementations/include -Iproviders/common/include -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_BUILDING_OPENSSL -DNDEBUG -MMD -MF providers/legacy-dso-legacyprov.d.tmp -MT providers/legacy-dso-legacyprov.o -c -o providers/legacy-dso-legacyprov.o providers/legacyprov.c
    /usr/bin/perl ./util/mkdef.pl --type dso --ordinals util/providers.num --name providers/legacy --OS linux > providers/legacy.ld
    gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -L. -Wl,-z,defs -Wl,-znodelete -shared -Wl,-Bsymbolic \
        -o providers/legacy.so -Wl,--version-script=providers/legacy.ld \
        providers/legacy-dso-legacyprov.o \
        providers/liblegacy.a providers/libcommon.a -lcrypto -ldl -pthread
    /usr/lib/gcc/x86_64-nilrt-linux/11.4.0/../../../../x86_64-nilrt-linux/bin/ld: ./libcrypto.a(libcommon-lib-ciphercommon_gcm.o): in function `ossl_gcm_get_ctx_params':
    ciphercommon_gcm.c:(.text+0x151): undefined reference to `ossl_param_find_pidx'
    /usr/lib/gcc/x86_64-nilrt-linux/11.4.0/../../../../x86_64-nilrt-linux/bin/ld: ./libcrypto.a(libcommon-lib-ciphercommon_gcm.o): in function `ossl_gcm_set_ctx_params':
    ciphercommon_gcm.c:(.text+0x491): undefined reference to `ossl_param_find_pidx'
    collect2: error: ld returned 1 exit status
    make[4]: [Makefile:13476: providers/legacy.so] Error 1
    make[4]: Leaving directory '/home/admin/libssh2lv/.deps/openssl/src/openssl'
    make[3]: [Makefile:2322: build_sw] Error 2
    make[3]: Leaving directory '/home/admin/libssh2lv/.deps/openssl/src/openssl'
    make[2]: [CMakeFiles/openssl.dir/build.make:86: ../.deps/openssl/src/openssl-stamp/openssl-build] Error 2
    make[2]: Leaving directory '/home/admin/libssh2lv/build'
    make[1]: [CMakeFiles/Makefile2:102: CMakeFiles/openssl.dir/all] Error 2
    make[1]: Leaving directory '/home/admin/libssh2lv/build'
    make: *** [Makefile:91: all] Error 2
    admin@ATE-RES-001:~/libssh2lv/build#