Closed clintoncwolfe closed 3 years ago
Verified on source install with inspec 4.37.23, train 3.7.2, net-ssh 5.2.0 (hrm, latest is 6.1.0), ed25519 v1.2.4
After forcing net-ssh upgrade to 6.1.0 and running with --log-level debug, the error message helpfully improved:
Transport error, can't connect to 'ssh' backend: SSH command failed (could not settle on kex algorithm
Server kex preferences: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
Client kex preferences: ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1)
Notably, the ed25519 KEX algorithms were missing from the client side. Those are loaded by a special gem, which I thought was the ed25519 gem, but reading the README it turns out that it only provides the key algorithms, not the KEX algos - those are provided by the x25519 gem, which we were not loading. After adding that to the Gemfile, inspec was able to connect.
This was added in the omnibus build of inspec, via the Gemfile. Closing here.
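The negotiation failure quoted in the comments above, worked through as an added Ruby example (not InSpec, Train or net-ssh code): it parses the quoted error text and shows that the two preference lists share no algorithm name. The function names and result keys are hypothetical.

```ruby
# Added example: diagnose a "could not settle on kex algorithm" error.
# The error text is copied from this thread; all names below are hypothetical.
KEX_ERROR = <<~MSG
  could not settle on kex algorithm
  Server kex preferences: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
  Client kex preferences: ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1)
MSG

# Extract one side's comma-separated preference list from the message.
def kex_list(message, side)
  line = message[/^\s*#{side} kex preferences:\s*(.+)$/i, 1]
  raise ArgumentError, "no #{side} kex preferences in message" unless line

  line.delete(')').split(',').map(&:strip).reject(&:empty?)
end

# Strip a trailing hash suffix (and any @vendor tag) to get the algorithm family,
# e.g. "diffie-hellman-group14-sha256" -> "diffie-hellman-group14".
def kex_family(alg)
  alg.sub(/-sha\d+(@.*)?\z/, '')
end

def diagnose_kex(message)
  server = kex_list(message, 'Server')
  client = kex_list(message, 'Client')
  client_families = client.map { |a| kex_family(a) }
  curve = ->(a) { a.start_with?('curve25519-') }
  {
    # Names must match exactly; an empty list means the handshake cannot proceed.
    common: client & server,
    server_only: server - client,
    # Same family offered by the client, but under a different hash or variant.
    near_miss: server.select do |a|
      !client.include?(a) && client_families.include?(kex_family(a))
    end,
    # Server offers curve25519 kex but the client advertises none. In this
    # thread the cause was the x25519 gem not being loaded.
    curve25519_missing: server.any?(&curve) && client.none?(&curve)
  }
end

pp diagnose_kex(KEX_ERROR) if __FILE__ == $PROGRAM_NAME
```

The `near_miss` entry shows why the `diffie-hellman-group14` pair does not help here: the server requires the SHA-256 variant while the client only offers SHA-1.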
When SSHD is configured with a restricted set of key exchange algorithms, inspec/train fails to connect, with error:
The server is configured with KEX:
Seen on RHEL8, thought to be from an omnibus install, unknown inspec version.