jwetzell / docker-guacamole

A self-contained guacamole docker container for x64 and ARM. Remotely connect over SSH, RDP or VNC using HTML5.
https://hub.docker.com/r/oznu/guacamole/
GNU General Public License v3.0

ECDSA still not work with 1.5 #12

Closed yauyauwind closed 8 months ago

yauyauwind commented 1 year ago

Hello,

I'm trying to access Home Assistant through Guacamole with an ECDSA private key, but it does not work ("due to HA OpenSSH not supporting RSA anymore"). I tried using Xshell to connect to Home Assistant with the ECDSA pk and it works, so my HA OpenSSH config should be OK.

I also noticed that Guacamole 1.5 supports ECC, which means the ECDSA OpenSSH private key should work. However, I am still unable to connect to Home Assistant. This time it is better: with the previous 1.4 version there was no connection activity on HA, but this time HA got the connection and said `no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]`. It seems Guacamole 1.5 accepts the ECDSA OpenSSH pk cert but doesn't use it to communicate with the HA OpenSSH server.

Any idea to fix it?

Thank you so much~

jwetzell commented 1 year ago

Still trying to figure this out. All the requirements outlined in their 1.5.0 release notes for this feature are present in this container now.

yauyauwind commented 1 year ago

Hello Jwetzell,

Is this related to the SSH Diffie-Hellman group setting? Where is the config file located, so that I can try to modify it?

Thanks~

jwetzell commented 1 year ago

Which config file?

yauyauwind commented 1 year ago

Hello Jwetzell,

I mean that Guacamole only uses RSA for the SSH handshake. How can I check the diffie-hellman-group setting on Guacamole, or the KeyExchange list on Guacamole?

I can use Xshell or even PuTTY to access Home Assistant OpenSSH with the ECDSA private key, so I can confirm the ECDSA public key and private key are correct. The error message from OpenSSH shows "no matching host key type found. their offer: ssh-rsa ssh-dss". It seems Guacamole only uses RSA for the SSH handshake and doesn't use ECDSA.

Thanks~~
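
An added example, not part of the original thread or the project's code: the sshd message quoted above is a host key algorithm negotiation failure, which OpenSSH reports separately from key exchange (Diffie-Hellman group), cipher and MAC mismatches. This Python example goes beyond the one message in the thread to cover those other categories, parsing constructed log lines and mapping each failure to the `sshd_config` option that governs it; the sample lines, addresses and function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample sshd log (documentation-range addresses, made-up PIDs).
SAMPLE_LOG = """\
sshd[311]: Unable to negotiate with 192.0.2.10 port 51234: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
sshd[312]: Accepted publickey for root from 192.0.2.20 port 40022 ssh2: ECDSA SHA256:constructed
sshd[313]: Unable to negotiate with 192.0.2.30 port 40100: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
sshd[314]: Unable to negotiate with 192.0.2.10 port 51240: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
"""

NEGOTIATION_FAILURE = re.compile(
    r"Unable to negotiate with (?P<peer>\S+) port \d+: "
    r"no matching (?P<what>[^.]+?) found\. Their offer: (?P<offer>\S+)"
)

# sshd_config option that governs each negotiation category.
SERVER_OPTION = {
    "host key type": "HostKeyAlgorithms",
    "key exchange method": "KexAlgorithms",
    "cipher": "Ciphers",
    "MAC": "MACs",
}
LEGACY_HOST_KEY_ALGS = {"ssh-rsa", "ssh-dss"}  # both sign with SHA-1

def summarize(log_text):
    """Group pre-auth negotiation failures by (peer, category)."""
    seen = defaultdict(lambda: {"count": 0, "offer": set()})
    for m in NEGOTIATION_FAILURE.finditer(log_text):
        entry = seen[(m["peer"], m["what"])]
        entry["count"] += 1
        entry["offer"].update(m["offer"].split(","))
    return [
        {
            "peer": peer,
            "category": what,
            "server_option": SERVER_OPTION.get(what, "unknown"),
            "count": entry["count"],
            "offer": sorted(entry["offer"]),
            # True when the client offers only SHA-1 RSA/DSA host key types.
            "legacy_host_keys_only": what == "host key type"
            and entry["offer"] <= LEGACY_HOST_KEY_ALGS,
        }
        for (peer, what), entry in sorted(seen.items())
    ]

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```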

jwetzell commented 1 year ago

I don't really know the inner workings of Guacamole, you could check out their repos and poke through the source. I haven't had any time to dig into why Guacamole isn't being set up to have that key type supported.

scottgrobinson commented 8 months ago

FYI what worked for me - Remove libssh2 from the dependencies install and replace with a step to manually install the version of libssh2 with ECDSA support.

```dockerfile
# Install libssh2 manually (THIS FIXES ECDSA SUPPORT)
ADD https://www.libssh2.org/download/libssh2-1.11.0.tar.gz /tmp
RUN tar -xzvf /tmp/libssh2-1.11.0.tar.gz \
 && cd libssh2-1.11.0 \
 && ./configure \
 && make \
 && make install
```

jwetzell commented 8 months ago

@scottgrobinson oOo.... If that works I will include it. I had tried to source a newer version of libssh2 from repos, totally didn't think to just grab it manually!

scottgrobinson commented 8 months ago

Confirmed working as of about ten minutes ago :)

jwetzell commented 8 months ago

@scottgrobinson tested here and works a treat! If you want to make a PR for this I can merge it or I've got the changes made and I can push it up.

jwetzell commented 8 months ago

I think the new libssh2 version should also resolve #4 and #8. A big thorn in this image's side (besides the outdated postgres) with such a simple fix!

scottgrobinson commented 8 months ago

Just trying to test the rpi build and will push. Any reason the pi build is on 1.5.2 rather than 1.5.4 like arm64 and amd64?

I'm not in a position to test arm64 but will include the change in there.

jwetzell commented 8 months ago

I have been unable to get any 1.5.x raspberry pi images building after they changed the underlying base images as mentioned in #20.

jwetzell commented 8 months ago

I've never given it a good proper try, I think the biggest blocker was that the base images updated major OS versions which made the version of postgres no longer available in the default repos. But could probably go and build from source again which I am trying now to see if that works. Not sure why I never explored that option all that much.

jwetzell commented 8 months ago

The 1.5.4-am64/latest and 1.5.4-arm64/arm64 images have been updated to include the latest libssh2 version which should fix this issue. If the problem still exists please reopen the issue.

I will work on getting the raspberry pi image back up to date (got to dig out a raspberry pi).