jwetzell / docker-guacamole

A self-contained guacamole docker container for x64 and ARM. Remotely connect over SSH, RDP or VNC using HTML5.
https://hub.docker.com/r/oznu/guacamole/
GNU General Public License v3.0

ssh connect on mac mini fails SSH handshake failed. #35

Closed sdetweil closed 3 months ago

sdetweil commented 7 months ago

Describe The Bug:

To Reproduce:

install guac on mac mini docker container (amd64) connect (ok), login (ok), create connection (ok) then use it

Expected behavior:

expect ssh session... works from same guac system to amd64 system..

can ssh directly.. from phone or amd system

Logs:

guacd[1123]: INFO:  Creating new client for protocol "ssh"
01/23/2024 11:14:07 AM guacd[1123]: INFO:  Connection ID is "$1bb5d0b8-e5d3-48e8-9393-6fb65d479617"
01/23/2024 11:14:07 AM guacd[1545]: INFO:  User "@bfa82027-22b1-48e9-8018-71b185ae2d8c" joined connection "$1bb5d0b8-e5d3-48e8-9393-6fb65d479617" (1 users now present)
01/23/2024 11:14:07 AM 17:14:07.946 [http-nio-8080-exec-5] INFO  o.a.g.tunnel.TunnelRequestService - User "sam" connected to connection "4".
01/23/2024 11:14:08 AM guacd[1545]: ERROR: SSH handshake failed.
01/23/2024 11:14:08 AM guacd[1545]: INFO:  User "@bfa82027-22b1-48e9-8018-71b185ae2d8c" disconnected (0 users remain)

Screenshots:

01/23/2024 11:12:13 AM 17:12:13.369 [http-nio-8080-exec-10] INFO o.a.g.r.auth.AuthenticationService - User "sam" successfully authenticated from [50.24.194.29, 192.168.65.1].
01/23/2024 11:12:20 AM guacd[1123]: INFO: Creating new client for protocol "ssh"
01/23/2024 11:12:20 AM guacd[1123]: INFO: Connection ID is "$6508023c-9137-46c1-b6ea-619077bed9f8"
01/23/2024 11:12:20 AM guacd[1435]: INFO: User "@1da299e1-fd30-4ef5-b161-b0f56f77d40e" joined connection "$6508023c-9137-46c1-b6ea-619077bed9f8" (1 users now present)
01/23/2024 11:12:20 AM 17:12:20.719 [http-nio-8080-exec-2] INFO o.a.g.tunnel.TunnelRequestService - User "sam" connected to connection "4".
01/23/2024 11:12:21 AM guacd[1435]: ERROR: SSH handshake failed.
01/23/2024 11:12:35 AM guacd[1435]: ERROR: User is not responding.
// -------- this is the first time connecting over this interface

Environment:

I did see a banner on the lower right,

the network connection to the guacamole server appears to be unsafe. This is connecting to the same machine that the docker container is running on.

jwetzell commented 7 months ago

I'm unsure of what the scenario is; your description jumps around a lot.

You are using I think the 1.5.4-amd64 image? But running an ARM Mac?

Then creating a connection inside guacamole to SSH into a MacOS host and that is not working but does work if you SSH into the same host from outside of the guacamole instance (like you said via phone or another host)?

sdetweil commented 7 months ago

I have two guac instances... one on AMD64 and one on ARM64 (using the tag for the docker container from my prior issue). I am using cloudflare tunnel to access the guac instance(s) (one tunnel to each network)

the ssh connection to the AMD64 host from the AMD64 container on the same system works fine.. (connection uses the ip address of the docker host system) (ubuntu)

the ssh connection to the ARM64 from the ARM64 container on the same system fails, ssh handshake, (connection uses the ip address of the docker host system) (macos)

jwetzell commented 7 months ago

And you can SSH into both systems not going through guacamole?

sdetweil commented 7 months ago

yes, on the appropriate networks (ethernet for amd64, wifi for macos).. I also just did, from an open terminal window on macos, ssh to the macos using the same username.. got the normal 1st time fingerprint prompt, yes, password prompt.. in ok, then exit, and ssh back in again, no 1st time prompt...

didn't affect guac login failure

when phone is on appropriate network, ssh app works to network specific target. I know there was a similar problem a while back..

jwetzell commented 7 months ago

Hmm, I don't have an ARM-based Mac to test this setup on, unfortunately. It could be an issue with supported algorithms (there are previous issues about this, as you said), but using the latest version of libssh that we are should have gotten rid of that unless there is something missing there.
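
An added example, not part of the original thread or of either project's code: one way to check the "supported algorithms" theory raised in the comment above is to parse the server's SSH_MSG_KEXINIT and look for fields where the client and server lists do not overlap. The helper names and the algorithm lists are constructed for illustration; they are not what libssh2 or macOS sshd actually offer.

```python
# Name-list fields of SSH_MSG_KEXINIT in wire order (RFC 4253, section 7.1).
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
SSH_MSG_KEXINIT = 20


def build_kexinit(lists):
    """Serialize a KEXINIT payload; used here only to construct sample input."""
    out = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # message type, zeroed cookie
    for field in FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        out += len(names).to_bytes(4, "big") + names
    return out + bytes(5)  # first_kex_packet_follows=0, reserved uint32=0


def parse_kexinit(payload):
    """Return {field: [algorithm, ...]} from a raw KEXINIT payload."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset, result = 17, {}  # skip the type byte and the 16-byte cookie
    for field in FIELDS:
        length = int.from_bytes(payload[offset:offset + 4], "big")
        start, offset = offset + 4, offset + 4 + length
        if offset > len(payload):
            raise ValueError(f"truncated name-list: {field}")
        raw = payload[start:offset].decode("ascii")
        result[field] = raw.split(",") if raw else []
    return result


def negotiate(client, server):
    """Simplified RFC 4253 rule: first client name the server also lists, else None."""
    return {f: next((a for a in client[f] if a in server[f]), None)
            for f in FIELDS[:8]}  # the two language lists are skipped


def handshake_blockers(client, server):
    """Fields with no algorithm in common; any entry aborts the handshake."""
    return [f for f, alg in negotiate(client, server).items() if alg is None]


# Constructed sample lists, NOT captured from libssh2 or macOS sshd.
SHARED = {"enc_c2s": ["aes128-ctr"], "enc_s2c": ["aes128-ctr"], "comp_c2s": ["none"],
          "comp_s2c": ["none"], "mac_c2s": ["hmac-sha2-256"], "mac_s2c": ["hmac-sha2-256"]}
CLIENT = dict(SHARED, host_key=["ssh-rsa"], kex=[
    "diffie-hellman-group14-sha1", "diffie-hellman-group-exchange-sha256"])
SERVER_KEXINIT = build_kexinit(dict(
    SHARED, host_key=["rsa-sha2-512", "rsa-sha2-256", "ssh-ed25519"],
    kex=["curve25519-sha256", "diffie-hellman-group-exchange-sha256"]))
```

With these constructed lists, `handshake_blockers(CLIENT, parse_kexinit(SERVER_KEXINIT))` reports `host_key` as the only field without a common algorithm.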

sdetweil commented 7 months ago

I'm a software guy, is there some debugging/testing I can provide? use libssh to connect from somewhere? (I don't have another arm mac)

I can make a docker container to do that too

jwetzell commented 7 months ago

You could test that the docker container can reach the problematic host (exec into the guacamole container). You could also try setting up Apache Guacamole using the official images or from source to see if their setup works any differently. Unfortunately I don't have much experience in the realm of troubleshooting or debugging Apache Guacamole setups.

sdetweil commented 7 months ago

I had to rebuild the container to add ping and the ssh client.. both of those were successful..

so it sounds like a libssh2 problem...

jwetzell commented 7 months ago

Not sure that would narrow it down to libssh2 in my mind. I guess you could scour the libssh2 repo for any issues related to SSH and MacOS 14.0.

sdetweil commented 7 months ago

I just opened this issue in libssh2 https://github.com/libssh2/libssh2/issues/1313

there was a problem early last year, but this version of the libs should work, UNLESS there is a code change required in guacamole.. but didn't see one in their repo either

jwetzell commented 7 months ago

Ok, I think the Apache repos for guacamole would be a better place to raise an issue as they are likely going to know whether this is something that is or isn't supported by the latest (1.5.4) version of guacamole.

sdetweil commented 7 months ago

opened https://issues.apache.org/jira/browse/GUACAMOLE-1914

jwetzell commented 7 months ago

Looks like they suggested what I did earlier: try using the official images, which would help narrow down where the problem lies. Referencing this repo in another project's issues is definitely not going to get you much of any response. They aren't going to chase down issues unless they can be shown it is an actual problem with their project.