lkinley / Net-SSH-Perl

Development on the Net::SSH::Perl module to support latest ciphers, key exchange mechanisms, etc.

Can't call method "ssh_name" on an undefined value at /usr/lib64/perl5/vendor_perl/Net/SSH/Perl/Kex/DHGEX.pm line 73 #16

Open bjovanovic opened 2 years ago

bjovanovic commented 2 years ago

Trying to SSH via pub/private key combo to one of my servers. The exact same code works for other servers. "Regular" ssh works like a charm.

Here is the debug output including the two debug lines I added to DHGEX.pm here:

    my $host_key_blob = $packet->get_str;
    my $s_host_key = Net::SSH::Perl::Key->new_from_blob($host_key_blob, \$ssh->{datafellows});
    use Data::Dumper;
    print STDERR Dumper($host_key_blob, $ssh->{datafellows});
    $ssh->debug("Received host key, type '" . $s_host_key->ssh_name . "'.");

Here is the debug output (I edited the hostnames out):

    mylocalbox: Reading configuration data /root/.ssh/config
    mylocalbox: Reading configuration data /etc/ssh_config
    mylocalbox: Allocated local port 1022.
    mylocalbox: Connecting to myserver.com, port 19890.
    mylocalbox: Remote version string: SSH-2.0-OpenSSH_6.2
    mylocalbox: Remote protocol version 2.0, remote software version OpenSSH_6.2
    mylocalbox: Net::SSH::Perl Version 2.14, protocol version 2.0.
    mylocalbox: No compat match: OpenSSH_6.2.
    mylocalbox: Connection established.
    mylocalbox: Sent key-exchange init (KEXINIT), waiting for response.
    mylocalbox: Using diffie-hellman-group-exchange-sha256 for key exchange
    mylocalbox: Host key algorithm: ecdsa-sha2-nistp256
    mylocalbox: Algorithms, c->s: aes256-ctr hmac-sha2-512-etm@openssh.com none
    mylocalbox: Algorithms, s->c: aes256-ctr hmac-sha2-512-etm@openssh.com none
    mylocalbox: Entering Diffie-Hellman Group Exchange.
    mylocalbox: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<4096<8192) sent
    mylocalbox: Sent DH Group Exchange request, waiting for reply.
    mylocalbox: Received 4096 bit DH Group Exchange reply.
    mylocalbox: Generating new Diffie-Hellman keys.
    mylocalbox: Entering Diffie-Hellman key exchange.
    mylocalbox: Sent DH public key, waiting for reply.
    $VAR1 = 'ecdsa-sha2-nistp25nistp256A����%��7�8�$�A~������w���Wx�z����3|K@y�v�ā�>Z��j+�a^H����';
    $VAR2 = 0;
    Can't call method "ssh_name" on an undefined value at /usr/lib64/perl5/vendor_perl/Net/SSH/Perl/Kex/DHGEX.pm line 75.

(it's now line 75 as I added the above two lines)

    [root@8 auto_cert_renewal]# rpm -qa | grep ssh -i | grep -i perl
    perl-Net-SSH-Perl-2.14-8.fc32.x86_64
    perl-Net-SSH-0.09-31.fc32.noarch
    [root@8 auto_cert_renewal]#

OpenSSH on the other end is rather old:

    [root@myserver ~]# rpm -qa | grep openssh
    openssh-server-6.2p2-8.fc19.x86_64
    openssh-6.2p2-8.fc19.x86_64
    openssh-clients-6.2p2-8.fc19.x86_64
    [root@myserver ~]#

Unfortunately at this point I can not upgrade it (long story).

Any/all suggestions would be appreciated. Thanks!

bjovanovic commented 2 years ago

For posterity: It seems Net::SSH::Perl does not support ECDSA at all. It does not even say that, it just dies.

Either way - my solution was simple - since ECDSA is insecure by now, and old ssh does not support ed25519, was to move back to using RSA4096.

sensei-hacker commented 2 years ago

Thanks for letting us know! I bet that information will be useful to someone.

On Wed, Nov 17, 2021, 11:34 bjovanovic @.***> wrote:

For posterity: It seems Net::SSH::Perl does not support ECDSA at all. It does not even say that, it just dies.

Either way - my solution was simple - since ECDSA is insecure by now, and old ssh does not support ed25519, was to move back to using RSA4096.


briandfoy commented 1 year ago

I've forked this project at briandfoy/net-ssh-perl, and you can reopen this issue there if you'd like. Otherwise, I'll add it myself at some later time. See #22.

If you include text like transferred from linkley/Net-SSH-Perl#16, GitHub should make a reference between the two issues. You should see such a reference in this issue now.

I don't have a fix for this issue, but can merge someone else's work. Even though this question is obsoleted, we should fix the module to notify the user that they chose something that isn't supported.
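
Added example, not part of the thread and not Net::SSH::Perl's own code: a standalone Perl check that reads the key type name from the front of a host key blob and dies with a clear message when the type is unsupported, instead of failing later with a method call on an undefined value. The supported-type list, the function names and the sample blobs are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption for illustration only: the host key types the client can handle.
# This list is NOT taken from Net::SSH::Perl; adjust it to the real module.
my %SUPPORTED = map { $_ => 1 } qw(ssh-rsa ssh-dss ssh-ed25519);

# Read the leading SSH "string" (uint32 big-endian length, then that many
# bytes) from a host key blob; it names the key type (RFC 4253, section 6.6).
sub host_key_type {
    my ($blob) = @_;
    die "host key blob too short for a length field\n"
        unless defined $blob && length($blob) >= 4;
    my $len = unpack 'N', $blob;
    die "host key type length $len does not fit the blob\n"
        if $len == 0 || $len > length($blob) - 4;
    my $name = substr $blob, 4, $len;
    die "host key type is not printable ASCII\n"
        unless $name =~ /\A[\x21-\x7e]+\z/;
    return $name;
}

# Hypothetical guard: fail with a clear message before any method is called
# on a key object that could not be constructed.
sub check_host_key_blob {
    my ($blob) = @_;
    my $type = host_key_type($blob);
    die "unsupported host key type '$type' (supported: "
        . join(', ', sort keys %SUPPORTED) . ")\n"
        unless $SUPPORTED{$type};
    return $type;
}

# Constructed sample blobs (not captured from a real server).
my $ssh_str = sub { pack('N', length $_[0]) . $_[0] };
my %samples = (
    ecdsa     => $ssh_str->('ecdsa-sha2-nistp256') . $ssh_str->('nistp256')
                 . $ssh_str->("\x04" . ("\xAA" x 64)),
    rsa       => $ssh_str->('ssh-rsa') . $ssh_str->("\x01\x00\x01")
                 . $ssh_str->("\x00" . ("\xBB" x 256)),
    truncated => "\x00\x00\x00\x13ecdsa",
);

for my $label (sort keys %samples) {
    my $type = eval { check_host_key_blob($samples{$label}) };
    print defined $type ? "$label: ok ($type)\n" : "$label: rejected: $@";
}
```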