mscdex
commented
3 years ago Is there another argument in
connect()that I need to include?
No. Out of curiosity, can you try with the current master branch? I'm wondering if the rewrite has helped any.
Closed wcarhart closed 1 year ago
mscdex
commented
3 years ago Is there another argument in
connect()that I need to include?
No. Out of curiosity, can you try with the current master branch? I'm wondering if the rewrite has helped any.
wcarhart
commented
3 years ago @mscdex Yes, pardon my ignorance, but how do I use the latest off master? Tried cloning locally and then using const {Client} = require('./ssh2/lib/client.js'). When using yarn run install I get the error:
Error: Cannot find module 'nan'
Require stack:
- /Users/<me>/personal/snug/ssh2/lib/protocol/crypto/[eval]
at Function.Module._resolveFilename (node:internal/modules/cjs/loader:900:15)
at Function.Module._load (node:internal/modules/cjs/loader:745:27)
at Module.require (node:internal/modules/cjs/loader:972:19)
at require (node:internal/modules/cjs/helpers:88:18)
at [eval]:1:1
at Script.runInThisContext (node:vm:132:18)
at Object.runInThisContext (node:vm:309:38)
at node:internal/process/execution:77:19
at [eval]-wrapper:6:22
at evalScript (node:internal/process/execution:76:60) {
code: 'MODULE_NOT_FOUND',
requireStack: [
'/Users/<me>/personal/snug/ssh2/lib/protocol/crypto/[eval]'
]
}
gyp: Call to 'node -e "require('nan')"' returned exit status 1 while in binding.gyp. while trying to load binding.gyp
gyp ERR! configure error
gyp ERR! stack Error: `gyp` failed with exit code: 1
gyp ERR! stack at ChildProcess.onCpExit (/usr/local/Cellar/node/15.0.1/libexec/lib/node_modules/npm/node_modules/node-gyp/lib/configure.js:351:16)
gyp ERR! stack at ChildProcess.emit (node:events:327:20)
gyp ERR! stack at Process.ChildProcess._handle.onexit (node:internal/child_process:277:12)
gyp ERR! System Darwin 18.2.0
gyp ERR! command "/usr/local/Cellar/node/15.0.1/bin/node" "/usr/local/Cellar/node/15.0.1/libexec/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js" "--target=v15.0.1" "rebuild"
gyp ERR! cwd /Users/<me>/personal/snug/ssh2/lib/protocol/crypto
gyp ERR! node -v v15.0.1
gyp ERR! node-gyp -v v7.1.2
gyp ERR! not ok
Failed to build optional crypto binding@mscdex Sorry, ignore the previous log, I was confused. I installed the latest off master and am seeing the same behavior.
Custom crypto binding available
Client: Trying localhost on port 22 ...
Local ident: 'SSH-2.0-ssh2js1.0.0-beta.0'
Socket connected
Remote ident: 'SSH-2.0-OpenSSH_7.9'
Outbound: Sending KEXINIT
Inbound: Handshake in progress
Handshake: (local) KEX method: curve25519-sha256@libssh.org,curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group15-sha512,diffie-hellman-group16-sha512,diffie-hellman-group17-sha512,diffie-hellman-group18-sha512
Handshake: (remote) KEX method: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
Handshake: KEX algorithm: curve25519-sha256@libssh.org
Handshake: (local) Host key format: ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
Handshake: (remote) Host key format: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
Handshake: Host key format: ssh-ed25519
Handshake: (local) C->S cipher: aes128-gcm,aes128-gcm@openssh.com,aes256-gcm,aes256-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com
Handshake: (remote) C->S cipher: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
Handshake: C->S Cipher: aes128-gcm@openssh.com
Handshake: (local) S->C cipher: aes128-gcm,aes128-gcm@openssh.com,aes256-gcm,aes256-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com
Handshake: (remote) S->C cipher: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
Handshake: S->C cipher: aes128-gcm@openssh.com
Handshake: (local) C->S MAC: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
Handshake: (remote) C->S MAC: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
Handshake: C->S MAC: <implicit>
Handshake: (local) S->C MAC: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
Handshake: (remote) S->C MAC: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
Handshake: S->C MAC: <implicit>
Handshake: (local) C->S compression: none,zlib@openssh.com,zlib
Handshake: (remote) C->S compression: none,zlib@openssh.com
Handshake: C->S compression: none
Handshake: (local) S->C compression: none,zlib@openssh.com,zlib
Handshake: (remote) S->C compression: none,zlib@openssh.com
Handshake: S->C compression: none
Outbound: Sending KEXECDH_INIT
Host accepted by default (no verification)
Host accepted (verified)
Inbound: NEWKEYS
Verifying signature ...
Verified signature
Outbound: Sending NEWKEYS
Handshake completed
Outbound: Sending SERVICE_REQUEST (ssh-userauth)
Inbound: Received SERVICE_ACCEPT (ssh-userauth)
Outbound: Sending USERAUTH_REQUEST (none)
Inbound: Received USERAUTH_FAILURE (publickey,password,keyboard-interactive)
Client: none auth failed
Outbound: Sending USERAUTH_REQUEST (publickey -- check)
Inbound: Received USERAUTH_FAILURE (publickey,password,keyboard-interactive)
Client: publickey auth failed
node:events:304
throw er; // Unhandled 'error' event
^
Error: All configured authentication methods failed
at doNextAuth (.../ssh2/lib/client.js:785:21)
at tryNextAuth (.../ssh2/lib/client.js:852:7)
at USERAUTH_FAILURE (.../ssh2/lib/client.js:356:11)
at 51 (.../ssh2/lib/protocol/handlers.misc.js:333:16)
at Protocol.onPayload (.../ssh2/lib/protocol/Protocol.js:1979:10)
at AESGCMDecipherBinding.decrypt (.../ssh2/lib/protocol/crypto.js:1091:26)
at Protocol.parsePacket [as _parse] (.../ssh2/lib/protocol/Protocol.js:1948:25)
at Protocol.parse (.../ssh2/lib/protocol/Protocol.js:288:16)
at Socket.<anonymous> (.../ssh2/lib/client.js:650:15)
at Socket.emit (node:events:327:20)
Emitted 'error' event on Client instance at:
at Socket.<anonymous> (.../ssh2/lib/client.js:652:14)
at Socket.emit (node:events:327:20)
at addChunk (node:internal/streams/readable:304:12)
at readableAddChunk (node:internal/streams/readable:279:9)
at Socket.Readable.push (node:internal/streams/readable:218:10)
at TCP.onStreamRead (node:internal/stream_base_commons:192:23) {
level: 'client-authentication'
}Are you able to create a new and unused key of the same type that exhibits the same behavior that you could send/post? I can try to duplicate the issue on my end.
wcarhart
commented
3 years ago Yes, I created a new keypair with ssh-keygen and spun up a new droplet on DO and am seeing the exact same behavior.
Here is the new public key.
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBdQ5/tnbFzWYxLBGwtKAzYkIV5CkQZjb+EJTNPu6EYXWX0kSofVNcMHGvINwWDtaqqZoQI2AvIU3TYGbuLSzoFHPvQxtxHyAOCPcliRKcUDFJSUFfWdkodLXvbC2UhJ6DsCl/HRqGxaW6q6HocZThGXOy62zZabnkkrFT8oxInPtRfOQAAVnGQVUgxpuFX3WVDB9SI2KTdKCBbUzbU501An+BgPPyy20YkfANm8xYreQ+1330Hpqazsi5I9Pgs3VoLgS8ldPhMug7LY6mByyyqKHR7UHeHA7O2VRQNWd/0XCiS/NLUg9m+gqD05mQDKrBAUSe9u8NbsX7ihGDEVTn will.carhart@wcarhart-mbp15Here is the new private key.
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEAwXUOf7Z2xc1mMSwRsLSgM2JCFeQpEGY2/hCUzT7uhGF1l9JEqH1T
XDBxryDcFg7WqqmaECNgLyFN02Bm7i0s6BRz70MbcR8gDgj3JYkSnFAxSUlBX1nZKHS172
wtlISeg7Apfx0ahsWluquh6HGU4Rlzsuts2Wm55JKxU/KMSJz7UXzkAAFZxkFVIMabhV91
lQwfUiNik3SggW1M21OdNQJ/gYDz8sttGJHwDZvMWK3kPtd99B6ams7IuSPT4LN1aC4EvJ
XT4TLoOy2Opgcssqih0e1B3hwOztlUUDVnf9FwokvzS1IPZvoKg9OZkAyqwQFEnvbvDW7F
+4oRgxFU5wAAA9hU0VtjVNFbYwAAAAdzc2gtcnNhAAABAQDBdQ5/tnbFzWYxLBGwtKAzYk
IV5CkQZjb+EJTNPu6EYXWX0kSofVNcMHGvINwWDtaqqZoQI2AvIU3TYGbuLSzoFHPvQxtx
HyAOCPcliRKcUDFJSUFfWdkodLXvbC2UhJ6DsCl/HRqGxaW6q6HocZThGXOy62zZabnkkr
FT8oxInPtRfOQAAVnGQVUgxpuFX3WVDB9SI2KTdKCBbUzbU501An+BgPPyy20YkfANm8xY
reQ+1330Hpqazsi5I9Pgs3VoLgS8ldPhMug7LY6mByyyqKHR7UHeHA7O2VRQNWd/0XCiS/
NLUg9m+gqD05mQDKrBAUSe9u8NbsX7ihGDEVTnAAAAAwEAAQAAAQEAly+06ggd4E26LHmF
RbSTcjS68sLBeMh496rbr18cJibIMKMp9wcia2yMm9GxTifAidVLyorq80oyuRugtUhmzO
SXCghG3Ov3MCC/jP0Hp1NggSaXyT29YUl8maTQJj5SZxX4CBglj+fMsgrJ2I9TS2uJqO0l
vu9KUKB3puRpz6BJqvKfGqkp3ttLrqA53Cx1JOwL8kUtXTGo5WECo36SO4C7v0XGwa2vYi
XAXF98+UBFNn55ZAnPBDEH5PcGSl3CQJ1/KJbITq7JdTsW+8ksgth1r23B+l7AXkyZnqPw
1/MsDtySWfpycr0Jqe5h/QiGIf4E34iuPY0RsPINP4IscQAAAIAFjTVwRLg1T6oC9yvYLF
qS/xKm80pxoeSKdDDWGmU06SDm0VnxziwngEenGWYwH+fsrl5Htt3492iIoASGo42HkXvD
FpqJpopQA5qnLi3yntADqd5rpeL7HmvvzMoL4n/6b7b65hq6fPP37vl+d/X1FrE5X6ARoZ
YaNU67s6KDPgAAAIEA9TGYVQVoJrGqEavdXv6K1sO5zDC0Ej9fMY4w8Tcv9KEcRsglNeSh
fe3oZbJeloXsAmGtMPFfFvEthYCbsh2sZ1I8McbOF2mVwjrI2bMsItUaxcosXw0MuTEkhL
Tuf1Rc7ITQh8rReNSHzJd7i1c8C2BXKRWsAUpTO92D94Lb4G8AAACBAMn7vk0LXI1QvC21
lH9EfGm/liXao0DcmnBUWVff+S8ZAqGCXS/QtkW3/+oLRDOBXj9/v3EfBdDRJs2FGgwSc3
DhjFvfyvXtA7BONv2uHNcXmuHsg+oJ4eQNsbt99XtFfc2OPIy7sZMka5yxIN6JIr1OGZI7
74PmsHBZy5cL5x8JAAAAG3dpbGwuY2FyaGFydEB3Y2FyaGFydC1tYnAxNQECAwQFBgc=
-----END OPENSSH PRIVATE KEY-----Here is the log, but I think it's identical to above.
DEBUG: Local ident: 'SSH-2.0-ssh2js0.4.10'
DEBUG: Client: Trying localhost on port 22 ...
DEBUG: Client: Connected
DEBUG: Parser: IN_INIT
DEBUG: Parser: IN_GREETING
DEBUG: Parser: IN_HEADER
DEBUG: Remote ident: 'SSH-2.0-OpenSSH_7.9'
DEBUG: Outgoing: Writing KEXINIT
DEBUG: Parser: IN_PACKETBEFORE (expecting 8)
DEBUG: Parser: IN_PACKET
DEBUG: Parser: pktLen:1076,padLen:6,remainLen:1072
DEBUG: Parser: IN_PACKETDATA
DEBUG: Parser: IN_PACKETDATAAFTER, packet: KEXINIT
DEBUG: Comparing KEXINITs ...
DEBUG: (local) KEX algorithms: curve25519-sha256@libssh.org,curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha1
DEBUG: (remote) KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
DEBUG: KEX algorithm: curve25519-sha256@libssh.org
DEBUG: (local) Host key formats: ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa
DEBUG: (remote) Host key formats: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
DEBUG: Host key format: ssh-ed25519
DEBUG: (local) Client->Server ciphers: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm,aes128-gcm@openssh.com,aes256-gcm,aes256-gcm@openssh.com
DEBUG: (remote) Client->Server ciphers: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
DEBUG: Client->Server Cipher: aes128-ctr
DEBUG: (local) Server->Client ciphers: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm,aes128-gcm@openssh.com,aes256-gcm,aes256-gcm@openssh.com
DEBUG: (remote) Server->Client ciphers: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
DEBUG: Server->Client Cipher: aes128-ctr
DEBUG: (local) Client->Server HMAC algorithms: hmac-sha2-256,hmac-sha2-512,hmac-sha1
DEBUG: (remote) Client->Server HMAC algorithms: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
DEBUG: Client->Server HMAC algorithm: hmac-sha2-256
DEBUG: (local) Server->Client HMAC algorithms: hmac-sha2-256,hmac-sha2-512,hmac-sha1
DEBUG: (remote) Server->Client HMAC algorithms: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
DEBUG: Server->Client HMAC algorithm: hmac-sha2-256
DEBUG: (local) Client->Server compression algorithms: none,zlib@openssh.com,zlib
DEBUG: (remote) Client->Server compression algorithms: none,zlib@openssh.com
DEBUG: Client->Server compression algorithm: none
DEBUG: (local) Server->Client compression algorithms: none,zlib@openssh.com,zlib
DEBUG: (remote) Server->Client compression algorithms: none,zlib@openssh.com
DEBUG: Server->Client compression algorithm: none
DEBUG: Outgoing: Writing KEXECDH_INIT
DEBUG: Parser: IN_PACKETBEFORE (expecting 8)
DEBUG: Parser: IN_PACKET
DEBUG: Parser: pktLen:188,padLen:8,remainLen:184
DEBUG: Parser: IN_PACKETDATA
DEBUG: Parser: IN_PACKETDATAAFTER, packet: KEXECDH_REPLY
DEBUG: Checking host key format
DEBUG: Checking signature format
DEBUG: Verifying host fingerprint
DEBUG: Host accepted by default (no verification)
DEBUG: Verifying signature
DEBUG: Outgoing: Writing NEWKEYS
DEBUG: Parser: IN_PACKETBEFORE (expecting 8)
DEBUG: Parser: IN_PACKET
DEBUG: Parser: pktLen:12,padLen:10,remainLen:8
DEBUG: Parser: IN_PACKETDATA
DEBUG: Parser: IN_PACKETDATAAFTER, packet: NEWKEYS
DEBUG: Outgoing: Writing SERVICE_REQUEST (ssh-userauth)
DEBUG: Parser: IN_PACKETBEFORE (expecting 16)
DEBUG: Parser: IN_PACKET
DEBUG: Parser: Decrypting
DEBUG: Parser: pktLen:28,padLen:10,remainLen:16
DEBUG: Parser: IN_PACKETDATA
DEBUG: Parser: Decrypting
DEBUG: Parser: HMAC size:32
DEBUG: Parser: IN_PACKETDATAVERIFY
DEBUG: Parser: Verifying MAC
DEBUG: Parser: IN_PACKETDATAVERIFY (Valid HMAC)
DEBUG: Parser: IN_PACKETDATAAFTER, packet: SERVICE_ACCEPT
DEBUG: Outgoing: Writing USERAUTH_REQUEST (none)
DEBUG: Parser: IN_PACKETBEFORE (expecting 16)
DEBUG: Parser: IN_PACKET
DEBUG: Parser: Decrypting
DEBUG: Parser: pktLen:60,padLen:14,remainLen:48
DEBUG: Parser: IN_PACKETDATA
DEBUG: Parser: Decrypting
DEBUG: Parser: HMAC size:32
DEBUG: Parser: IN_PACKETDATAVERIFY
DEBUG: Parser: Verifying MAC
DEBUG: Parser: IN_PACKETDATAVERIFY (Valid HMAC)
DEBUG: Parser: IN_PACKETDATAAFTER, packet: USERAUTH_FAILURE
DEBUG: Client: none auth failed
DEBUG: Outgoing: Writing USERAUTH_REQUEST (publickey -- check)
DEBUG: Parser: IN_PACKETBEFORE (expecting 16)
DEBUG: Parser: IN_PACKET
DEBUG: Parser: Decrypting
DEBUG: Parser: pktLen:60,padLen:14,remainLen:48
DEBUG: Parser: IN_PACKETDATA
DEBUG: Parser: Decrypting
DEBUG: Parser: HMAC size:32
DEBUG: Parser: IN_PACKETDATAVERIFY
DEBUG: Parser: Verifying MAC
DEBUG: Parser: IN_PACKETDATAVERIFY (Valid HMAC)
DEBUG: Parser: IN_PACKETDATAAFTER, packet: USERAUTH_FAILURE
DEBUG: Client: publickey auth failed
node:events:304
throw er; // Unhandled 'error' event
^
Error: All configured authentication methods failed
at doNextAuth (.../node_modules/ssh2/lib/client.js:413:17)
at tryNextAuth (.../node_modules/ssh2/lib/client.js:484:5)
at SSH2Stream.onUSERAUTH_FAILURE (.../node_modules/ssh2/lib/client.js:597:5)
at SSH2Stream.emit (node:events:327:20)
at parsePacket (.../node_modules/ssh2-streams/lib/ssh.js:3682:10)
at SSH2Stream._transform (.../node_modules/ssh2-streams/lib/ssh.js:701:13)
at SSH2Stream.Transform._write (node:internal/streams/transform:184:23)
at writeOrBuffer (node:internal/streams/writable:382:12)
at SSH2Stream.Writable.write (node:internal/streams/writable:333:10)
at Socket.ondata (node:internal/streams/readable:715:22)
Emitted 'error' event on Client instance at:
at doNextAuth (.../node_modules/ssh2/lib/client.js:415:12)
at tryNextAuth (.../node_modules/ssh2/lib/client.js:484:5)
[... lines matching original stack trace ...]
at Socket.ondata (node:internal/streams/readable:715:22) {
level: 'client-authentication'
}
theophilusx
commented
3 years ago In your package.json file, change the entry for ssh2 in the dependencies list to use a git URL instead of a version number e.g.
"ssh2": "github:mscdex/ssh2"
See the npm man page for details on using git and github urls.
mcmatan
commented
3 years ago I have the same issue, switching to master did not help
mscdex
commented
3 years ago Something I just noticed @wcarhart is that with the OpenSSH client you're connecting to a different server because the server ident is different. With your OpenSSH client connection the server ident is "OpenSSH_8.2p1 Ubuntu-4ubuntu0.1" but with your ssh2 connection the server is reporting "OpenSSH_7.9". Are you sure you're using the right key for the right server with ssh2?
travis5491811
commented
3 years ago Chiming in, I'm also on mac and having the same problem but then realized i was passing the wrong values from my .env after console logging the config just before trying to connect.
eatonphil
commented
3 years ago Getting a similar issue, running latest both master of ssh2 and the latest release:
custom crypto binding not available
Client: Trying datastation.multiprocess.io on port 22 ...
Local ident: 'SSH-2.0-ssh2js1.1.0'
Socket connected
Remote ident: 'SSH-2.0-OpenSSH_8.4'
Outbound: Sending KEXINIT
Inbound: Handshake in progress
Handshake: (local) KEX method: curve25519-sha256@libssh.org,curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-s
ha256,diffie-hellman-group14-sha256,diffie-hellman-group15-sha512,diffie-hellman-group16-sha512,diffie-hellman-group17-sha512,diffie-hellman-group18-sha512
Handshake: (remote) KEX method: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-
sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
Handshake: KEX algorithm: curve25519-sha256@libssh.org
Handshake: (local) Host key format: ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
Handshake: (remote) Host key format: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
Handshake: Host key format: ssh-ed25519
Handshake: (local) C->S cipher: aes128-gcm,aes128-gcm@openssh.com,aes256-gcm,aes256-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com
Handshake: (remote) C->S cipher: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
Handshake: C->S Cipher: aes128-gcm@openssh.com
Handshake: (local) S->C cipher: aes128-gcm,aes128-gcm@openssh.com,aes256-gcm,aes256-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com
Handshake: (remote) S->C cipher: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
Handshake: S->C cipher: aes128-gcm@openssh.com
Handshake: (local) C->S MAC: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
Handshake: (remote) C->S MAC: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,u
mac-128@openssh.com,hmac-sha2-512
Handshake: C->S MAC: <implicit>
Handshake: (local) S->C MAC: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
Handshake: (remote) S->C MAC: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,u
mac-128@openssh.com,hmac-sha2-512
Handshake: S->C MAC: <implicit>
Handshake: (local) C->S compression: none,zlib@openssh.com,zlib
Handshake: (remote) C->S compression: none,zlib@openssh.com
Handshake: C->S compression: none
Handshake: (local) S->C compression: none,zlib@openssh.com,zlib
Handshake: (remote) S->C compression: none,zlib@openssh.com
Handshake: S->C compression: none
Outbound: Sending KEXECDH_INIT
Received DH Reply
Host accepted by default (no verification)
Host accepted (verified)
Inbound: NEWKEYS
Verifying signature ...
Verified signature
Outbound: Sending NEWKEYS
Handshake completed
Outbound: Sending SERVICE_REQUEST (ssh-userauth)
Inbound: Received SERVICE_ACCEPT (ssh-userauth)
Outbound: Sending USERAUTH_REQUEST (none)
Inbound: Received USERAUTH_FAILURE (publickey,gssapi-keyex,gssapi-with-mic)
Client: none auth failed
Outbound: Sending USERAUTH_REQUEST (publickey -- check)
Inbound: Received USERAUTH_FAILURE (publickey,gssapi-keyex,gssapi-with-mic)
Client: publickey auth failed
CLIENT[sftp]: Handled Error: All configured authentication methods failed undefined
Outbound: Sending DISCONNECT (11)
CLIENT[sftp]: Removing listener from ready
CLIENT[sftp]: sftp: Removing end listener
CLIENT[sftp]: sftp: Removing close listener
CLIENT[sftp]: sftp: Removing error listener
Error: sftpConnect: All configured authentication methods failed
at fmtError (/Users/philipeaton/multiprocess/datastation/node_modules/ssh2-sftp-client/src/utils.js:53:18)
at Client.fn (/Users/philipeaton/multiprocess/datastation/node_modules/ssh2-sftp-client/src/utils.js:73:16)
at Client.emit (events.js:327:22)
at doNextAuth (/Users/philipeaton/multiprocess/datastation/node_modules/ssh2/lib/client.js:784:14)
at tryNextAuth (/Users/philipeaton/multiprocess/datastation/node_modules/ssh2/lib/client.js:972:7)
at USERAUTH_FAILURE (/Users/philipeaton/multiprocess/datastation/node_modules/ssh2/lib/client.js:367:11)
at 51 (/Users/philipeaton/multiprocess/datastation/node_modules/ssh2/lib/protocol/handlers.misc.js:333:16)
at Protocol.onPayload (/Users/philipeaton/multiprocess/datastation/node_modules/ssh2/lib/protocol/Protocol.js:1974:10)
at AESGCMDecipherNative.decrypt (/Users/philipeaton/multiprocess/datastation/node_modules/ssh2/lib/protocol/crypto.js:992:26)
at Protocol.parsePacket [as _parse] (/Users/philipeaton/multiprocess/datastation/node_modules/ssh2/lib/protocol/Protocol.js:1943:25)
at Protocol.parse (/Users/philipeaton/multiprocess/datastation/node_modules/ssh2/lib/protocol/Protocol.js:281:16)
at Socket.<anonymous> (/Users/philipeaton/multiprocess/datastation/node_modules/ssh2/lib/client.js:692:21)
at Socket.emit (events.js:315:20)
at addChunk (internal/streams/readable.js:309:12)
at readableAddChunk (internal/streams/readable.js:284:9)
at Socket.Readable.push (internal/streams/readable.js:223:10) {
code: 'ERR_GENERIC_CLIENT',
custom: true
}When I pass username, privateKey, host, and port as config options.
I'm able to ssh in with the same private key though using ssh:
ssh -vvv -i ~/.ssh/id_rsa fedora@datastation.multiprocess.io -- exit
OpenSSH_8.1p1, LibreSSL 2.7.3
debug1: Reading configuration data /Users/philipeaton/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 47: Applying options for *
debug1: Connecting to datastation.multiprocess.io port 22.
debug1: Connection established.
debug1: identity file /Users/philipeaton/.ssh/id_rsa type 0
debug1: identity file /Users/philipeaton/.ssh/id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.4
debug1: match: OpenSSH_8.4 pat OpenSSH* compat 0x04000000
debug3: fd 5 is O_NONBLOCK
debug1: Authenticating to datastation.multiprocess.io:22 as 'fedora'
debug3: hostkeys_foreach: reading file "/Users/philipeaton/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /Users/philipeaton/.ssh/known_hosts:47
debug3: load_hostkeys: loaded 1 keys from datastation.multiprocess.io
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
debug2: ciphers stoc: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:xYULx/bHiyIlT5QX+yow8pEpyKgfpmcvBdCtVkK2W6A
debug3: hostkeys_foreach: reading file "/Users/philipeaton/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /Users/philipeaton/.ssh/known_hosts:47
debug3: load_hostkeys: loaded 1 keys from datastation.multiprocess.io
debug3: hostkeys_foreach: reading file "/Users/philipeaton/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /Users/philipeaton/.ssh/known_hosts:47
debug3: load_hostkeys: loaded 1 keys from 3.83.41.154
debug1: Host 'datastation.multiprocess.io' is known and matches the ECDSA host key.
debug1: Found key in /Users/philipeaton/.ssh/known_hosts:47
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /Users/philipeaton/.ssh/id_rsa RSA SHA256:VJ5+aBFgJ+LmFrNu5NAz1gr9i/JZwGAba8bt/0tcgss explicit
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/philipeaton/.ssh/id_rsa RSA SHA256:VJ5+aBFgJ+LmFrNu5NAz1gr9i/JZwGAba8bt/0tcgss explicit
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /Users/philipeaton/.ssh/id_rsa RSA SHA256:VJ5+aBFgJ+LmFrNu5NAz1gr9i/JZwGAba8bt/0tcgss explicit
debug3: sign_and_send_pubkey: RSA SHA256:VJ5+aBFgJ+LmFrNu5NAz1gr9i/JZwGAba8bt/0tcgss
debug3: sign_and_send_pubkey: signing using rsa-sha2-512
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).
Authenticated to datastation.multiprocess.io ([3.83.41.154]:22).
debug2: fd 7 setting O_NONBLOCK
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Requesting no-more-sessions@openssh.com
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: network
debug3: receive packet: type 80
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug3: receive packet: type 4
debug1: Remote: /home/fedora/.ssh/authorized_keys:3: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug3: receive packet: type 4
debug1: Remote: /home/fedora/.ssh/authorized_keys:3: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug3: receive packet: type 91
debug2: channel_input_open_confirmation: channel 0: callback start
debug2: fd 5 setting TCP_NODELAY
debug3: ssh_packet_set_tos: set IP_TOS 0x20
debug2: client_session2_setup: id 0
debug1: Sending environment.
debug3: Ignored env C8_ROOT
debug3: Ignored env COLORTERM
debug3: Ignored env COMMAND_MODE
debug3: Ignored env EDITOR
debug3: Ignored env HOME
debug3: Ignored env KITTY_WINDOW_ID
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug1: Sending env LC_CTYPE = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env LESS
debug3: Ignored env LOGNAME
debug3: Ignored env LSCOLORS
debug3: Ignored env OLDPWD
debug3: Ignored env PAGER
debug3: Ignored env PATH
debug3: Ignored env PONYO_ROOT
debug3: Ignored env PWD
debug3: Ignored env SHELL
debug3: Ignored env SHLVL
debug3: Ignored env SSH_AUTH_SOCK
debug3: Ignored env TERM
debug3: Ignored env TERMINFO
debug3: Ignored env TERM_PROGRAM
debug3: Ignored env TERM_PROGRAM_VERSION
debug3: Ignored env TMPDIR
debug3: Ignored env TMUX
debug3: Ignored env TMUX_PANE
debug3: Ignored env USER
debug3: Ignored env WINDOWID
debug3: Ignored env XPC_FLAGS
debug3: Ignored env XPC_SERVICE_NAME
debug3: Ignored env ZSH
debug3: Ignored env __CFBundleIdentifier
debug3: Ignored env __CF_USER_TEXT_ENCODING
debug3: Ignored env _
debug1: Sending command: exit
debug2: channel 0: request exec confirm 1
debug3: send packet: type 98
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 2097152
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: exec request accepted on channel 0
debug3: receive packet: type 96
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: chan_shutdown_write (i0 o1 sock -1 wfd 7 efd 8 [write])
debug2: channel 0: output drain -> closed
debug3: receive packet: type 98
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug3: receive packet: type 98
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug2: channel 0: rcvd eow
debug2: channel 0: chan_shutdown_read (i0 o3 sock -1 wfd 6 efd 8 [write])
debug2: channel 0: input open -> closed
debug3: receive packet: type 97
debug2: channel 0: rcvd close
debug3: channel 0: will not send data after close
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug3: send packet: type 97
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
#0 client-session (t4 r0 i3/0 o3/0 e[write]/0 fd -1/-1/8 sock -1 cc -1)
debug3: send packet: type 1
debug3: fd 1 is not O_NONBLOCK
Transferred: sent 3580, received 3204 bytes, in 0.4 seconds
Bytes per second: sent 9277.0, received 8302.7
debug1: Exit status 0 I see it show up in server logs but I'm not sure what's going wrong/why it's failing to connect using the same user/privatekey
Jul 06 21:20:11 ip-172-31-49-215.ec2.internal sshd[330467]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]
Jul 06 21:20:11 ip-172-31-49-215.ec2.internal sshd[330467]: Received disconnect from 64.78.253.73 port 34281:11: [preauth]
Jul 06 21:20:11 ip-172-31-49-215.ec2.internal sshd[330467]: Disconnected from authenticating user fedora 64.78.253.73 port 34281 [preauth]
Jul 06 21:20:13 ip-172-31-49-215.ec2.internal sshd[330469]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]
Jul 06 21:20:13 ip-172-31-49-215.ec2.internal sshd[330469]: Received disconnect from 64.78.253.73 port 34374:11: [preauth]
Jul 06 21:20:13 ip-172-31-49-215.ec2.internal sshd[330469]: Disconnected from authenticating user fedora 64.78.253.73 port 34374 [preauth]
Jul 06 21:20:17 ip-172-31-49-215.ec2.internal sshd[330471]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]
Jul 06 21:20:17 ip-172-31-49-215.ec2.internal sshd[330471]: Received disconnect from 64.78.253.73 port 57905:11: [preauth]
Jul 06 21:20:17 ip-172-31-49-215.ec2.internal sshd[330471]: Disconnected from authenticating user fedora 64.78.253.73 port 57905 [preauth]I just noticed:
Jul 06 21:20:11 ip-172-31-49-215.ec2.internal sshd[330467]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]And it does look like Fedora did indeed deprecate this key type. But I'm confused because regular ssh still allows me to use this same key but ssh2 (this module) does not?
mscdex
commented
3 years ago @eatonphil ssh2 definitely supports RSA keys. Can you verify the problem using just ssh2 (it seems you're using a downstream library -- ssh2-sftp-client)? Can you paste what your connection config object that you're passing to connect() looks like? Are you sure it's the same key?
I probably should add key hash values to debug output like OpenSSH does to catch these issues more easily.
eatonphil
commented
3 years ago No I believe it's that this library is "labeling" my key as ssh-rsa whereas the open ssh client is "labeling" it as rsa-sha2-512.
Since fedora deprecated ssh-rsa I can't use this library to connect even though I can connect with the openssh client (that labels the same key differently).
Does that make sense?
mscdex
commented
3 years ago It's the same key type, the only difference is the hashing algorithm. OpenSSH uses a custom/non-standard message type to indicate the supported key algorithms for authentication, which I guess we could add support for if OpenSSH is reported in the remote party's identification. That won't help any other server implementations though that happen to disable support for select algorithms.
theophilusx
commented
3 years ago As ssh2-sftp-client is really just a simple wrapper around ssh2, it is unlikely it has any impact in this area, but of course cannot be eliminated and should be considered/verified.
In the ssh2-sftp-client repository, there is a 'validation' directory which contains some very basic scripts which perform simple sftp operations and which only use ssh2. These scripts are there for precisely this reason i.e. to verify an issue can be reproduced using just ssh2 and eliminate ssh2-sftp-client layer as a contributing factor. If the issue does not occur using these scripts, then the issue should probably be reported with the ssh2-sftp-client project.
eatonphil
commented
3 years ago I have the same issue when using the ssh2 library directly.
I guess we could add support for if OpenSSH is reported in the remote party's identification
It sounds like I'm making a feature request then
mscdex
commented
3 years ago It sounds like I'm making a feature request then
As I was working on adding support for this, I discovered that OpenSSH does not filter the list of signature algorithms according to the server's configured PubkeyAcceptedKeyTypes/PubkeyAcceptedAlgorithms so it just sends everything OpenSSH supports in general, which kind of defeats the whole purpose of sending such a list.
The RFCs mention that if the server doesn't send a signature algorithm list or doesn't support the extension negotiation mechanism at all, to possibly use trial and error, however as the RFC also notes, some server implementations can penalize you for such things.
So unfortunately there's not really anything I can do right now.
mtorromeo
commented
2 years ago I'm having the same issue.
This will happen when trying to connect to any server with a recent version of openssh (with default settings) and so it will become more and more urgent as it's not just a fedora deprecation but an openssh one.
Arch Linux is also shipping this version of openssh.
wdavidw
commented
2 years ago Same problem on my side with Arch Linux. I have been running unit tests on arch for years with nikita. The majority of the tests run with a local SSH connection. Lately, I trash all my docker images and couldn't run the tests which were using an Arch Linux image while the ssh command works from inside the container. Here are the steps to reproduce the issue:
docker run -it --rm archlinux:latest /bin/bash
pacman --noconfirm -Syu
pacman --noconfirm -S openssh nodejs npm
ssh -V | grep 'OpenSSH_8.8p1, OpenSSL 1.1.1l 24 Aug 2021'
cd /root/
/usr/bin/ssh-keygen -A
ssh-keygen -t rsa -f ~/.ssh/id_rsa -N ''
cat ~/.ssh/id_rsa.pub > ~/.ssh/authorized_keys
/usr/sbin/sshd
ssh root@127.0.0.1 whoami | grep root
mkdir test
npm init -y
npm install ssh2
cat <<JS >test.js
const { readFileSync } = require('fs');
const { Client } = require('ssh2');
const conn = new Client();
conn.on('ready', () => {
console.log('Client :: ready');
conn.shell((err, stream) => {
if (err) throw err;
stream.on('close', () => {
console.log('Stream :: close');
conn.end();
}).on('data', (data) => {
console.log('OUTPUT: ' + data);
});
stream.end('ls -l\nexit\n');
});
}).connect({
host: '127.0.0.1',
port: 22,
username: 'root',
privateKey: readFileSync('/root/.ssh/id_rsa'),
debug: (s) => {console.log(s)}
});
JS
node test.jsOutput is:
Custom crypto binding not available
Local ident: 'SSH-2.0-ssh2js1.5.0'
Client: Trying 127.0.0.1 on port 22 ...
Socket connected
Remote ident: 'SSH-2.0-OpenSSH_8.8'
Outbound: Sending KEXINIT
Inbound: Handshake in progress
Handshake: (local) KEX method: curve25519-sha256@libssh.org,curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group15-sha512,diffie-hellman-group16-sha512,diffie-hellman-group17-sha512,diffie-hellman-group18-sha512
Handshake: (remote) KEX method: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
Handshake: KEX algorithm: curve25519-sha256@libssh.org
Handshake: (local) Host key format: ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
Handshake: (remote) Host key format: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
Handshake: Host key format: ssh-ed25519
Handshake: (local) C->S cipher: aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com
Handshake: (remote) C->S cipher: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
Handshake: C->S Cipher: aes128-gcm@openssh.com
Handshake: (local) S->C cipher: aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com
Handshake: (remote) S->C cipher: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
Handshake: S->C cipher: aes128-gcm@openssh.com
Handshake: (local) C->S MAC: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
Handshake: (remote) C->S MAC: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
Handshake: C->S MAC: <implicit>
Handshake: (local) S->C MAC: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
Handshake: (remote) S->C MAC: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
Handshake: S->C MAC: <implicit>
Handshake: (local) C->S compression: none,zlib@openssh.com,zlib
Handshake: (remote) C->S compression: none,zlib@openssh.com
Handshake: C->S compression: none
Handshake: (local) S->C compression: none,zlib@openssh.com,zlib
Handshake: (remote) S->C compression: none,zlib@openssh.com
Handshake: S->C compression: none
Outbound: Sending KEXECDH_INIT
Received DH Reply
Host accepted by default (no verification)
Host accepted (verified)
Outbound: Sending NEWKEYS
Inbound: NEWKEYS
Verifying signature ...
Verified signature
Handshake completed
Outbound: Sending SERVICE_REQUEST (ssh-userauth)
Inbound: Received SERVICE_ACCEPT (ssh-userauth)
Outbound: Sending USERAUTH_REQUEST (none)
Inbound: Received USERAUTH_FAILURE (publickey,password)
Client: none auth failed
Outbound: Sending USERAUTH_REQUEST (publickey -- check)
Inbound: Received USERAUTH_FAILURE (publickey,password)
Client: publickey auth failed
node:events:368
throw er; // Unhandled 'error' event
^
Error: All configured authentication methods failed
at doNextAuth (/root/test/node_modules/ssh2/lib/client.js:803:21)
at tryNextAuth (/root/test/node_modules/ssh2/lib/client.js:993:7)
at USERAUTH_FAILURE (/root/test/node_modules/ssh2/lib/client.js:373:11)
at 51 (/root/test/node_modules/ssh2/lib/protocol/handlers.misc.js:337:16)
at Protocol.onPayload (/root/test/node_modules/ssh2/lib/protocol/Protocol.js:2025:10)
at AESGCMDecipherNative.decrypt (/root/test/node_modules/ssh2/lib/protocol/crypto.js:987:26)
at Protocol.parsePacket [as _parse] (/root/test/node_modules/ssh2/lib/protocol/Protocol.js:1994:25)
at Protocol.parse (/root/test/node_modules/ssh2/lib/protocol/Protocol.js:293:16)
at Socket.<anonymous> (/root/test/node_modules/ssh2/lib/client.js:713:21)
at Socket.emit (node:events:390:28)
Emitted 'error' event on Client instance at:
at Socket.<anonymous> (/root/test/node_modules/ssh2/lib/client.js:715:20)
at Socket.emit (node:events:390:28)
at addChunk (node:internal/streams/readable:324:12)
at readableAddChunk (node:internal/streams/readable:297:9)
at Socket.Readable.push (node:internal/streams/readable:234:10)
at TCP.onStreamRead (node:internal/stream_base_commons:199:23) {
level: 'client-authentication'
}
Node.js v17.1.0Note, it works with an older version of Arch, eg echo 'Server=https://archive.archlinux.org/repos/2021/05/01/$repo/os/$arch' > /etc/pacman.d/mirrorlist on container start and when ssh -V is OpenSSH_8.6p1, OpenSSL 1.1.1l 24 Aug 2021.
Dzieni
commented
2 years ago @mscdex
If I understand correctly - while we cannot get a list of PubkeyAcceptedAlgorithms, we could:
So we'd need a configuration option similar to kex or cipher, but related to private key area, right?
axkibe
commented
2 years ago I guess this in relation to this: https://www.reddit.com/r/linuxquestions/comments/qgmnnh/ssh_key_no_mutual_signature_algorithm/ https://levelup.gitconnected.com/demystifying-ssh-rsa-in-openssh-deprecation-notice-22feb1b52acd
Meaning right now I'll have to tell affected users (using Arch) to use an ed25519 key or explicitly enable "PubkeyAcceptedKeyTypes=+ssh-rsa" in their .ssh/config file.
jmichiel
commented
2 years ago I also got bitten by this. I implemented SSH with this library in a testtool for an embedded device which worked perfectly. However, the firmware of the embedded device got an update of OpenSSH (for security reasons), but now we're forced to enable ssh-rsa again via the SSH config or the testtool stops working... I'm willing to have a crack at it myself, but alas I'm afraid I don't know enough of SSH to know even where to start looking... I believe this is where 'ssh-rsa' is passed to the server and should be something else (rsa-sha2-512)? Should the payload be re-hashed as well then?
axkibe
commented
2 years ago I didn't go into the code in detail, I believe the issue is, in the beginning of the ssh session there is a handshake about the capabilities, and right now with this library they agree to not use rsa signatures.
The funny thing with current/some openssh client is, they ignore the handshake and ask the server the rsa key signature anyway.. and then the server says, yes well actually it's fine.. while some newer versions respect the handshake and wont try it, unless you config them to.
So what I believe needs fixing is the handshake.
Axent96
commented
2 years ago I have same problem with privateKey : Sending USERAUTH_REQUEST (none) Received USERAUTH_FAILURE (publickey) none auth failed
Axent96
commented
2 years ago It works for me in the way:
let sftpConfig = { host: 'aHost', port: 22, username: 'username' }; sftpConfig.authHandler = function (methodsLeft, partialSuccess, callback) { callback({ type: 'publickey', username: 'username', key: 'a privateKey', passphrase: 'passphrase' }); sftp.connect(sftpConfig)....
Username must be in both parts in config & in authHandler function.
jmichiel
commented
2 years ago That doesn't work for me.
I also have some python code connecting to the same devices using Paramiko, and I also needed to update it to the latest version to get it going. After some debugging there, it seems paramiko is effectively re-encrypting the public key using rsa-sha2-512 before sending it
jmichiel
commented
2 years ago I guess this in relation to this: https://www.reddit.com/r/linuxquestions/comments/qgmnnh/ssh_key_no_mutual_signature_algorithm/ https://levelup.gitconnected.com/demystifying-ssh-rsa-in-openssh-deprecation-notice-22feb1b52acd
Meaning right now I'll have to tell affected users (using Arch) to use an ed25519 key or explicitly enable "PubkeyAcceptedKeyTypes=+ssh-rsa" in their .ssh/config file.
I our case, adding PubkeyAcceptedAlgorithms=+ssh-rsa did the trick.
shobekhan
commented
2 years ago The following steps worked for me on ubuntu server 22.04 LTS
Open file "/etc/ssh/sshd_config"
Add the line below PubkeyAcceptedKeyTypes=+ssh-rsa
Restart the service sshd sudo systemctl restart sshd.service
try again and hope it will work
subtletech
commented
2 years ago I'm in a weird situation here. Editing /etc/ssh/sshd_config is not an option for me, as well as changing keys to ed25519.
Logging in to the servers works fine for me through command line ssh (or putty). But ssh2 on nodejs fails. I kinda understand the reasoning behind this behavior, but we really need to have a wordaround on ssh2 side, not on server side.
Eugeny
commented
2 years ago IMO OpenSSH is the industry standard, and if it violates the spec (unfortunately) any library aiming to be the primary SSH implementation for a given platform has to either follow suit, or provide a "quirks mode" flag that would enable OpenSSH compatible behaviour.
Spec compat is cool, but real use comes first.
imseon
commented
2 years ago The following steps worked for me on ubuntu server 22.04 LTS
Open file "/etc/ssh/sshd_config"
Add the line below PubkeyAcceptedKeyTypes=+ssh-rsa
Restart the service sshd sudo systemctl restart sshd.service
try again and hope it will work
Thanks! Worked for me, too
harshit-kyal
commented
2 years ago Thanks worked for me! Saved my day.
mdanialr
commented
2 years ago dude @shobekhan you save my ass. after almost an hour its got fixed finally. so the summary is because the current Ubuntu 22 is using the newest SSH but this pkg does not support that yet?? because when i use with Rocky 8.5 its just fine though.. :disappointed:
voxsoftware
commented
2 years ago Same Issue. Cannot connect from ssh2 module, but works with ssh command line
Adding this: PubkeyAcceptedKeyTypes=+ssh-rsa to /etc/ssh/sshd_config works around the problem, but, will be available any fix to ssh2 npm module?
theophilusx
commented
2 years ago From what I can understand of this issue, openSSH has deprecated support for ssh-rsa because it uses sha1 for transport and the cost to compromise are now within the realms of possibility. Therefore, adding back ssh-rsa support to sshd_config is likely not a great idea.
However, apparently rsa-sh2-256 uses the same keys (but sha2 for transport) and can therefore be used with existing rsa keys i.e. no need to regenerate new keys. This makes me wonder if you could get around the issue by simply removing ssh-rsa as one of the supported algorithms in the client configuration. This should force the use of rsa-sha2-256 and as current versions of openSSH support this by default, there should be no need to modify sshd configurations (unless your running an old version of openssh of course).
I guess this moduel should remove ssh-rsa support - or at least mark it as deprecated and not have it enabled by default.
BTW for those who did add ssh-rsa to their sshd config and it didn't work, be aware that some Linux distributions (noteably those derived from RedHat) have an additional crypto policy enforcement service. This means that making changes to your sshd_config file will have no effect if the changes you make are attempting to alter the crypto policy on the server and you do not also update the configuration of the policy.
Yos6969
commented
2 years ago I get the error message "wrong signature type : ssh-rsa expected : rsa-sha2-512" when I try to connect server using module ssh2. I try to fix it by updating the version of libssh on server from 0.7.6 to 0.9.6. It works!
alanhe421
commented
2 years ago Thanks the commit https://github.com/mscdex/ssh2/pull/1200
fixed.
drmrbrewer
commented
2 years ago I'm having this problem in Ubuntu 22.04 (at both ends of the connection) and it would be great to have a fix! EDIT... or... using ssh keys based on ed25519 rather than rsa (i.e. generate with ssh-keygen -t ed25519) makes ssh2 work fine with Ubuntu 22.04... so I'm good to go again!
qishibo
commented
2 years ago any updates?
germankrause
commented
2 years ago Had the same problem with Ubuntu 22.04. Solved by downgrading Ubuntu to 20.04.
DanielBlancoMS
commented
2 years ago Hello, any updates regarding this issue? Is there an ETA for the fix?
Best Regards
DanielBlancoMS
commented
2 years ago Hello, any updates regarding this issue? Is there an ETA for the fix?
Is there any information you can share to us?
Best Regards
mscdex
commented
2 years ago @DanielBlancoMS No ETA. Besides, I heartily suggest people use ed25519 keys where possible, for reasons beyond this particular issue.
axkibe
commented
1 year ago Strange, I just thought I'll look into this a little more detailed. I cannot reproduce this issue with an Ubuntu 22.10 ssh client (openssh 1:9.0p1-ubuntu) to mscdex/ssh2 working as ssh server. rsa works as it previously had. Seems there was only a window in openssh versions where this was an issue?
jmichiel
commented
1 year ago @axkibe : I had the issue using it the other way round: ssh2 as client, embedded linux device as server.
mscdex
commented
1 year ago I had some time to take a crack at this and decided to mostly go with how the OpenSSH client does things, with the exception being that the sha1-based RSA offer will be sent if the server does not send a server-sig-algs extension, for greater backwards compatibility.
For ssh2 servers, ctx.key.algo will always be 'ssh-rsa' for RSA keys and a ctx.hashAlgo will now be available to make things a bit easier. Technically this would be a breaking change, but the only situation I can think of where this would be a problem would be clients sending sha2-based RSA offers (perhaps via trial and error) and implementors checking that ctx.key.algo against those sha2-based RSA signature names. Seeing as most SSH clients either only send 'ssh-rsa' or at least support server-sig-algs, I don't think this should be a problem, so the proposed changes won't need to land in a new major version.
If anyone wants to give it a try, feel free to checkout the ext_info branch and let me know how it works for you.
stevenyap
commented
1 year ago @mscdex This branch works for me.
robertcoopercode
commented
1 year ago @mscdex a member on our team (@bryan-hunter) tried your branch and it solved our issue. Thanks!
petermlyon
commented
1 year ago @mscdex THANKS SO MUCH FOR THIS
(it works a treat)
jmichiel
commented
1 year ago Doesn't seem to help in my case... I'm using SSH2 as a client to connect to an OpenSSH 8.8p1 server. It used to work on older versions of OpenSSH with default config. The only way to make it work is to change the OpenSSH config to allow ssh-rsa, which is suboptimal, as paramiko (python lib) seems to be able to work with the exact same key with a default OpenSSH config...
I am try to connect to a DigitalOcean droplet with ssh2.
Here's my code:
ssh2 fails with the following log:
And here's what
ssh -vvv root@xxx.xxx.xxx.xxx echo helloshows me:Is there another argument in
connect()that I need to include?