Open D3SL opened 10 months ago
Which server are you connecting to? Is this a really old OS?
The ssh package uses libssh, which is different from what is used by your local git/ssh commands. I think ssh-rsa is not the same as ssh-rsa, you specifically need the sha2 version.
Hi Jeroen. As I said in the first line of my post:
When trying to connect to a CentOS machine from Windows I receive the following error...
CentOS7 is not the newest operating system but it hasn't reached end of life yet and is still supported. Additionally this is a new error, I've been using this package for some time without issue.
Centos7 is not end of life yet, it is still supported. And as I said I've been using this package for some time now without issue, I've just noticed it now after having recently updated R and all packages.
Yes I suspect libssh has disabled the unsafe algorithms in a recent update. I'll try to find a workaround for you.
I think the issue is something else. I just checked with ssh -vv on the destination machines and these servers should absolutely support newer safer algorithms, at least if I'm reading this correctly. For some reason libssh from windows 10 to Centos7 can't seem to see these supported algorithms though:
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96
debug2: kex_parse_kexinit: hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
debug2: kex_parse_kexinit: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128@openssh.com,umac-128-etm@openssh.com
debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128@openssh.com,umac-128-etm@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
and another machine:
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c
debug2: host key algorithms: ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-dss
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
So at what version of updating the R package did this problem start appearing?
On windows I've got the R package v0.9.1 linking to libssh 0.10.5, and currently working in an ubuntu docker container I have R package version 0.8.2 linking to libssh 0.9.6.
For some reason R-ssh 0.9.1 and libssh 0.10.5 is seeing only ssh-rsa and ssh-dss on the target machine, even though it reports the following algorithms which overlap with the list given by R-ssh on my windows machine:
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
rsa-sha2-256
rsa-sha2-512
ssh-ed25519
sk-ssh-ed25519@openssh.com
For thoroughness here is a verbose output from R on the working ubuntu docker container:
ssh_connect: libssh 0.9.6 (c) 2003-2021 Aris Adamantiadis, Andreas Schneider and libssh contributors. Distributed under the LGPL, please refer to COPYING file for information about your rights, using threading threads_pthread
ssh_socket_connect: Nonblocking connection socket: 3
ssh_connect: Socket connecting, now waiting for the callbacks to work
socket_callback_connected: Socket connection callback: 1 (0)
ssh_client_connection_callback: SSH server banner: SSH-2.0-OpenSSH_5.3
ssh_analyze_banner: Analyzing banner: SSH-2.0-OpenSSH_5.3
ssh_analyze_banner: We are talking to an OpenSSH client version: 5.3 (50300)
ssh_known_hosts_read_entries: Failed to open the known_hosts file '/etc/ssh/ssh_known_hosts': No such file or directory
ssh_kex_select_methods: Negotiated diffie-hellman-group-exchange-sha256,ssh-rsa,aes256-ctr,aes256-ctr,hmac-sha2-256,hmac-sha2-256,none,none,,
ssh_packet_client_dhgex_group: SSH_MSG_KEX_DH_GEX_GROUP received
ssh_packet_client_dhgex_reply: SSH_MSG_KEX_DH_GEX_REPLY received
ssh_init_rekey_state: Set rekey after 4294967296 blocks
ssh_init_rekey_state: Set rekey after 4294967296 blocks
ssh_packet_client_dhgex_reply: SSH_MSG_NEWKEYS sent
ssh_packet_newkeys: Received SSH_MSG_NEWKEYS
ssh_packet_newkeys: Signature verified and valid
Found known server key: XXXXX
ssh_packet_userauth_failure: Access denied for 'none'. Authentication that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
ssh_packet_userauth_failure: Access denied for 'none'. Authentication that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
ssh_pki_import_pubkey_file: Error opening /root/.ssh/id_ed25519.pub: No such file or directory
ssh_pki_import_privkey_file: Error opening /root/.ssh/id_ed25519: No such file or directory
ssh_pki_import_pubkey_file: Error opening /root/.ssh/id_ecdsa.pub: No such file or directory
ssh_pki_import_privkey_file: Error opening /root/.ssh/id_ecdsa: No such file or directory
ssh_pki_import_pubkey_file: Error opening /root/.ssh/id_rsa.pub: No such file or directory
ssh_pki_import_privkey_file: Error opening /root/.ssh/id_rsa: No such file or directory
ssh_pki_import_pubkey_file: Error opening /root/.ssh/id_dsa.pub: No such file or directory
ssh_pki_import_privkey_file: Error opening /root/.ssh/id_dsa: No such file or directory
ssh_userauth_publickey_auto: Tried every public key, none matched
Does the verbose output on Windows show any hints why other methods are not considered?
Here's the verbose output of my win10 computer with the latest R package trying to connect to the same remote as the previous log.
ssh_pki_import_privkey_base64: Trying to decode privkey passphrase=false
ssh_pki_openssh_import: Opening OpenSSH private key: ciphername: none, kdf: none, nkeys: 1
ssh_config_parse_line: Unsupported option: AddKeysToAgent, line: 5
ssh_connect: libssh 0.10.5 (c) 2003-2023 Aris Adamantiadis, Andreas Schneider and libssh contributors. Distributed under the LGPL, please refer to COPYING file for information about your rights, using threading threads_pthread
ssh_socket_connect: Nonblocking connection socket: 32740
ssh_connect: Socket connecting, now waiting for the callbacks to work
socket_callback_connected: Socket connection callback: 1 (0)
ssh_client_connection_callback: SSH server banner: SSH-2.0-OpenSSH_5.3
ssh_analyze_banner: Analyzing banner: SSH-2.0-OpenSSH_5.3
ssh_analyze_banner: We are talking to an OpenSSH server version: 5.3 (50300)
ssh_known_hosts_read_entries: Failed to open the known_hosts file '/etc/ssh/ssh_known_hosts': No such file or directory
ssh_kex_select_methods: kex error : no match for method server host key algo: server [ssh-rsa,ssh-dss], client [rsa-sha2-512,rsa-sha2-256,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com]
Error: libssh failure at 'connect': kex error : no match for method server host key algo: server [ssh-rsa,ssh-dss], client [rsa-sha2-512,rsa-sha2-256,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com]
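The mismatch in the Windows log above, worked through as an added example (not code from the R ssh package or libssh): it parses the libssh `kex error` line quoted in this thread and applies the SSH rule that the agreed algorithm is the first name on the client's list that the server also lists. The function names are hypothetical, and the extra conditions RFC 4253 places on key exchange and host key selection are left out.

```python
import re

# Failure line as it appears in the Windows (libssh 0.10.5) log in this thread.
FAILED = (
    "ssh_kex_select_methods: kex error : no match for method server host key algo: "
    "server [ssh-rsa,ssh-dss], client [rsa-sha2-512,rsa-sha2-256,ssh-ed25519,"
    "ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,"
    "sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com]"
)

KEX_ERROR = re.compile(
    r"kex error : no match for method (?P<method>.+?): "
    r"server \[(?P<server>[^\]]*)\], client \[(?P<client>[^\]]*)\]"
)

# Host key signature algorithms that hash with SHA-1 (RFC 4253).
SHA1_HOSTKEY_ALGOS = {"ssh-rsa", "ssh-dss"}


def parse_kex_error(line):
    """Return (method, server_list, client_list), or None if not a kex mismatch line."""
    m = KEX_ERROR.search(line)
    if m is None:
        return None
    split = lambda s: [a for a in s.split(",") if a]
    return m["method"], split(m["server"]), split(m["client"])


def negotiate(client, server):
    """First name on the client's list that the server also lists; None if disjoint."""
    offered = set(server)
    return next((algo for algo in client if algo in offered), None)


def diagnose(line):
    """Summarise a kex mismatch: what was agreed and what only the server offers."""
    parsed = parse_kex_error(line)
    if parsed is None:
        return None
    method, server, client = parsed
    return {
        "method": method,
        "agreed": negotiate(client, server),
        # True when every host key algorithm the server offers signs with SHA-1.
        "server_sha1_only": "host key" in method and bool(server)
        and set(server) <= SHA1_HOSTKEY_ALGOS,
        "server_only": [a for a in server if a not in client],
    }


if __name__ == "__main__":
    print(diagnose(FAILED))
    # Constructed client list that still offers ssh-rsa, as the 0.9.6 session did.
    print(negotiate(["ssh-ed25519", "ssh-rsa"], ["ssh-rsa", "ssh-dss"]))
```

On the thread's failure line, `agreed` is `None` and `server_sha1_only` is true: the two lists are disjoint because the server offers only `ssh-rsa` and `ssh-dss`, and the libssh 0.10.5 client list contains neither.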
When trying to connect to a CentOS machine from Windows I receive the following error:
However when I check in cmd, git bash, and powershell I see that I do have ssh-rsa in the lists and interestingly don't have some of the algorithms listed by R's SSH package.
CMD:
Git Bash: