shazow / ssh-chat

Chat over SSH.
https://shazow.net/posts/ssh-how-does-it-even/
MIT License

Support ed25519 #370

Closed SuperSandro2000 closed 3 years ago

SuperSandro2000 commented 3 years ago

Expected Behavior

The server should support ed25519.

Actual Behavior

It only accepts RSA.

Steps to reproduce behavior

Try to connect without an RSA algorithm in KexAlgorithms.

Additional Comments

shazow commented 3 years ago

What version are you using?

SuperSandro2000 commented 3 years ago

I tried to connect to ssh ssh.chat.

shazow commented 3 years ago
shazow@shazowic-corvus ~/projects/ssh-chat $ ssh-keygen -f test.key -t ed25519
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in test.key
Your public key has been saved in test.key.pub
The key fingerprint is:
SHA256:/neGe84HC0ou5qnipmja2jidV2n7zQvgjSqADuCVG6o shazow@shazowic-corvus
The key's randomart image is:
+--[ED25519 256]--+
|                 |
|                 |
|    .            |
|.  +             |
|+ o o ..S        |
|+o . .+=  . . .  |
|+o . oo.+o . o o |
|EB+ +.. o*o o.= .|
|Bo+*o..=+.=o.*o. |
+----[SHA256]-----+
shazow@shazowic-corvus ~/projects/ssh-chat $ ssh -v -i test.key ssh.chat
OpenSSH_8.4p1, OpenSSL 1.1.1i  8 Dec 2020
debug1: Reading configuration data /home/shazow/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 5: Applying options for *
debug1: Connecting to ssh.chat [104.131.112.139] port 22.
debug1: Connection established.
debug1: identity file test.key type 3
debug1: identity file test.key-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.4
debug1: Remote protocol version 2.0, remote software version Go ssh-chat
debug1: no match: Go ssh-chat
debug1: Authenticating to ssh.chat:22 as 'shazow'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:HQDLlZsXL3t0lV5CHM0OXeZ5O6PcfHuzkS8cRbbTLBI
debug1: Host 'ssh.chat' is known and matches the RSA host key.
debug1: Found key in /home/shazow/.ssh/known_hosts:38
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: shazow@shazowic-corvus ED25519 SHA256:2D7rJe3udrs8R6fyiRyUzPtTWxCAze6zIoB5mZ+4Cbs agent
debug1: Will attempt key: test.key ED25519 SHA256:/neGe84HC0ou5qnipmja2jidV2n7zQvgjSqADuCVG6o explicit
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: shazow@shazowic-corvus ED25519 SHA256:2D7rJe3udrs8R6fyiRyUzPtTWxCAze6zIoB5mZ+4Cbs agent
debug1: Server accepts key: shazow@shazowic-corvus ED25519 SHA256:2D7rJe3udrs8R6fyiRyUzPtTWxCAze6zIoB5mZ+4Cbs agent
debug1: Authentication succeeded (publickey).
Authenticated to ssh.chat ([104.131.112.139]:22).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: network
 * Welcome to ssh-chat
SuperSandro2000 commented 3 years ago
$ ssh ssh.chat -o KexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

Unable to negotiate with 104.131.112.139 port 22: no matching host key type found. Their offer: ssh-rsa
shazow commented 3 years ago

What version is your ssh client? How did you generate your key?

$ ssh -v -i test.key -o KexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 ssh.chat
OpenSSH_8.4p1, OpenSSL 1.1.1i  8 Dec 2020
debug1: Reading configuration data /home/shazow/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 5: Applying options for *
debug1: Connecting to ssh.chat [104.131.112.139] port 22.
debug1: Connection established.
debug1: identity file test.key type 3
debug1: identity file test.key-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.4
debug1: Remote protocol version 2.0, remote software version Go ssh-chat
debug1: no match: Go ssh-chat
debug1: Authenticating to ssh.chat:22 as 'shazow'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:HQDLlZsXL3t0lV5CHM0OXeZ5O6PcfHuzkS8cRbbTLBI
debug1: Host 'ssh.chat' is known and matches the RSA host key.
debug1: Found key in /home/shazow/.ssh/known_hosts:38
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: shazow@shazowic-corvus ED25519 SHA256:2D7rJe3udrs8R6fyiRyUzPtTWxCAze6zIoB5mZ+4Cbs agent
debug1: Will attempt key: test.key ED25519 SHA256:Z+Z1VabqZnWgSwaQjBcj+4sHZ1nEobxKvV5ESrhvF5I explicit
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: shazow@shazowic-corvus ED25519 SHA256:2D7rJe3udrs8R6fyiRyUzPtTWxCAze6zIoB5mZ+4Cbs agent
debug1: Server accepts key: shazow@shazowic-corvus ED25519 SHA256:2D7rJe3udrs8R6fyiRyUzPtTWxCAze6zIoB5mZ+4Cbs agent
debug1: Authentication succeeded (publickey).
Authenticated to ssh.chat ([104.131.112.139]:22).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: network
 * Welcome to ssh-chat, enter /help for more.
SuperSandro2000 commented 3 years ago

> What version is your ssh client? How did you generate your key?

That is irrelevant and has nothing to do with the problem here. Your server only accepts rsa keys which I do not have enabled.

shazow commented 3 years ago

Do the logs I pasted from my client not demonstrate that the server accepts an ED25519 key?

SuperSandro2000 commented 3 years ago

> Do the logs I pasted from my client not demonstrate that the server accepts an ED25519 key?

I actually pasted the wrong command. You can reproduce it easily with:

Does work:

ssh ssh.chat -o HostKeyAlgorithms=ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256,ssh-rsa-cert-v01@openssh.com,ssh-rsa

Does not work:

ssh ssh.chat -o HostKeyAlgorithms=ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256,ssh-rsa-cert-v01@openssh.com
shazow commented 3 years ago

That's the host key. ssh.chat has an RSA host key. Of course not accepting RSA keys won't let you connect to a host that has an RSA key.

SuperSandro2000 commented 3 years ago

Every openssh-server setup in the last years supports ed25519.

shazow commented 3 years ago

As I said, ssh-chat supports ed25519 also.

The public server that I've been operating for 6 years happens to use an RSA key, even though it supports ED25519 keys as well.

If you want to run a server with an ed25519 key, there is nothing stopping you.
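The confusion in this thread is between the server's host key (negotiated in kex, filtered by the client's HostKeyAlgorithms option) and the user's authentication key (offered during publickey auth). The script below is an added example, not ssh-chat's own code: it pulls both facts out of an `ssh -v` transcript and checks a HostKeyAlgorithms list against a server's "Their offer" list to explain a "no matching host key type found" failure. The log excerpt and fingerprints are constructed placeholders modelled on the logs above.

```shell
#!/bin/sh
# Added example (not ssh-chat's code): separate "what host key did the server
# present?" from "what user key did the server accept?" using ssh -v output.

# Constructed, abridged ssh -v excerpt; fingerprints are placeholders.
SAMPLE_LOG='debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-rsa
debug1: Server host key: ssh-rsa SHA256:PLACEHOLDERHOSTKEYFP
debug1: Offering public key: alice@example ED25519 SHA256:PLACEHOLDERUSERFP agent
debug1: Server accepts key: alice@example ED25519 SHA256:PLACEHOLDERUSERFP agent
debug1: Authentication succeeded (publickey).'

# Host-key algorithm negotiated in kex: the SERVER'S identity key type,
# which the client's HostKeyAlgorithms option must allow.
host_key_alg() {
  printf '%s\n' "$1" | sed -n 's/^debug1: kex: host key algorithm: //p' | head -n 1
}

# Type of the USER key the server accepted for authentication (the field just
# before the SHA256: fingerprint), or "none" if no key was accepted.
accepted_user_key_type() {
  t=$(printf '%s\n' "$1" | awk '/^debug1: Server accepts key: / {
        for (i = 1; i <= NF; i++) if ($i ~ /^SHA256:/) { print $(i-1); exit } }')
  printf '%s\n' "${t:-none}"
}

# Given the client's HostKeyAlgorithms list and the server's "Their offer:" list
# (both comma-separated), print the first common type, or return 1 if none.
# An empty intersection is exactly what "no matching host key type found" means.
hostkey_overlap() {
  for c in $(printf '%s' "$1" | tr ',' ' '); do
    for o in $(printf '%s' "$2" | tr ',' ' '); do
      [ "$c" = "$o" ] && { printf '%s\n' "$c"; return 0; }
    done
  done
  return 1
}

# Walk through the thread's scenario when run directly.
echo "host key algorithm: $(host_key_alg "$SAMPLE_LOG")"
echo "accepted user key:  $(accepted_user_key_type "$SAMPLE_LOG")"
if hostkey_overlap 'ssh-ed25519,rsa-sha2-512,rsa-sha2-256' 'ssh-rsa' >/dev/null; then
  echo "client list overlaps server offer: connection proceeds"
else
  echo "client HostKeyAlgorithms omits every type the server offers: connection fails"
fi
```

Running it shows an ED25519 user key being accepted over a connection whose host key is RSA, which is the situation shazow's logs describe.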