No connectivity against recent OpenSSH 8.2

[mirabilos]

I’m trying to use vx.connectbot from F-Droid to upload files to my laptop over WLAN and see this in syslog on the laptop, running Debian unstable:

sshd[11179]: Unable to negotiate with 192.168.178.24 port 42928: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]

OpenSSH 8.2 only offers these KexAlgorithms by default:

curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256

Please implement diffie-hellman-group-exchange-sha256, should be closest to what already exists.

[DmitryBurstein]

Having the same problem on Fedora 32 with OpenSSH 8.3p1

[hyc]

Use the vx-connectbot-1.7.1-41-beta.apk from the home page http://connectbot.vx.sk/

[tovine]

Same thing applies to current Debian stable, this needs to be updated or this app is essentially broken in 2021

[hyc]

Also the beta APK seems to only work well the first time it's run. Usually after that it hangs after the session handshake. I have to kill it and restart it multiple times for it to work after that.

The original Connectbot project works well in this respect, but the rest of its UI is horrible. Screen size/rotation changes don't work well, and so many of the useful VX menu items are of course absent. Would be nice to put their up to date SSH backend into VX Connectbot.

[bmomjian]

Debian's current stable release, Bullseye, also fails with this problem, even using Android vx-connectbot-1.7.1-41-beta.apk. I had to modify sshd_config on Debian to fix it.

[mirabilos]

Bruce Momjian dixit:

modify sshd_config on Debian to fix it.

Care to share what modification(s) are necessary?

Thanks, //mirabilos --

you introduced a merge commit │ % g rebase -i HEAD^^ sorry, no idea and rebasing just fscked │ Segmentation should have cloned into a clean repo │ fault (core dumped) if I rebase that now, it's really ugh │ wuahhhhhh

[bmomjian]

Sure. I found the proper fix on the Debian lists at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952687. The addition to /etc/ssh/sshd_config was:

KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha1

Ubuntu had a similar fix at https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1877496 but it didn't work consistently. The line was: KexAlgorithms +diffie-hellman-group14-sha1

[hyc]

I've restructured the VXConnectbot source code so that it builds with modern Android Studio, here https://github.com/hyc/vxconnectbot

I've then modified it to use https://github.com/connectbot/sshlib which has been updated with newer encryption algorithms.

I now have a working Debug APK for myself. There's one glitch on the initial Host screen, the input box for typing in your user@hostname isn't being drawn fully. But you can put garbage in and then edit the host afterward. I'll see if I can figure out why the display is glitched there, but the rest is working.

[bmomjian]

That is great news. I started looking for alternatives to this app after it wasn't being updated and never found something with similar features, so it would be good to get this app updated.

[hyc]

Note that you'll need to uninstall your existing version before you can install the debug build. You should probably back up your settings first.

Maybe we can get @mmatuska motivated to synch up and release a new official binary.

[hyc]

I've uploaded an APK that you can use as well. https://github.com/hyc/vxconnectbot/releases/tag/v1.7.1-50

[bmomjian]

As much as I prefer xvconnectbot over connectbot, the connectbot developers have restarted development, and I need ed25519 keys, so I am going to switch back to that. The most recent connectbot commit was on June 10, 2023.

[hyc]

I don't understand - the update I posted supports ed25519 keys. Did it not work for you?

[bmomjian]

Sorry i was not clear. I have been using vx-connectbot for years as unsupported software and installing a build that even fewer people use was just too risky for a security-critical application like ssh. Sorry. I decided to move back to connectbot for that reason.