ytti / oxidized

Oxidized is a network device configuration backup tool. It's a RANCID replacement!
Apache License 2.0

Oxidized can't connect to FirewareOS device after Fireware v12.8.2 Update 1 - could not settle on kex algorithm curve25519-sha256@libssh.org #3070

Open netdiver opened 5 months ago

netdiver commented 5 months ago

Hi all, I am experiencing this issue: Oxidized can't connect to a Watchguard Firewall via SSH with these log entries:

watchguard/firewall.example.com status no_connection, retry attempt 3
10.0.0.1 raised Net::SSH::Exception (rescued RuntimeError) with msg "could not settle on kex algorithm
Server kex preferences: curve25519-sha256@libssh.org
Client kex preferences: ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1"

I am using latest image from docker hub, version 0.29.1-148

WatchGuard hardened the security of the SSH connection in Fireware OS 12.8.2 Update 1, and that matches the last date of a successful connection to the device.

https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA16S00000110lISAQ&lang=en_US

netdiver commented 4 months ago

By accident, today I found the GitHub repo of net-ssh https://github.com/net-ssh/net-ssh and found out that the KEX algorithm curve25519-sha256 can be supported only by adding another Ruby gem to the package:

https://github.com/net-ssh/net-ssh?tab=readme-ov-file#key-exchange

Key Exchange

Name              | Support | Details
curve25519-sha256 | OK      | Require the gem x25519

As I'm not a Ruby developer I am just asking to add this gem to the Oxidized package and to the Oxidized Docker image. Or I can contribute to this if someone gives some directions. Thanks in advance!

EvilGrinUK commented 4 months ago

I've had a fiddle with this myself. I've forked the repo, added the dependency on x25519 and reinstalled oxidized from my forked repo.

I've changed the oxidized config so that I have the ssh kex mapped and then in my router.db I have specified the KEX to be curve25519-sha256 for the WatchGuard I have here.

Unfortunately it still doesn't connect correctly. Either I have done something wrong or there is more needed to support this properly.

netdiver commented 4 months ago

Thank you for trying it out. So that's not the solution to this problem... Could it be that curve25519-sha256@libssh.org is not the same as curve25519-sha256? Or rather, that the different naming is not supported by Net::SSH?

It seems that the name of the algorithm was initially curve25519-sha256@libssh.org and was then changed to curve25519-sha256. It is possible that Net::SSH does not support the old name.

netdiver commented 4 months ago

@EvilGrinUK can you check in the log whether curve25519-sha256 (without @libssh.org) is offered to the server after your modifications? In particular, in the line that begins with "Client kex preferences:".

netdiver commented 4 months ago

Maybe I'm wrong. Here the gem (https://github.com/net-ssh/net-ssh/blob/f54a2270dba3974081663b9780b493ed8d332a07/lib/net/ssh/transport/kex.rb#L28) seems to offer the same algorithm under both names.

and the last commit is from three years ago, so it has to be working!
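The negotiation behind the "could not settle on kex algorithm" error, as an added example that is not code from Oxidized or net-ssh: it parses the two "kex preferences" lines quoted in this thread and applies the RFC 4253 section 7.1 rule (the chosen algorithm is the first name on the client's list that the server also lists; names are compared as exact strings). The helper names parse_kex_preferences, negotiate_kex and missing_from_client are my own, the sample log text is constructed from the lines above, and nothing here exercises net-ssh itself or the x25519 gem.

```ruby
# Added example (not Oxidized or net-ssh code): reproduces the SSH key-exchange
# negotiation rule from RFC 4253 section 7.1 over the "kex preferences" lines
# that net-ssh prints in the error above. Algorithm names are compared as exact
# strings, so "curve25519-sha256" and "curve25519-sha256@libssh.org" only match
# a server that advertises that exact spelling.

# Constructed sample: the two preference lines from the log in this thread.
LOG_LINES = <<~LOG
  Server kex preferences: curve25519-sha256@libssh.org
  Client kex preferences: ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
LOG

# Parse "<Side> kex preferences: a,b,c" lines into
# { "server" => [...], "client" => [...] }; other lines are ignored.
def parse_kex_preferences(text)
  prefs = {}
  text.each_line do |line|
    if (m = line.match(/\A\s*(Server|Client) kex preferences:\s*(.*?)\s*\z/))
      prefs[m[1].downcase] = m[2].split(",").map(&:strip).reject(&:empty?)
    end
  end
  prefs
end

# RFC 4253 section 7.1: the negotiated kex algorithm is the first name on the
# client's list that also appears on the server's list. nil means no common
# algorithm, which is the "could not settle on kex algorithm" failure.
def negotiate_kex(client_prefs, server_prefs)
  client_prefs.find { |alg| server_prefs.include?(alg) }
end

# Server-advertised names the client would have to add to its list to connect.
def missing_from_client(client_prefs, server_prefs)
  server_prefs - client_prefs
end

if $PROGRAM_NAME == __FILE__
  prefs = parse_kex_preferences(LOG_LINES)

  # The lists from the log share no name, so negotiation fails.
  puts "negotiated: #{negotiate_kex(prefs['client'], prefs['server']).inspect}"
  puts "client would need: #{missing_from_client(prefs['client'], prefs['server']).join(', ')}"

  # Offering only the un-suffixed name still fails: the strings differ.
  puts "un-suffixed only: #{negotiate_kex(['curve25519-sha256'], prefs['server']).inspect}"

  # Offering the exact name the server advertises succeeds.
  both = ["curve25519-sha256@libssh.org", "ecdh-sha2-nistp256"]
  puts "exact name: #{negotiate_kex(both, prefs['server']).inspect}"
end
```

Run it with `ruby kex_negotiation.rb` (or paste the log of another failing device into LOG_LINES): missing_from_client prints exactly which server-side names the client's KEXINIT would have to carry, which is the check to make when comparing a device's SSH hardening notes against what the client library actually advertises.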

buzzzo commented 3 months ago

Hi

Is any workaround known for this?

volkermauel commented 1 week ago

W, [2024-07-08T09:20:28.206712 #30]  WARN -- : 10.x.y.z raised Net::SSH::Exception (rescued RuntimeError) with msg "could not settle on kex algorithm
Server kex preferences: curve25519-sha256@libssh.org
Client kex preferences: ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1"

Running into the same problem