Open netdiver opened 5 months ago
By accident I today found the github repo of net-ssh https://github.com/net-ssh/net-ssh and found out that the KEX algorithm curve25519-sha256 can be supported only adding another ruby gem to the package:
https://github.com/net-ssh/net-ssh?tab=readme-ov-file#key-exchange
Name | Support | Details |
---|---|---|
curve25519-sha256 | OK | Require the gem x25519 |
As I'm not a Ruby developer I am just asking to add this gem to the Oxidized package and to the Oxidized Docker image. Or I can contribute to this if someone gives some directions. Thanks in advance!
I've had a fiddle with this myself. I've forked the repo, added the dependency on x25519 and reinstalled oxidized from my forked repo.
I've changed the oxidized config so that I have the ssh kex mapped and then in my router.db I have specified the KEX to be curve25519-sha256 for the WatchGuard I have here.
Unfortunately it still doesn't connect correctly. Either I have done something wrong or there is more needed to support this properly.
Thank you for trying it out. So that's not the solution to this problem... Could it be that curve25519-sha256@libssh.org is not the same as curve25519-sha256 ??? Or better, the different naming is not supported by Net::SSH ???
It seems that the name of the algorithm was initially curve25519-sha256@libssh.org and then has been changed in curve25519-sha256. It is possible that Net::SSH does not support the old name.
@EvilGrinUK can you look in the log if the curve25519-sha256 (without @libssh.org) is offered to the server after your modifications? In particular in the line that begins with "Client kex preferences:"
Maybe I'm wrong. Here the gem: https://github.com/net-ssh/net-ssh/blob/f54a2270dba3974081663b9780b493ed8d332a07/lib/net/ssh/transport/kex.rb#L28 seems to offer the same algorithm for both names.
and the last commit is from three years ago, so it has to be working!
Hi
Is it known any workaround for this ?
W, [2024-07-08T09:20:28.206712 #30] WARN -- : 10.x.y.z raised Net::SSH::Exception (rescued RuntimeError) with msg "could not settle on kex algorithm
Server kex preferences: curve25519-sha256@libssh.org
Client kex preferences: ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1"
Running into the same problem
Hi all, I am experiencing this issue: Oxidized can't connect to a Watchguard Firewall via SSH with these log entries:
I am using latest image from docker hub, version 0.29.1-148
Watchguard hardened security of the SSH connection with the 12.8.2 Update 1 of firewareOS, and it matches with last date of successful connection to the device.
https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA16S00000110lISAQ&lang=en_US