Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ssh-keyscan can choose unsupported KEX algorithm #2140

Open
3 tasks done
heidelman opened this issue Sep 12, 2023 · 10 comments · May be fixed by PowerShell/openssh-portable#756
Open
3 tasks done

ssh-keyscan can choose unsupported KEX algorithm #2140

heidelman opened this issue Sep 12, 2023 · 10 comments · May be fixed by PowerShell/openssh-portable#756
Labels
Investigate

Comments

@heidelman
Copy link

Prerequisites

  • Write a descriptive title.
  • Make sure you are able to repro it on the latest version
  • Search the existing issues.

Steps to reproduce

The ssh-keyscan.exe client application can propose unsupported KEX algorithms, notably [email protected]. The server (if it also supports sntrup) will also propose sntrup. However, ssh-keyscan.exe will then fail in choose_kex with the error:
choose_kex: unsupported KEX method [email protected]
That KEX algorithm requires a C99 compiler and is hidden behind a #if in defines.h.

ssh.exe and sshd.exe do not have this issue, because only supported KEX algorithms are proposed using the function match_filter_allowlist.

Client requirement: Win32-OpenSSH version 9.2 (a merge in 9.1 moved sntrup to the top of the preferred KEX list)
Server requirement: Linux (for enabled [email protected] support) OpenSSH version >=8.9 (where sntrup support was added)

ssh.exe -V
OpenSSH_for_Windows_9.2p1, LibreSSL 3.7.2

ssh-keyscan.exe -vvv ip

Expected behavior

ssh-keyscan.exe should not claim to support [email protected].

Actual behavior

debug1: kex: algorithm: [email protected]
choose_kex: unsupported KEX method [email protected]
debug2: local client KEXINIT proposal
debug2: KEX algorithms: [email protected]__,curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

Error details

full output:

debug1: CIDR range 192.168.1.181
debug1: CIDR expand: address 192.168.1.181
debug2: fd 3 setting O_NONBLOCK
debug3: conalloc: oname 192.168.1.181 kt 2
debug2: fd 4 setting O_NONBLOCK
debug3: conalloc: oname 192.168.1.181 kt 4
debug2: fd 5 setting O_NONBLOCK
debug3: conalloc: oname 192.168.1.181 kt 8
debug2: fd 6 setting O_NONBLOCK
debug3: conalloc: oname 192.168.1.181 kt 32
debug2: fd 7 setting O_NONBLOCK
debug3: conalloc: oname 192.168.1.181 kt 64
debug1: compat_banner: match: OpenSSH_8.9 pat OpenSSH* compat 0x04000000
# 192.168.1.181:22 SSH-2.0-OpenSSH_8.9
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: [email protected],curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected]
debug2: compression stoc: none,[email protected]
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,[email protected],diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: aes256-ctr,aes192-ctr,aes128-ctr
debug2: ciphers stoc: aes256-ctr,aes192-ctr,aes128-ctr
debug2: MACs ctos: hmac-sha2-512,hmac-sha2-256
debug2: MACs stoc: hmac-sha2-512,hmac-sha2-256
debug2: compression ctos: none,[email protected]
debug2: compression stoc: none,[email protected]
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: [email protected]
choose_kex: unsupported KEX method [email protected]
debug1: compat_banner: match: OpenSSH_8.9 pat OpenSSH* compat 0x04000000

Environment data

$PSVersionTable

Name                           Value
----                           -----
PSVersion                      7.3.6
PSEdition                      Core
GitCommitId                    7.3.6
OS                             Microsoft Windows 10.0.22621
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Version

9.2p1

Visuals

No response
@AndrewSav
Copy link

Having the same issue with v9.4.0.0p1-Beta

@brainos233
Copy link

sntrup761x25519 needs variable length arrays, see https://github.com/PowerShell/openssh-portable/blob/59aba65cf2e2f423c09d12ad825c3b32a11f408f/defines.h#L942

#if defined(VARIABLE_LENGTH_ARRAYS) && defined(VARIABLE_DECLARATION_AFTER_CODE)
# define USE_SNTRUP761X25519 1
#endif

But msvc does not support variable length arrays 😕

@AndrewSav
Copy link

If it's not supported it should not be proposed?

@triatic
Copy link

triatic commented Jun 16, 2024

I came across this issue when testing 9.5p1. I suppose I'll just go back to using 8.1p1 which is bundled with Windows 10.

@triatic
Copy link

triatic commented Oct 10, 2024

4 months later... 9.5p1 has been bundled into the latest update for Windows 10. I think a lot more people will be seeing this bug now.

@Peter-76
Copy link

Same here, have 9.5p1 now and my script that worked 2 days ago stopped working.

@tgauth tgauth linked a pull request Oct 11, 2024 that will close this issue
Open
@Brink2Three
Copy link

Same here, anything newer than 9.5p1 appears to break. Had to manually rollback to 8.9p1 on multiple machines as newer versions are also broken :(

$ ssh-keyscan -t rsa 10.xx.xx.xxx
# 10.xx.xx.xxx:22 SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6
choose_kex: unsupported KEX method [email protected]

@kthy
Copy link

kthy commented Oct 28, 2024

Also just bitten by this. Is there a way to restrict the KEX list at runtime using flags, or does this essentially break ssh-keyscan until the PR is merged and released?

@tgauth
Copy link
Collaborator

tgauth commented Oct 28, 2024

Also just bitten by this. Is there a way to restrict the KEX list at runtime using flags, or does this essentially break ssh-keyscan until the PR is merged and released?

Yes, but the restriction has to be done via sshd, rather than ssh-keyscan as sshd_config has a KexAlgorithms directive

@kthy
Copy link

kthy commented Oct 28, 2024

Yeah, I figured out I could do that, but if I didn't control the sshd setup on the target server I would've been SOL.

Thanks @tgauth for doing the patch on this 👏 - hoping we'll see a patch release asap.

@MaineK00n MaineK00n mentioned this issue Nov 12, 2024
Merged
9 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Investigate
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

remove sntrup761x25519-sha512 from supported kex list tgauth/openssh-portable
9 participants
@kthy @AndrewSav @tgauth @maertendMSFT @Peter-76 @brainos233 @triatic @heidelman @Brink2Three