subject:"Re\: OpenWRT Dropbear v2020.80\: Exit before auth\: No matching algo kex"

Re: OpenWRT Dropbear v2020.80: Exit before auth: No matching algo kex

2020-10-23 Thread Jamie Lokier

Walter Harms wrote:
> This is caused by changes in ssh_config. You can try:
>   ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 USER@TARGET 
> 
> or persistent in ssh_config 
> KexAlgorithms=+diffie-hellman-group1-sha1 
> 
> your mileage may vary etc.
> 
> re,
>  wh

Thanks!

This advice has shown me how to connect directly to an old OpenSSH server again
(not Dropbear), instead of via intermediate hops on intermediate servers :)

However after reading [1] I decided a safer kex is diffie-hellman-group14-sha1
(group14 instead of group1).

Mentioning this in case it's also an option for old Dropbear/OpenWRT users.

[1] 
https://tools.ietf.org/id/draft-ietf-curdle-ssh-kex-sha2-09.html#rfc.section.3.4
"Key Exchange (KEX) Method Updates and Recommendations for Secure Shell (SSH)".

Best,
-- Jamie

Re: OpenWRT Dropbear v2020.80: Exit before auth: No matching algo kex

2020-10-23 Thread Matt Johnston

Forcing diffie-hellman-group1-sha1 shouldn't usually be necessary. 
The only case would be for servers prior to 2018.76 that compiled with all 
other default options disabled.

Cheers,
Matt

> On Fri 23/10/2020, at 9:00 pm, Tang Jiye  wrote:
> 
> Hi Walter,
> 
> What if I want to use ecdh and ecdsa for kex and signing while 
> diffie-hellman-group1-sha1 is disabled.
> 
> It should work as well right ?
> 
> Jiye
> 
> Walter Harms mailto:wha...@bfs.de>> 于2020年10月23日周五 上午5:24写道：
> This is caused by changes in ssh_config. You can try:
>   ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 USER@TARGET 
> 
> or persistent in ssh_config 
> KexAlgorithms=+diffie-hellman-group1-sha1 
> 
> your mileage may vary etc.
> 
> re,
>  wh
> 
> Von: Dropbear [dropbear-boun...@ucc.asn.au 
> ] im Auftrag von Piotr Jurkiewicz 
> [piotr.jerzy.jurkiew...@gmail.com ]
> Gesendet: Donnerstag, 22. Oktober 2020 20:33
> An: dropbear@ucc.asn.au 
> Betreff: OpenWRT Dropbear v2020.80: Exit before auth: No matching algo kex
> 
> Hi,
> 
> when trying to connect to OpenWRT router (mipsel_24kc architecture) with
> PyCharm (uses sshj v0.29.0 client library) I started to get the
> following error:
> 
>  Exit before auth from : No matching algo kex
> 
> I remember that couple of month ago it worked fine. I have downgraded
> Dropbear package on the router to version from the previous OpenWRT
> release (v2020.78) and indeed I am able to connect to it.
> 
> I have tried removing the ed25519 hostkey in v2020.80, but it does not help.
> 
> Below I am pasting hex dumps of negotiation on both versions:
> 
> Dropbear v2020.80 (No matching algo kex):
> 
>   53 53 48 2d 32 2e 30 2d  53 53 48 4a 5f 30 2e 32 SSH-2.0- SSHJ_0.2
> 0010  39 2e 30 0d 0a   9.0..
>    53 53 48 2d 32 2e 30 2d  64 72 6f 70 62 65 61 72 SSH-2.0-
> dropbear
>  0010  0d 0a 00 00 01 84 07 14  be 21 14 d9 76 eb d7 98 
> .!..v...
>  0020  a7 14 cd b1 ee ce 91 14  00 00 00 82 63 75 72 76 
> curv
>  0030  65 32 35 35 31 39 2d 73  68 61 32 35 36 2c 63 75 e25519-s
> ha256,cu
>  0040  72 76 65 32 35 35 31 39  2d 73 68 61 32 35 36 40 rve25519
> -sha256@
>  0050  6c 69 62 73 73 68 2e 6f  72 67 2c 64 69 66 66 69 libssh.o
> rg,diffi
>  0060  65 2d 68 65 6c 6c 6d 61  6e 2d 67 72 6f 75 70 31 e-hellma
> n-group1
>  0070  34 2d 73 68 61 32 35 36  2c 64 69 66 66 69 65 2d 4-sha256
> ,diffie-
>  0080  68 65 6c 6c 6d 61 6e 2d  67 72 6f 75 70 31 34 2d hellman-
> group14-
>  0090  73 68 61 31 2c 6b 65 78  67 75 65 73 73 32 40 6d sha1,kex
> guess2@m
>  00A0  61 74 74 2e 75 63 63 2e  61 73 6e 2e 61 75 00 00 att.ucc.
> asn.au..
>  00B0  00 20 73 73 68 2d 65 64  32 35 35 31 39 2c 72 73 . ssh-ed
> 25519,rs
>  00C0  61 2d 73 68 61 32 2d 32  35 36 2c 73 73 68 2d 72 a-sha2-2
> 56,ssh-r
>  00D0  73 61 00 00 00 33 63 68  61 63 68 61 32 30 2d 70 sa...3ch
> acha20-p
>  00E0  6f 6c 79 31 33 30 35 40  6f 70 65 6e 73 73 68 2e oly1305@
> openssh.
>  00F0  63 6f 6d 2c 61 65 73 31  32 38 2d 63 74 72 2c 61 com,aes1
> 28-ctr,a
>  0100  65 73 32 35 36 2d 63 74  72 00 00 00 33 63 68 61 es256-ct
> r...3cha
>  0110  63 68 61 32 30 2d 70 6f  6c 79 31 33 30 35 40 6f cha20-po
> ly1305@o
>  0120  70 65 6e 73 73 68 2e 63  6f 6d 2c 61 65 73 31 32 penssh.c
> om,aes12
>  0130  38 2d 63 74 72 2c 61 65  73 32 35 36 2d 63 74 72 8-ctr,ae
> s256-ctr
>  0140  00 00 00 17 68 6d 61 63  2d 73 68 61 31 2c 68 6d hmac
> -sha1,hm
>  0150  61 63 2d 73 68 61 32 2d  32 35 36 00 00 00 17 68 ac-sha2-
> 256h
>  0160  6d 61 63 2d 73 68 61 31  2c 68 6d 61 63 2d 73 68 mac-sha1
> ,hmac-sh
>  0170  61 32 2d 32 35 36 00 00  00 04 6e 6f 6e 65 00 00 a2-256..
> ..none..
>  0180  00 04 6e 6f 6e 65 00 00  00 00 00 00 00 00 00 00 ..none..
> 
>  0190  00 00 00 fd 9d 4e 7a a7  2d 49   .Nz. -I
> 0015  00 00 08 d4 07 14 71 12  38 a7 62 81 7d 79 63 ca ..q. 8.b.}yc.
> 0025  3c fb a3 f1 1e 8c 00 00  02 9c 63 75 72 76 65 32 <... ..curve2
> 0035  35 35 31 39 2d 73 68 61  32 35 36 2c 63 75 72 76 5519-sha 256,curv
> 0045  65 32 35 35 31 39 2d 73  68 61 32 35 36 40 6c 69 e25519-s ha256@li
> 0055  62 73 73 68 2e 6f 72 67  2c 64 69 66 66 69 65 2d bssh.org 
>  ,diffie-
> 0065  68 65 6c 6c 6d 61 6e 2d  67 72 6f 75 70 2d 65 78 hellman- group-ex
> 0075  63 68 61 6e 67 65 2d 73  68 61 32 35 36 2c 65 63 change-s ha256,ec
> 0085  64 68 2d 73 68 61 32 2d  6e 69 73 74 70 35 32 31 dh-sha2- nistp521
> 0095  2c 65 63 64 68 2d 73 68  61 32 2d 6e 69 73 74 70 ,ecdh-sh a2-nistp
> 00A5  33 38 34 2c 65 63 64 68  2d 73 68 61 32 2d 6e 69 384,ecdh -sha2-ni
> 00B5  73 74 70 32 35 36 2c

Re: OpenWRT Dropbear v2020.80: Exit before auth: No matching algo kex

2020-10-23 Thread Tang Jiye

Hi Walter,

What if I want to use ecdh and ecdsa for kex and signing while
diffie-hellman-group1-sha1 is disabled.

It should work as well right ?

Jiye

Walter Harms  于2020年10月23日周五 上午5:24写道：

> This is caused by changes in ssh_config. You can try:
>   ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 USER@TARGET
>
> or persistent in ssh_config
> KexAlgorithms=+diffie-hellman-group1-sha1
>
> your mileage may vary etc.
>
> re,
>  wh
> 
> Von: Dropbear [dropbear-boun...@ucc.asn.au] im Auftrag von Piotr
> Jurkiewicz [piotr.jerzy.jurkiew...@gmail.com]
> Gesendet: Donnerstag, 22. Oktober 2020 20:33
> An: dropbear@ucc.asn.au
> Betreff: OpenWRT Dropbear v2020.80: Exit before auth: No matching algo kex
>
> Hi,
>
> when trying to connect to OpenWRT router (mipsel_24kc architecture) with
> PyCharm (uses sshj v0.29.0 client library) I started to get the
> following error:
>
>  Exit before auth from : No matching algo kex
>
> I remember that couple of month ago it worked fine. I have downgraded
> Dropbear package on the router to version from the previous OpenWRT
> release (v2020.78) and indeed I am able to connect to it.
>
> I have tried removing the ed25519 hostkey in v2020.80, but it does not
> help.
>
> Below I am pasting hex dumps of negotiation on both versions:
>
> Dropbear v2020.80 (No matching algo kex):
>
>   53 53 48 2d 32 2e 30 2d  53 53 48 4a 5f 30 2e 32 SSH-2.0-
> SSHJ_0.2
> 0010  39 2e 30 0d 0a   9.0..
>    53 53 48 2d 32 2e 30 2d  64 72 6f 70 62 65 61 72 SSH-2.0-
> dropbear
>  0010  0d 0a 00 00 01 84 07 14  be 21 14 d9 76 eb d7 98 
> .!..v...
>  0020  a7 14 cd b1 ee ce 91 14  00 00 00 82 63 75 72 76 
> curv
>  0030  65 32 35 35 31 39 2d 73  68 61 32 35 36 2c 63 75 e25519-s
> ha256,cu
>  0040  72 76 65 32 35 35 31 39  2d 73 68 61 32 35 36 40 rve25519
> -sha256@
>  0050  6c 69 62 73 73 68 2e 6f  72 67 2c 64 69 66 66 69 libssh.o
> rg,diffi
>  0060  65 2d 68 65 6c 6c 6d 61  6e 2d 67 72 6f 75 70 31 e-hellma
> n-group1
>  0070  34 2d 73 68 61 32 35 36  2c 64 69 66 66 69 65 2d 4-sha256
> ,diffie-
>  0080  68 65 6c 6c 6d 61 6e 2d  67 72 6f 75 70 31 34 2d hellman-
> group14-
>  0090  73 68 61 31 2c 6b 65 78  67 75 65 73 73 32 40 6d sha1,kex
> guess2@m
>  00A0  61 74 74 2e 75 63 63 2e  61 73 6e 2e 61 75 00 00 att.ucc.
> asn.au..
>  00B0  00 20 73 73 68 2d 65 64  32 35 35 31 39 2c 72 73 . ssh-ed
> 25519,rs
>  00C0  61 2d 73 68 61 32 2d 32  35 36 2c 73 73 68 2d 72 a-sha2-2
> 56,ssh-r
>  00D0  73 61 00 00 00 33 63 68  61 63 68 61 32 30 2d 70 sa...3ch
> acha20-p
>  00E0  6f 6c 79 31 33 30 35 40  6f 70 65 6e 73 73 68 2e oly1305@
> openssh.
>  00F0  63 6f 6d 2c 61 65 73 31  32 38 2d 63 74 72 2c 61 com,aes1
> 28-ctr,a
>  0100  65 73 32 35 36 2d 63 74  72 00 00 00 33 63 68 61 es256-ct
> r...3cha
>  0110  63 68 61 32 30 2d 70 6f  6c 79 31 33 30 35 40 6f cha20-po
> ly1305@o
>  0120  70 65 6e 73 73 68 2e 63  6f 6d 2c 61 65 73 31 32 penssh.c
> om,aes12
>  0130  38 2d 63 74 72 2c 61 65  73 32 35 36 2d 63 74 72 8-ctr,ae
> s256-ctr
>  0140  00 00 00 17 68 6d 61 63  2d 73 68 61 31 2c 68 6d hmac
> -sha1,hm
>  0150  61 63 2d 73 68 61 32 2d  32 35 36 00 00 00 17 68 ac-sha2-
> 256h
>  0160  6d 61 63 2d 73 68 61 31  2c 68 6d 61 63 2d 73 68 mac-sha1
> ,hmac-sh
>  0170  61 32 2d 32 35 36 00 00  00 04 6e 6f 6e 65 00 00 a2-256..
> ..none..
>  0180  00 04 6e 6f 6e 65 00 00  00 00 00 00 00 00 00 00 ..none..
> 
>  0190  00 00 00 fd 9d 4e 7a a7  2d 49   .Nz. -I
> 0015  00 00 08 d4 07 14 71 12  38 a7 62 81 7d 79 63 ca ..q.
> 8.b.}yc.
> 0025  3c fb a3 f1 1e 8c 00 00  02 9c 63 75 72 76 65 32 <...
> ..curve2
> 0035  35 35 31 39 2d 73 68 61  32 35 36 2c 63 75 72 76 5519-sha
> 256,curv
> 0045  65 32 35 35 31 39 2d 73  68 61 32 35 36 40 6c 69 e25519-s
> ha256@li
> 0055  62 73 73 68 2e 6f 72 67  2c 64 69 66 66 69 65 2d bssh.org
> ,diffie-
> 0065  68 65 6c 6c 6d 61 6e 2d  67 72 6f 75 70 2d 65 78 hellman-
> group-ex
> 0075  63 68 61 6e 67 65 2d 73  68 61 32 35 36 2c 65 63 change-s
> ha256,ec
> 0085  64 68 2d 73 68 61 32 2d  6e 69 73 74 70 35 32 31 dh-sha2-
> nistp521
> 0095  2c 65 63 64 68 2d 73 68  61 32 2d 6e 69 73 74 70 ,ecdh-sh
> a2-nistp
> 00A5  33 38 34 2c 65 63 64 68  2d 73 68 61 32 2d 6e 69 384,ecdh
> -sha2-ni
> 00B5  73 74 70 32 35 36 2c 64  69 66 66 69 65 2d 68 65 stp256,d
> iffie-he
> 00C5  6c 6c 6d 61 6e 2d 67 72  6f 75 70 2d 65 78 63 68 llman-gr
> oup-exch
> 00D5  61 6e 67 65 2d 73 68 61  31 2c 64 69 66 66 69 65 ange-sha
> 1,diffie
> 00E5  2d 68 65 6c 6c 6d 61 6e  2d 67 72 6f 75 70 31 2d -hellman
> -group1-
> 00F5  73 68 61 31 2c 64 69 66  66 69 65 2d 68 65 6c 6c sha1,dif
> fie-hell
> 0105  6d 61 6e 2d 67 72 6f 75  70

Re: OpenWRT Dropbear v2020.80: Exit before auth: No matching algo kex

2020-10-23 Thread Matt Johnston

Hi Piotr,

Dropbear 2020.79 had some changes to the code that parses algorithms, it now is 
more strict about its MAX_PROPOSED_ALGO = 20 limit.
Not intentionally, but as a side-effect.

sshj advertises 30 different ciphers.

I've increased the limit to 50 in 
https://hg.ucc.asn.au/dropbear/rev/7c0fcd19e492 and it also prints a message if 
it is reached.

Someone else hit this same problem - I'll try and get a new release out soon.

Cheers,
Matt

> On Fri 23/10/2020, at 2:33 am, Piotr Jurkiewicz 
>  wrote:
> 
> Hi,
> 
> when trying to connect to OpenWRT router (mipsel_24kc architecture) with 
> PyCharm (uses sshj v0.29.0 client library) I started to get the following 
> error:
> 
>Exit before auth from : No matching algo kex
> 
> I remember that couple of month ago it worked fine. I have downgraded 
> Dropbear package on the router to version from the previous OpenWRT release 
> (v2020.78) and indeed I am able to connect to it.
> 
> I have tried removing the ed25519 hostkey in v2020.80, but it does not help.
> 
> Below I am pasting hex dumps of negotiation on both versions:
> 
> Dropbear v2020.80 (No matching algo kex):
> 
>   53 53 48 2d 32 2e 30 2d  53 53 48 4a 5f 30 2e 32 SSH-2.0- SSHJ_0.2
> 0010  39 2e 30 0d 0a   9.0..
>  53 53 48 2d 32 2e 30 2d  64 72 6f 70 62 65 61 72 SSH-2.0- 
> dropbear
>0010  0d 0a 00 00 01 84 07 14  be 21 14 d9 76 eb d7 98  
> .!..v...
>0020  a7 14 cd b1 ee ce 91 14  00 00 00 82 63 75 72 76  
> curv
>0030  65 32 35 35 31 39 2d 73  68 61 32 35 36 2c 63 75 e25519-s 
> ha256,cu
>0040  72 76 65 32 35 35 31 39  2d 73 68 61 32 35 36 40 rve25519 
> -sha256@
>0050  6c 69 62 73 73 68 2e 6f  72 67 2c 64 69 66 66 69 libssh.o 
> rg,diffi
>0060  65 2d 68 65 6c 6c 6d 61  6e 2d 67 72 6f 75 70 31 e-hellma 
> n-group1
>0070  34 2d 73 68 61 32 35 36  2c 64 69 66 66 69 65 2d 4-sha256 
> ,diffie-
>0080  68 65 6c 6c 6d 61 6e 2d  67 72 6f 75 70 31 34 2d hellman- 
> group14-
>0090  73 68 61 31 2c 6b 65 78  67 75 65 73 73 32 40 6d sha1,kex 
> guess2@m
>00A0  61 74 74 2e 75 63 63 2e  61 73 6e 2e 61 75 00 00 att.ucc. 
> asn.au..
>00B0  00 20 73 73 68 2d 65 64  32 35 35 31 39 2c 72 73 . ssh-ed 
> 25519,rs
>00C0  61 2d 73 68 61 32 2d 32  35 36 2c 73 73 68 2d 72 a-sha2-2 
> 56,ssh-r
>00D0  73 61 00 00 00 33 63 68  61 63 68 61 32 30 2d 70 sa...3ch 
> acha20-p
>00E0  6f 6c 79 31 33 30 35 40  6f 70 65 6e 73 73 68 2e oly1305@ 
> openssh.
>00F0  63 6f 6d 2c 61 65 73 31  32 38 2d 63 74 72 2c 61 com,aes1 
> 28-ctr,a
>0100  65 73 32 35 36 2d 63 74  72 00 00 00 33 63 68 61 es256-ct 
> r...3cha
>0110  63 68 61 32 30 2d 70 6f  6c 79 31 33 30 35 40 6f cha20-po 
> ly1305@o
>0120  70 65 6e 73 73 68 2e 63  6f 6d 2c 61 65 73 31 32 penssh.c 
> om,aes12
>0130  38 2d 63 74 72 2c 61 65  73 32 35 36 2d 63 74 72 8-ctr,ae 
> s256-ctr
>0140  00 00 00 17 68 6d 61 63  2d 73 68 61 31 2c 68 6d hmac 
> -sha1,hm
>0150  61 63 2d 73 68 61 32 2d  32 35 36 00 00 00 17 68 ac-sha2- 
> 256h
>0160  6d 61 63 2d 73 68 61 31  2c 68 6d 61 63 2d 73 68 mac-sha1 
> ,hmac-sh
>0170  61 32 2d 32 35 36 00 00  00 04 6e 6f 6e 65 00 00 a2-256.. 
> ..none..
>0180  00 04 6e 6f 6e 65 00 00  00 00 00 00 00 00 00 00 ..none.. 
> 
>0190  00 00 00 fd 9d 4e 7a a7  2d 49   .Nz. -I
> 0015  00 00 08 d4 07 14 71 12  38 a7 62 81 7d 79 63 ca ..q. 8.b.}yc.
> 0025  3c fb a3 f1 1e 8c 00 00  02 9c 63 75 72 76 65 32 <... ..curve2
> 0035  35 35 31 39 2d 73 68 61  32 35 36 2c 63 75 72 76 5519-sha 256,curv
> 0045  65 32 35 35 31 39 2d 73  68 61 32 35 36 40 6c 69 e25519-s ha256@li
> 0055  62 73 73 68 2e 6f 72 67  2c 64 69 66 66 69 65 2d bssh.org ,diffie-
> 0065  68 65 6c 6c 6d 61 6e 2d  67 72 6f 75 70 2d 65 78 hellman- group-ex
> 0075  63 68 61 6e 67 65 2d 73  68 61 32 35 36 2c 65 63 change-s ha256,ec
> 0085  64 68 2d 73 68 61 32 2d  6e 69 73 74 70 35 32 31 dh-sha2- nistp521
> 0095  2c 65 63 64 68 2d 73 68  61 32 2d 6e 69 73 74 70 ,ecdh-sh a2-nistp
> 00A5  33 38 34 2c 65 63 64 68  2d 73 68 61 32 2d 6e 69 384,ecdh -sha2-ni
> 00B5  73 74 70 32 35 36 2c 64  69 66 66 69 65 2d 68 65 stp256,d iffie-he
> 00C5  6c 6c 6d 61 6e 2d 67 72  6f 75 70 2d 65 78 63 68 llman-gr oup-exch
> 00D5  61 6e 67 65 2d 73 68 61  31 2c 64 69 66 66 69 65 ange-sha 1,diffie
> 00E5  2d 68 65 6c 6c 6d 61 6e  2d 67 72 6f 75 70 31 2d -hellman -group1-
> 00F5  73 68 61 31 2c 64 69 66  66 69 65 2d 68 65 6c 6c sha1,dif fie-hell
> 0105  6d 61 6e 2d 67 72 6f 75  70 31 34 2d 73 68 61 31 man-grou p14-sha1
> 0115  2c 64 69 66 66 69 65 2d  68 65 6c 6c 6d 61 6e 2d ,diffie- hellman-
> 0125  67 72 6f 75 70 31 34 2d  73 68 61 32 35 36 2c 64 group14- sha256,d
> 0135  69 66 66 69 65 2d 68 65  6c 6c 6d 61 6e 2d 67 72 iffie-he llman-gr
>

Re: OpenWRT Dropbear v2020.80: Exit before auth: No matching algo kex

Re: OpenWRT Dropbear v2020.80: Exit before auth: No matching algo kex

Re: OpenWRT Dropbear v2020.80: Exit before auth: No matching algo kex

Re: OpenWRT Dropbear v2020.80: Exit before auth: No matching algo kex

4 matches

Site Navigation

Mail list logo

Footer information