Fwd: SSH handshake failed

[Golota S.V.]

i tried via public key but didn't help either

ssh-keygen -t rsa -b 4096 -m PEM

You can also use OpenSSL to create the private key:

openssl genrsa -out id_rsa 4096
Then to get the public key:

ssh-keygen -y -f id_rsa

a source:

https://www.reddit.com/r/selfhosted/comments/os4d52/guacamole_ssh_keys_help/


OS: Linux version 5.10.84-1-MANJARO

openssh-8.8p1-1





17.12.2021 21:24, Nick Couchman пишет:
What are the properties of the system you're connecting to - what type 
of system, version of OpenSSH, etc.? We've had reports recently of 
this when connecting to newer OpenSSH installs that limit host key and 
key exchange algorithms to ones that aren't currently implemented in 
Guacamole.



-
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org

Re: SSH handshake failed

[Nick Couchman]

On Fri, Dec 17, 2021 at 2:43 AM Golota S.V. 
wrote:

> Hello!! I have an error "SSH handshake failed" when connecting ssh
> client manjaro zsh normal bash clients connect without problems. tell me
> how to solve the problem.
>
>
What are the properties of the system you're connecting to - what type of
system, version of OpenSSH, etc.? We've had reports recently of this when
connecting to newer OpenSSH installs that limit host key and key exchange
algorithms to ones that aren't currently implemented in Guacamole.

-Nick

SSH handshake failed

[Golota S.V.]

Hello!! I have an error "SSH handshake failed" when connecting ssh 
client manjaro zsh normal bash clients connect without problems. tell me 
how to solve the problem.



-
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org

Re: guacd : SSH handshake failed

[xuo]

Hi,

I've searched a lot on Internet but without success. The 2 links provided
didn't help me.
I think the issue comes from my ssh config (not necessarily related to
libssh2) but I do not have found yet the reason.
1) I've already made it work. It means that I've broken 2 pcs. Possible but
surprising.
2) I can connect to the server. Why not on another pc if I use the same
guacd process to communicate ?

Regards.

Xuo.



--
Sent from: 
http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

-
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org

Re: guacd : SSH handshake failed

[Ivanmarcus]

Xuo,

I'm not able to replicate the problem here (I don't use those 
distributions) but looking at the error log from the pc, and with a 
little searching you might want to consider this information:


https://www.ezeelogin.com/kb/article/4/no-matching-host-key-type-found-their-offer-ssh-rsa-ssh-dss-preauth-249.html

https://askubuntu.com/questions/836048/ssh-returns-no-matching-host-key-type-found-their-offer-ssh-dss

While they're not necessarily for your distribution the detail seems 
relevant to me?


-
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org

Re: guacd : SSH handshake failed

[xuo]

Hi,

Thank you for your answer.
I already had a look at this post but I didn't help me.
What I really don't understand is the fact that connecting to the server
itself works, but if I want to connect to another client (through the guacd
process of the server) it fails.
The "worst" is that I already had made it work but after some issues, I had
to re-install (the server) from scratch and now I've broken something. The
main difference I see is that when it was working, all my pc were running
Mageia7 and not a mix of Mageia7 and 8. But I don't think this is the reason
for the issue.
I continue trying to debug.

Regards.

Xuo.



--
Sent from: 
http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

-
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org

Re: guacd : SSH handshake failed

[Ivanmarcus]

Xuo,

I'm not familiar with the distributions you mention, however there have 
been some issues with SSH in the past which have tended to revolve 
around the version of libssh2 in use, and/or the private key format.


It may be that this post could give you some ideas to consider?:

http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/Issues-with-VNC-and-SSH-on-2-different-connections-td9315.html#a9489





-
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org

guacd : SSH handshake failed

[Xuo]

Hi,

I have 3 pc : pc1, pc2 and server.
server runs the guacd process (version 1.3.0). It runs under Mageia7.
pc1 runs under Mageia8.
pc2 runs under Mageia7.
server and pc1 have the lib64ssh2 packages installed (not pc2) :
lib64ssh2_1-1.8.2-1.1.mga7
lib64ssh2-devel-1.8.2-1.1.mga7

I can connect from pc1 or pc2 to server using either an ssh connection 
or a vnc one.
Now, if I want to connect from pc2 to pc1 using an ssh connection, I get 
the following error message :


On server :
Mar  7 17:54:17 server guacd[32680]: Creating new client for protocol "ssh"
Mar  7 17:54:17 server guacd[32680]: Connection ID is 
"$1654b89f-87be-41cb-93c8-00d124058a97"
Mar  7 17:54:17 server guacd[752]: User 
"@4b8812aa-d0d7-42fb-8370-ed2ca09ff21e" joined connection 
"$1654b89f-87be-41cb-93c8-00d124058a97" (1 users now present)
Mar  7 17:54:17 server server[32690]: 17:54:17.144 
[http-nio-8080-exec-8] INFO  o.a.g.tunnel.TunnelRequestService - User 
"xuo" connected to connection "3".

Mar  7 17:54:17 server guacd[752]: SSH handshake failed.
Mar  7 17:54:17 server guacd[752]: User 
"@4b8812aa-d0d7-42fb-8370-ed2ca09ff21e" disconnected (0 users remain)
Mar  7 17:54:17 server guacd[752]: Last user of connection 
"$1654b89f-87be-41cb-93c8-00d124058a97" disconnected
Mar  7 17:54:17 server guacd[32680]: Connection 
"$1654b89f-87be-41cb-93c8-00d124058a97" removed.


On pc1 :
Mar  7 17:54:31 pc1 sshd[773109]: Unable to negotiate with 192.168.0.14 
port 38812: no matching host key type found. Their offer: 
ssh-rsa,ssh-dss [preauth]


(192.168.0.14 = server).

I can connect in both ways (pc1 to server and server to pc1 with the ssh 
command line).


Could you help me to solve this issue ?

Regards.

Xuo.




smime.p7s
Description: Signature cryptographique S/MIME

Re: 9.14: SSH Handshake failed (extremeswitches)

[cchance]

Well no such lock, i decided to do a fork on the github guacamole-server and
use that instead, but to no avail, still can't connect to the devices with
the older version of openssh running. So the new libssh2 library from the
debian release didn't fix it



--
Sent from: 
http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

Re: 9.14: SSH Handshake failed (extremeswitches)

[Nick Couchman]

On Fri, Jun 22, 2018 at 11:53 PM cchance  wrote:

> i switched to the guacamole/guacd docker container and still have the same
> issue, it seems the issue is DSA, some of my switches have a different
> version that supports RSA and that logs in right away but DSA doesn't seem
> to work when the switch has a DSA key on the server side, it doesn't appear
> to work and gives a handshake failed.
>
>
>
The Docker image currently published (0.9.14) still uses an older version
of libssh2 from CentOS7.  Version 1.0.0, when it is released, switches to
Debian stable as its base, and will have an updated libssh2.  You can build
the Docker image from the current git repo and get this Debian-based image,
but you'll have to build manually.

>From my earlier response I speculated about DSS vs. DSA - I'm not an expert
on SSH or Cryptography, but some further reading indicates that DSA is an
implementation of DSS, so the later versions of libssh2 *probably* will
support your Extreme switches.  However, again, you need to make sure
you're actually using that later version, and the 0.9.14 Docker image
available in Docker hub will not have that.

-Nick

Re: 9.14: SSH Handshake failed (extremeswitches)

[cchance]

i switched to the guacamole/guacd docker container and still have the same
issue, it seems the issue is DSA, some of my switches have a different
version that supports RSA and that logs in right away but DSA doesn't seem
to work when the switch has a DSA key on the server side, it doesn't appear
to work and gives a handshake failed.



--
Sent from: 
http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

Re: 9.14: SSH Handshake failed (extremeswitches)

[Nick Couchman]

On Fri, Jun 15, 2018 at 12:49 PM cchance  wrote:

> docker image
> (https://github.com/oznu/docker-guacamole/blob/master/Dockerfile) so
> appears
> to be libssh2-1-dev
>
>
Two things:
1) That doesn't tell me the version of the library.
2) That is not the official Guacamole docker image, nor a fork of that
image.  It looks like it is based on the official tomcat Docker image,
which also appears to be Debian-based, but it's hard to know what versions
of packages are being loaded there.

Also, while libssh2 appears to support diffie-hellman-group1-sha1, it does
appear to support ssh-dsa host keys - the web site lists ssh-rsa and
ssh-dss.

-Nick

Re: 9.14: SSH Handshake failed (extremeswitches)

[cchance]

docker image
(https://github.com/oznu/docker-guacamole/blob/master/Dockerfile) so appears
to be libssh2-1-dev 





--
Sent from: 
http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

Re: 9.14: SSH Handshake failed (extremeswitches)

[Nick Couchman]

On Fri, Jun 15, 2018 at 11:48 AM cchance  wrote:

> To log in to these switches normally we have to do +ssh-dsa and
> +diffie-hellman-group-sha1 in my ssh config for a pc to be able to cleanly
> ssh to one of these switches so not sure if that is whats causing issues
> when it comes time to connect with Guacamole...
>
> But every time I try to connect I get an SSH Handshake failed after
> entering
> a password, same when using a private key... Always just SSH Handshake
> failed...
>
> Any idea what I can do to fix the problem?
>
>
What type of system are you running guacd on?  What version of libssh2 is
installed?

-Nick

9.14: SSH Handshake failed (extremeswitches)

[cchance]

To log in to these switches normally we have to do +ssh-dsa and
+diffie-hellman-group-sha1 in my ssh config for a pc to be able to cleanly
ssh to one of these switches so not sure if that is whats causing issues
when it comes time to connect with Guacamole...

But every time I try to connect I get an SSH Handshake failed after entering
a password, same when using a private key... Always just SSH Handshake
failed...

Any idea what I can do to fix the problem?

guacd[902]: DEBUG:  Parameter "font-name" omitted. Using default value of
"monospace".
guacd[902]: DEBUG:  Parameter "font-size" omitted. Using default value of 
12.
guacd[902]: DEBUG:  Parameter "color-scheme" omitted. Using default value of
"".
guacd[902]: DEBUG:  Parameter "enable-sftp" omitted. Using default value of
0.
guacd[902]: DEBUG:  Parameter "sftp-root-directory" omitted. Using default
value of "/".
guacd[902]: DEBUG:  Parameter "port" omitted. Using default value of "22".
guacd[902]: DEBUG:  Parameter "read-only" omitted. Using default value of 0.
guacd[902]: DEBUG:  Parameter "typescript-name" omitted. Using default value
of "typescript".
guacd[902]: DEBUG:  Parameter "create-typescript-path" omitted. Using 
default
value of 0.
guacd[902]: DEBUG:  Parameter "recording-name" omitted. Using default value
of "recording".
guacd[902]: DEBUG:  Parameter "create-recording-path" omitted. Using default
value of 0.
guacd[902]: DEBUG:  Parameter "server-alive-interval" omitted. Using default
value of 0.
guacd[902]: INFO:   User "@5d2e6ec5-c5d6-42bb-a260-7f3ffc837e5e" joined
connection "$35b81227-7e70-4672-bdf1-538af83eed45" (1 users now present)
guacd[902]: DEBUG:  Attempting private key import (WITHOUT passphrase)
guacd[902]: INFO:   Auth key successfully imported.
guacd[902]: DEBUG:  Successfully connected to host 192.168.0.1, port 22
guacd[902]: ERROR:  SSH handshake failed.




--
Sent from: 
http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

Re: SSH handshake failed: only RSA keys possible?

[Nick Couchman]

On Sat, Dec 23, 2017 at 10:41 PM, NTMMFTS  wrote:

> It appears that libssh2 includes the aes256-cbc key exchange method
> supported
> by pfSense, so I modded the ssh.c code and let it compile during
> installation using hanaciamiento's guacamole install script
> (https://sourceforge.net/projects/guacamoleinstallscript/), but guacamole
> won't load at all afterwards.
>
> Here's the code and where I inserted it in ssh.c in the
> guac_common_ssh_create_session function:
>
> /* Open SSH session */
> // existing code
>
> /* added preferred method for key exchange method supported by
> pfSense */
> int returnval = libssh2_session_method_pref(session,
> LIBSSH2_METHOD_CRYPT_CS, "aes256-cbc");
> if (returnval != 0) {
> guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
> "Setting session preferred key exchange method to
> AES256-CBC
> failed.");
> free(common_session);
> close(fd);
> return NULL;
> }
>
> /* Perform handshake */
> // existing code
>

First, I don't think this should be necessary to get it working if libssh2
supports that crypt method.  I believe it will use any supported method
without having to set it as a preferred method, no?  That said, setting it
as preferred should not impede the connection, either, so this should be
fine.


>
> Anyone want to comment on this approach or try to get it working?
>

With guacd in debug mode (guacd -L debug), what messages do you see during
the SSH connection?  Also, when you say it "won't load at all with it
afterwards," what does this mean?  It segfaults?  Or guacd runs but the
connection doesn't start?  Or sometihng else?

-Nick

Re: SSH handshake failed: only RSA keys possible?

[NTMMFTS]

It appears that libssh2 includes the aes256-cbc key exchange method supported
by pfSense, so I modded the ssh.c code and let it compile during
installation using hanaciamiento's guacamole install script
(https://sourceforge.net/projects/guacamoleinstallscript/), but guacamole
won't load at all afterwards.

Here's the code and where I inserted it in ssh.c in the
guac_common_ssh_create_session function:

/* Open SSH session */
// existing code

/* added preferred method for key exchange method supported by pfSense 
*/
int returnval = libssh2_session_method_pref(session,
LIBSSH2_METHOD_CRYPT_CS, "aes256-cbc");
if (returnval != 0) {
guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
"Setting session preferred key exchange method to AES256-CBC
failed.");
free(common_session);
close(fd);
return NULL;
}

/* Perform handshake */
// existing code

Anyone want to comment on this approach or try to get it working?

Thanks!

Jay L 



--
Sent from: 
http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

Re: SSH handshake failed: only RSA keys possible?

[flittermice]

Hello Nick,

thanks for the clarification! So libssl2 ist to blame - seems to be a little
antiquated...

Thanks for the proposal to add some documentation. 
I would suggest the description of the parameter "private-key":
- a reference to libssl2
- Maybe you could also write that the private key has to be pasted as text.
Many people believe that a filename has to be given.

TIA,
Flittermice



--
Sent from: 
http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

SSH handshake failed: only RSA keys possible?

[flittermice]

I'm using version 0.9.13. My goal was to make a SSH connection to a host
using my existing ed25519 keys. But I permanently got "SSH handshake failed"
in guacd.

So I have spent many hours of searching for the reason. Finally it turned
out that it is only possible to use RSA keys:
1. ECDSA and Ed25519 private keys will not work because Guacamole won't be
able to recognize the key format.
2. I configured my server to send an Ed25519 host key. This was the reason
for the "SSH handshake failed" errors.

Switching back to RSA keys solved the problem for me.

Should this behaviour be documented? Or should the new key types be
implemented? 
Or am I missing something? 

Thanks!
Flittermice



--
Sent from: 
http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/