
Putty cannot negotiate when the SSH Server adds an ED25519 key
Closed, Resolved (Public)

Description

I used libssh to develop a Git SSH server that provides Git over SSH support for users. Some people use Git clients that use PuTTY to access remote SSH servers. When I upgraded the libssh that our server depends on to 0.9.1, these users couldn't connect to our SSH server no matter what form of SSH public key they used.

Our server will load the following SSH keys in order:

"HostKeys": [
  "/etc/ssh/ssh_host_rsa_key",
  "/etc/ssh/ssh_host_dsa_key",
  "/etc/ssh/ssh_host_ecdsa_key",
  "/etc/ssh/ssh_host_ed25519_key"
]

Usually during the KEX phase, the SSH server reports the following error:

ssh_handle_key_exchange error: Could not sign the session id

After I modified libssh to track errors, the final output is:

digital envelope routines:update:only oneshot supported

This error is returned by EVP_DigestSignUpdate and the corresponding code is: https://gitlab.com/libssh/libssh-mirror/blob/master/src/pki_crypto.c#L2183

Putty result:

Looking up host "localhost" for SSH connection
Connecting to 127.0.0.1 port 22
We claim version: SSH-2.0-PuTTY_Release_0.73
Remote version: SSH-2.0-Basalt-1.3.0
Using SSH protocol version 2
Doing ECDH key exchange with curve Curve25519 and hash SHA-256 (unaccelerated)
Remote side sent disconnect message type 11 (by application): "Bye Bye"
FATAL ERROR: Remote side sent disconnect message

When I delete the ssh_host_ed25519_key in the configuration file, putty can correctly establish a connection with the SSH server.

Libssh 0.8.7/0.9.0 has no such errors.

Regardless of whether the SSH server uses the ED25519 host key, OpenSSH can be accessed normally. Once the SSH server uses the ED25519 host key, Putty cannot negotiate with the server regardless of which type of key is used. Delete ed25519 and everything works fine.

Basalt sshd 1.3.0 (Branch: master) (**commit ish**) (Nov  4 2019)
ResolveDNS: Disable
Libcurl:    libcurl/7.66.0 OpenSSL/1.1.1d zlib/1.2.11 nghttp2/1.39.2
Libssh:     0.9.1/openssl/zlib. Link Mode: dynamic
Compiler:   GNU 9.2.1 C++17 Mode

Event Timeline

fcharlie renamed this task from "Putty cannot negotiate when the SSH Server adds an ECDSA key" to "Putty cannot negotiate when the SSH Server adds an ED25519 key". Mon, Nov 4, 3:30 AM

@ansasaki This looks directly related to the ed25519 support you modified to use OpenSSL. Can you check what might have gone wrong?

The problem is that the OpenSSL in use has the EVP_PKEY_ED25519 type in openssl/evp.h, but does not support the single-shot EVP_DigestSign(). When I wrote the detection to switch to the OpenSSL implementation, I thought this combination would be impossible since ed25519 can only be used in single-shot operations. The solution is to require both HAVE_OPENSSL_ED25519 and HAVE_OPENSSL_EVP_DIGESTSIGN to switch to the OpenSSL implementation.

Hello @fcharlie,

Could you try to apply the patch from this pull request and check if it fixes the issue for you?

https://gitlab.com/libssh/libssh-mirror/merge_requests/70
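
A configure-time check along the lines of the fix described above, as an added example that is not libssh's ConfigureChecks.cmake and not part of the original thread. It requires both macros named in the thread and goes one step further by running a one-shot Ed25519 signing probe; `USE_OPENSSL_ED25519` and `ED25519_ONESHOT_WORKS` are hypothetical names.

```cmake
# Added example, not the project's own build code.
# HAVE_OPENSSL_ED25519 and HAVE_OPENSSL_EVP_DIGESTSIGN are the names used in
# the thread; USE_OPENSSL_ED25519 and ED25519_ONESHOT_WORKS are hypothetical.
include(CheckSymbolExists)
include(CheckFunctionExists)
include(CheckCSourceRuns)
include(CMakePushCheckState)

find_package(OpenSSL REQUIRED)

cmake_push_check_state(RESET)
set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_CRYPTO_LIBRARY})

# 1. The key type is declared in the headers.
check_symbol_exists(EVP_PKEY_ED25519 "openssl/evp.h" HAVE_OPENSSL_ED25519)
# 2. The one-shot signing entry point is exported by libcrypto.
check_function_exists(EVP_DigestSign HAVE_OPENSSL_EVP_DIGESTSIGN)

# 3. Functional probe (skipped when cross-compiling, where it cannot run):
#    generate a throwaway key and sign with the one-shot EVP_DigestSign().
if(HAVE_OPENSSL_ED25519 AND HAVE_OPENSSL_EVP_DIGESTSIGN
   AND NOT CMAKE_CROSSCOMPILING)
  check_c_source_runs("
    #include <openssl/evp.h>
    int main(void) {
      unsigned char sig[64]; size_t n = sizeof(sig);
      EVP_PKEY *k = NULL;
      EVP_PKEY_CTX *p = EVP_PKEY_CTX_new_id(EVP_PKEY_ED25519, NULL);
      EVP_MD_CTX *m = EVP_MD_CTX_new();
      if (!p || !m || EVP_PKEY_keygen_init(p) != 1
          || EVP_PKEY_keygen(p, &k) != 1) return 1;
      if (EVP_DigestSignInit(m, NULL, NULL, NULL, k) != 1) return 2;
      return EVP_DigestSign(m, sig, &n,
                            (const unsigned char *)\"id\", 2) == 1 ? 0 : 3;
    }" ED25519_ONESHOT_WORKS)
endif()
cmake_pop_check_state()

# Select the OpenSSL Ed25519 path only when every available check passed.
if(HAVE_OPENSSL_ED25519 AND HAVE_OPENSSL_EVP_DIGESTSIGN
   AND (CMAKE_CROSSCOMPILING OR ED25519_ONESHOT_WORKS))
  set(USE_OPENSSL_ED25519 1)   # sign through OpenSSL
else()
  set(USE_OPENSSL_ED25519 0)   # stay on the non-OpenSSL implementation
endif()
```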

I applied the changes to ConfigureChecks.cmake to libssh 0.9.1. After testing, putty can connect to my SSH server. Thank you for fixing this problem.

Jakuje closed this task as Resolved. Mon, Nov 11, 3:08 PM

This should be addressed in the latest release 0.9.2. Not sure why it was not auto-closed with the commit referenced above.