Forcing Key Exchange Methods to diffie-hellman-group14-sha1 with an additional algorithm (any of the supported ones) exits with an ssh_options_set error (invalid value)
Closed, Resolved (Public)

Description

libssh 0.7.5-2 on Arch Linux.

When I force Kex to diffie-hellman-group14-sha1 plus any other algorithm, ssh_options_set reports an "invalid value" error.

Specifying only diffie-hellman-group14-sha1 works without any issues.

This happens in the Remmina code I've implemented; as I didn't try to use the available examples, I cannot exclude that it's my fault...

Let me know if you need additional info.

antenore created this task. Dec 7 2017, 10:45 PM

Nobody? Please

asn added a subscriber: asn. Dec 19 2017, 4:04 PM

How do you set it exactly? Maybe point to the code where you implemented it.

Thanks Andreas

It is set here:

https://github.com/FreeRDP/Remmina/blob/next/remmina/src/remmina_ssh.c#L498

kex_algorithms is a gchar, and it's defined here:

https://github.com/FreeRDP/Remmina/blob/next/remmina/src/remmina_ssh.h#L72

The user specifies a comma-separated list of KEX algorithms in a Gtk text entry (pointing at that implementation isn't useful); it is then saved in a configuration file, and the value is extracted in this way:

ssh->kex_algorithms = g_strdup(remmina_file_get_string(remminafile, "ssh_kex_algorithms"));

You can see it here:

https://github.com/FreeRDP/Remmina/blob/next/remmina/src/remmina_ssh.c#L498

I've tested several different combinations of the algorithm list, and as soon as I have diffie-hellman-group14-sha1 plus any other algorithm it fails. It's enough to remove it for everything to work properly.
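To make the failure mode discussed above reproducible without a libssh build, here is an added example (not libssh or Remmina code) of the check a client can run on a user-entered, comma-separated KEX preference list before handing it to ssh_options_set(session, SSH_OPTIONS_KEY_EXCHANGE, ...): tokens are trimmed, empty entries dropped, preference order kept, and every name compared against a supported table by exact token, so that a shorter name is never accepted as a prefix of a longer one. The supported table and the sample inputs are constructed for this example and are assumptions, not libssh's actual table.

```c
/*
 * Added example: stand-alone validation of a comma-separated KEX list.
 * Not libssh's or Remmina's code; the supported table below is a
 * constructed assumption (check `ssh -Q kex` or the library's own
 * table for real values).
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const char *const SUPPORTED_KEX[] = {
    "curve25519-sha256@libssh.org",
    "ecdh-sha2-nistp256",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group1-sha1",
    NULL,
};

/* Exact-token comparison: length must match too, so
 * "diffie-hellman-group14-sha1" cannot match a longer name sharing its prefix. */
static int kex_is_supported(const char *name, size_t len)
{
    for (size_t i = 0; SUPPORTED_KEX[i] != NULL; i++) {
        if (strlen(SUPPORTED_KEX[i]) == len &&
            memcmp(SUPPORTED_KEX[i], name, len) == 0) {
            return 1;
        }
    }
    return 0;
}

/*
 * Validate a user-supplied preference list. Returns a newly allocated,
 * normalised list (blanks stripped, empty entries dropped, order preserved),
 * or NULL if the list is empty or any entry is unknown. On an unknown entry
 * the offending token is copied (truncated) into `bad` so the caller can
 * show the user which one was rejected; on an empty list `bad` stays "".
 */
char *kex_list_validate(const char *list, char *bad, size_t badsz)
{
    /* Output never exceeds the input: we only drop blanks and separators. */
    size_t cap = strlen(list) + 1;
    char *out = malloc(cap);
    size_t outlen = 0;
    const char *p = list;

    if (out == NULL) return NULL;
    out[0] = '\0';
    if (bad != NULL && badsz > 0) bad[0] = '\0';

    while (*p != '\0') {
        while (*p == ' ' || *p == '\t') p++;          /* leading blanks */
        const char *start = p;
        while (*p != '\0' && *p != ',') p++;
        const char *end = p;
        while (end > start && (end[-1] == ' ' || end[-1] == '\t')) end--;
        size_t len = (size_t)(end - start);
        if (len > 0) {
            if (!kex_is_supported(start, len)) {
                if (bad != NULL && badsz > 0) {
                    size_t n = len < badsz - 1 ? len : badsz - 1;
                    memcpy(bad, start, n);
                    bad[n] = '\0';
                }
                free(out);
                return NULL;
            }
            if (outlen > 0) out[outlen++] = ',';
            memcpy(out + outlen, start, len);
            outlen += len;
            out[outlen] = '\0';
        }
        if (*p == ',') p++;
    }
    if (outlen == 0) { free(out); return NULL; }    /* nothing usable */
    return out;
}

int main(void)
{
    /* Constructed inputs: the third one contains a name absent from the table. */
    const char *tests[] = {
        "diffie-hellman-group14-sha1",
        "diffie-hellman-group14-sha1, curve25519-sha256@libssh.org",
        "diffie-hellman-group14-sha1,diffie-hellman-group14-sha256",
    };
    for (size_t i = 0; i < sizeof tests / sizeof tests[0]; i++) {
        char bad[64];
        char *ok = kex_list_validate(tests[i], bad, sizeof bad);
        if (ok != NULL) {
            /* A real client would now pass `ok` to ssh_options_set(). */
            printf("accepted: %s\n", ok);
            free(ok);
        } else {
            printf("rejected '%s': unknown algorithm '%s'\n", tests[i], bad);
        }
    }
    return 0;
}
```

Running this validation before ssh_options_set() gives the user the offending token instead of a bare "invalid value", and the exact-length comparison is the check to keep in mind whenever a list of algorithm names is matched against a supported table.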

asn added a comment. Dec 21 2017, 4:47 PM

I think that has just been fixed with the patches I committed today, see:

78a3ab2eaa05a5614f9321bfc54ab4a7211ea315

That is the test which verifies this.

Ah! Yes, it makes sense!!! Good sight!

I'd try to compile it, but I don't yet have a libssh development environment. I don't know either how the libssh release cycle works and how the releases are built for each distribution; is this something that will sooner or later reach most of the distro/version ecosystems?

I'll see how I can work around this for Remmina, then I'll try to find some time to compile libssh.

Thanks btw for your time!!!

asn added a comment. Dec 21 2017, 8:05 PM

The problem is time at the moment. There are two features missing for a release right now. One is the mbedtls support and the other is a new known_hosts API I'm working on. I need to find time to finish this. Hopefully in the next days. Normally I try to do a release around FOSDEM.

asn closed this task as Resolved. Dec 21 2017, 8:06 PM
asn claimed this task.

Closing. Test to verify this is working correctly:

78a3ab2eaa05a5614f9321bfc54ab4a7211ea315