
Why is this SSH handshake failing?


The server logs this:

2021-12-07 21:57:29.889029102  Server listening on 0.0.0.0 port 2222.
2021-12-07 21:57:29.889033114  Server listening on :: port 2222.
2021-12-07 21:57:30.635958078  Connection from 172.17.0.1 port 56406 on 172.17.0.3 port 2222 rdomain ""
2021-12-07 21:57:30.636572922  kex_exchange_identification: Connection closed by remote host
2021-12-07 21:57:30.637124145  Connection closed by 172.17.0.1 port 56406
2021-12-07 21:57:30.653516584  Connection from 172.17.0.1 port 56408 on 172.17.0.3 port 2222 rdomain ""
2021-12-07 21:57:30.656432406  Unable to negotiate with 172.17.0.1 port 56408: no matching host key type found. Their offer: ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521 [preauth]

This shows the client offers ecdsa-sha2-nistp384.

The server configuration is as follows:

> cat /etc/ssh/sshd_config | grep -v "#" | grep -v -e '^$'
AuthorizedKeysFile  .ssh/authorized_keys
PasswordAuthentication yes
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
PidFile /config/sshd.pid
Subsystem   sftp    /usr/lib/ssh/sftp-server -u 022
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
HostKeyAlgorithms ecdsa-sha2-nistp384
KexAlgorithms diffie-hellman-group-exchange-sha1
MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1
LogLevel VERBOSE

This shows that HostKeyAlgorithms ecdsa-sha2-nistp384 is enabled on the server. Why can't they perform the handshake?

On the server, does `/etc/ssh/ssh_host_ecdsa_key` exist? Is it 384 bits (`ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key`)? Is it not group/world-accessible (`ls -l /etc/ssh/ssh_host_ecdsa_key`)?
You might also want to try adding some verbosity on the client side to see the actual details of what's going on. For example: `sftp -vvv your-regular-options . . .`. The more 'v's you add the more detail you get - although in my experience more than 2 or 3 is overkill.
@MarkWagner you're right, the key is only 256 bits. So if I want this server to support 256/384/521 bit keys, do I need three separate keys to exist in the `/etc/ssh` directory? Is there a naming convention I need to follow?
`/etc/ssh/ssh_host_ecdsa_key` `/etc/ssh/ssh_host_ed25519_key` and `/etc/ssh/ssh_host_rsa_key` are the default names but you can call keys whatever you want and add them to the `sshd_config` file using `HostKey blah`.
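To make the diagnosis above concrete, here is an added Python helper (not code from the question or the answers) that checks which of sshd's configured `HostKeyAlgorithms` the loaded host keys can actually back, then applies the client's offer the way the protocol does: the first algorithm in the client's list the server supports wins, and an empty intersection is the "no matching host key type found" error. The `ssh-keygen -l` lines are constructed with a placeholder fingerprint, and the function names are mine.

```python
import re

# Key type (as `ssh-keygen -l` prints it) and size that each host key algorithm
# name needs. RSA and DSA algorithms accept any key size (None).
ALG_REQUIREMENTS = {
    "ssh-rsa": ("RSA", None), "rsa-sha2-256": ("RSA", None), "rsa-sha2-512": ("RSA", None),
    "ssh-dss": ("DSA", None), "ssh-ed25519": ("ED25519", 256),
    "ecdsa-sha2-nistp256": ("ECDSA", 256), "ecdsa-sha2-nistp384": ("ECDSA", 384),
    "ecdsa-sha2-nistp521": ("ECDSA", 521),
}

# `ssh-keygen -l -f <key>` prints: "<bits> <fingerprint> <comment> (<TYPE>)"
FINGERPRINT_RE = re.compile(r"^(\d+)\s+\S+\s+.*\((\w+)\)\s*$")

def parse_fingerprint(line):
    """Return (bits, keytype) from one line of `ssh-keygen -l` output."""
    m = FINGERPRINT_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised ssh-keygen -l output: %r" % line)
    return int(m.group(1)), m.group(2).upper()

def servable_algorithms(host_key_algorithms, fingerprint_lines):
    """Subset of the configured HostKeyAlgorithms that a loaded host key can back."""
    keys = [parse_fingerprint(line) for line in fingerprint_lines]
    servable = []
    for alg in host_key_algorithms:
        want_type, want_bits = ALG_REQUIREMENTS.get(alg, (None, None))
        if any(t == want_type and want_bits in (None, b) for b, t in keys):
            servable.append(alg)
    return servable

def negotiate_host_key_algorithm(host_key_algorithms, fingerprint_lines, client_offer):
    """First algorithm in the client's offer the server can serve (RFC 4253 rule), or None."""
    servable = set(servable_algorithms(host_key_algorithms, fingerprint_lines))
    return next((alg for alg in client_offer if alg in servable), None)

# Values taken from the question: the server's HostKeyAlgorithms line and the client's offer.
SERVER_ALGS = ["ecdsa-sha2-nistp384"]
CLIENT_OFFER = ("ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,"
                "ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521").split(",")
# Constructed `ssh-keygen -l` output: the 256-bit key the asker found, and a 384-bit one.
KEY_256 = "256 SHA256:PLACEHOLDERFINGERPRINT root@host (ECDSA)"
KEY_384 = "384 SHA256:PLACEHOLDERFINGERPRINT root@host (ECDSA)"

if __name__ == "__main__":
    print(negotiate_host_key_algorithm(SERVER_ALGS, [KEY_256], CLIENT_OFFER))  # None: the logged error
    print(negotiate_host_key_algorithm(SERVER_ALGS, [KEY_384], CLIENT_OFFER))  # ecdsa-sha2-nistp384
```

Feed it the real `ssh-keygen -l -f` output for every `HostKey` sshd loads and it tells you which configured algorithms are silently unusable.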