Re: Re: Telnet vs SSH
By: Pedro Silva to Hemo on Sun Sep 25 2016 09:33 am
Hemo wrote to Pedro Silva <=-
@TZ: c168
Re: Telnet vs SSH
By: Pedro Silva to All on
Sat Sep 24 2016 10:18 pm
Hello All,
I tried using a standard ssh client (openssh) and was unable to connect to any Synchronet BBS through SSH. The problem was always the same: Handshake failed. From what I could see, today's Linux Distributions have blacklisted some types of cryptos due to the fact that they are no longer secure.
strange. I've had no issues connecting to various systems using ssh from PuTTY or openssh from linux command line.
Are you forcing your connection to use only a single protocol ?
No, let me show it:
$ ssh guest@vert.synchro.net
Received disconnect from 71.95.196.34 port 22:2: Handshake failed Disconnected from 71.95.196.34 port 22
$ ssh -vv guest@vert.synchro.net
OpenSSH_7.3p1 Debian-1, OpenSSL 1.0.2h 3 May 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "vert.synchro.net" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to vert.synchro.net [71.95.196.34] port 22.
debug1: Connection established.
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.3p1 Debian-1
debug1: Remote protocol version 2.0, remote software version cryptlib debug1: no match: cryptlib
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to vert.synchro.net:22 as 'guest'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh -sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffi e-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group- exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext- info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa- sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nis tp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-s ha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,ae s256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc ,aes256-cbc,3des-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,ae s256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc ,aes256-cbc,3des-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha 2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.co m,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac- sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha 2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.co m,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac- sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha256,diffie-hellman- group-exchange-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: 3des-cbc,aes128-cbc,blowfish-cbc
debug2: ciphers stoc: 3des-cbc,aes128-cbc,blowfish-cbc
debug2: MACs ctos: hmac-sha2-256,hmac-sha1,hmac-md5
debug2: MACs stoc: hmac-sha2-256,hmac-sha1,hmac-md5
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-cbc MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes128-cbc MAC: hmac-sha2-256 compression: none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<8192<8192) sent
Received disconnect from 71.95.196.34 port 22:2: Handshake failed Disconnected from 71.95.196.34 port 22
If I explicit use KEX algorithm diffie-hellman-group1-sha1, I can connect:
$ ssh -o KexAlgorithms=diffie-hellman-group1-sha1 guest@vert.synchro.net
The authenticity of host 'vert.synchro.net (71.95.196.34)' can't be established.
RSA key fingerprint is SHA256:ykpQTWSMSyqkLXyWlNC7zfWvnxtt0wGCGk0ZLyWALog. Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'vert.synchro.net,71.95.196.34' (RSA) to the list of known hosts.
guest@vert.synchro.net's password:
Synchronet BBS for Win32 Version 3.17
Connection from: 77.54.101.23
Resolving hostname...
<snip>
From what I understand, by default, Synchronet uses a deprecated SSH algorithm, which openssh can only use if forced.
From the OpenSSH legacy page (http://www.openssh.com/legacy.html):
"OpenSSH implements all of the cryptographic algorithms needed for compatibility with standards-compliant SSH implementations, but since some of the older algorithms have been found to be weak, not all of them are enabled by default."
Pedro,
Just wanted to let you know that I took much of the detail you provided an added a new FAQ to the wiki:
http://wiki.synchro.net/faq:tcpip#ssh_kex_algo
Thanks!
digital man
Synchronet "Real Fact" #90:
Synchronet/DSZ "hack" of '93:
http://wiki.synchro.net/history:hack93
Norco, CA WX: 59.8øF, 90.0% humidity, 4 mph ESE wind, 0.00 inches rain/24hrs
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ
telnet://vert.synchro.net