9.14: SSH Handshake failed (extremeswitches)


cchance
To log in to these switches normally we have to do +ssh-dsa and
+diffie-hellman-group-sha1 in my ssh config for a pc to be able to cleanly
ssh to one of these switches so not sure if that is what's causing issues
when it comes time to connect with Guacamole...

But every time I try to connect I get an SSH Handshake failed after entering
a password, same when using a private key... Always just SSH Handshake
failed...

Any idea what I can do to fix the problem?

guacd[902]: DEBUG: Parameter "font-name" omitted. Using default value of
"monospace".
guacd[902]: DEBUG: Parameter "font-size" omitted. Using default value of 12.
guacd[902]: DEBUG: Parameter "color-scheme" omitted. Using default value of
"".
guacd[902]: DEBUG: Parameter "enable-sftp" omitted. Using default value of
0.
guacd[902]: DEBUG: Parameter "sftp-root-directory" omitted. Using default
value of "/".
guacd[902]: DEBUG: Parameter "port" omitted. Using default value of "22".
guacd[902]: DEBUG: Parameter "read-only" omitted. Using default value of 0.
guacd[902]: DEBUG: Parameter "typescript-name" omitted. Using default value
of "typescript".
guacd[902]: DEBUG: Parameter "create-typescript-path" omitted. Using default
value of 0.
guacd[902]: DEBUG: Parameter "recording-name" omitted. Using default value
of "recording".
guacd[902]: DEBUG: Parameter "create-recording-path" omitted. Using default
value of 0.
guacd[902]: DEBUG: Parameter "server-alive-interval" omitted. Using default
value of 0.
guacd[902]: INFO: User "@5d2e6ec5-c5d6-42bb-a260-7f3ffc837e5e" joined
connection "$35b81227-7e70-4672-bdf1-538af83eed45" (1 users now present)
guacd[902]: DEBUG: Attempting private key import (WITHOUT passphrase)
guacd[902]: INFO: Auth key successfully imported.
guacd[902]: DEBUG: Successfully connected to host 192.168.0.1, port 22
guacd[902]: ERROR: SSH handshake failed.




--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

Re: 9.14: SSH Handshake failed (extremeswitches)

vnick
On Fri, Jun 15, 2018 at 11:48 AM cchance <[hidden email]> wrote:
To log in to these switches normally we have to do +ssh-dsa and
+diffie-hellman-group-sha1 in my ssh config for a pc to be able to cleanly
ssh to one of these switches so not sure if that is what's causing issues
when it comes time to connect with Guacamole...

But every time I try to connect I get an SSH Handshake failed after entering
a password, same when using a private key... Always just SSH Handshake
failed...

Any idea what I can do to fix the problem?


What type of system are you running guacd on?  What version of libssh2 is installed?

-Nick 

Re: 9.14: SSH Handshake failed (extremeswitches)

cchance

Re: 9.14: SSH Handshake failed (extremeswitches)

vnick
On Fri, Jun 15, 2018 at 12:49 PM cchance <[hidden email]> wrote:
docker image
(https://github.com/oznu/docker-guacamole/blob/master/Dockerfile) so appears
to be libssh2-1-dev


Two things:
1) That doesn't tell me the version of the library.
2) That is not the official Guacamole docker image, nor a fork of that image.  It looks like it is based on the official tomcat Docker image, which also appears to be Debian-based, but it's hard to know what versions of packages are being loaded there.

Also, while libssh2 appears to support diffie-hellman-group1-sha1, it does appear to support ssh-dsa host keys - the web site lists ssh-rsa and ssh-dss.

-Nick

Re: 9.14: SSH Handshake failed (extremeswitches)

cchance
In reply to this post by vnick
I switched to the guacamole/guacd docker container and still have the same
issue, it seems the issue is DSA, some of my switches have a different
version that supports RSA and that logs in right away but DSA doesn't seem
to work when the switch has a DSA key on the server side, it doesn't appear
to work and gives a handshake failed.




Re: 9.14: SSH Handshake failed (extremeswitches)

vnick
On Fri, Jun 22, 2018 at 11:53 PM cchance <[hidden email]> wrote:
I switched to the guacamole/guacd docker container and still have the same
issue, it seems the issue is DSA, some of my switches have a different
version that supports RSA and that logs in right away but DSA doesn't seem
to work when the switch has a DSA key on the server side, it doesn't appear
to work and gives a handshake failed.



The Docker image currently published (0.9.14) still uses an older version of libssh2 from CentOS7.  Version 1.0.0, when it is released, switches to Debian stable as its base, and will have an updated libssh2.  You can build the Docker image from the current git repo and get this Debian-based image, but you'll have to build manually.

From my earlier response I speculated about DSS vs. DSA - I'm not an expert on SSH or Cryptography, but some further reading indicates that DSA is an implementation of DSS, so the later versions of libssh2 *probably* will support your Extreme switches.  However, again, you need to make sure you're actually using that later version, and the 0.9.14 Docker image available in Docker hub will not have that.

-Nick

Re: 9.14: SSH Handshake failed (extremeswitches)

cchance
Well no such luck, I decided to do a fork on the github guacamole-server and
use that instead, but to no avail, still can't connect to the devices with
the older version of openssh running. So the new libssh2 library from the
debian release didn't fix it




Re: 9.14: SSH Handshake failed (extremeswitches)

vnick


On Thu, Jul 5, 2018 at 15:30 cchance <[hidden email]> wrote:
Well no such luck, I decided to do a fork on the github guacamole-server and
use that instead, but to no avail, still can't connect to the devices with
the older version of openssh running. So the new libssh2 library from the
debian release didn't fix it


What version of libssh2??

-Nick

Re: 9.14: SSH Handshake failed (extremeswitches)

vnick
On Thu, Jul 5, 2018 at 3:34 PM Nick Couchman <[hidden email]> wrote:


On Thu, Jul 5, 2018 at 15:30 cchance <[hidden email]> wrote:
Well no such luck, I decided to do a fork on the github guacamole-server and
use that instead, but to no avail, still can't connect to the devices with
the older version of openssh running. So the new libssh2 library from the
debian release didn't fix it


What version of libssh2??

-Nick

FWIW - I was able to find a device that requires the same -oKexAlgorithms=+diffie-hellman-group1-sha1 key option that the Extreme switches you're managing require, and I'm able to connect without any issue.  I'm using the latest Guacamole Client/Server code from github, and have it installed on CentOS 7, and the libssh2 version is 1.4.3 (included with CentOS).  The only difference is that the devices I'm connecting to do not require the ssh-dsa option that you mentioned.

-Nick
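
Added example (not part of the thread, and not Guacamole or libssh2 code): a small diagnostic that decodes a server's SSH_MSG_KEXINIT name-lists and reports which categories share no algorithm with a client, which is the condition that ends a handshake before authentication. The server packet and the three client offers are constructed assumptions, and the matching rule is a simplification of RFC 4253 section 7.1.

```python
import struct

SSH_MSG_KEXINIT = 20
# Name-list order in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def offer(kex, host_key, enc, mac):
    """Expand four lists into the ten KEXINIT name-lists (same in both directions)."""
    return dict(zip(FIELDS, [kex, host_key, enc, enc, mac, mac, ["none"], ["none"], [], []]))

def build_kexinit(lists):
    """Serialize an offer; used here only to construct the sample server packet."""
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)   # message type + 16-byte cookie
    for field in FIELDS:
        names = ",".join(lists[field]).encode("ascii")
        body += struct.pack(">I", len(names)) + names
    return body + bytes(5)                        # first_kex_packet_follows + reserved

def parse_kexinit(payload):
    """Decode the ten name-lists, rejecting mistyped or truncated payloads."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset, lists = 17, {}
    for field in FIELDS:
        if offset + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        if offset + length > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[offset:offset + length].decode("ascii")
        lists[field] = raw.split(",") if raw else []
        offset += length
    return lists

def unmatched(client, server_payload):
    """Return the categories with no common algorithm (language lists ignored).
    Simplified rule: a category matches if any client name is also on the server's list."""
    server = parse_kexinit(server_payload)
    return [f for f in FIELDS[:8]
            if not any(name in server[f] for name in client[f])]

# Constructed sample data, not captured from a real switch or taken from libssh2.
SERVER = build_kexinit(offer(["diffie-hellman-group1-sha1"], ["ssh-dss"],
                             ["aes128-cbc", "3des-cbc"], ["hmac-sha1"]))
MODERN = offer(["curve25519-sha256", "diffie-hellman-group14-sha256"],
               ["ssh-ed25519", "rsa-sha2-256"], ["aes128-ctr", "aes128-cbc"], ["hmac-sha2-256", "hmac-sha1"])
KEX_ONLY = offer(MODERN["kex"] + ["diffie-hellman-group1-sha1"], MODERN["host_key"], MODERN["enc_c2s"], MODERN["mac_c2s"])
LEGACY = offer(KEX_ONLY["kex"], MODERN["host_key"] + ["ssh-dss"], MODERN["enc_c2s"], MODERN["mac_c2s"])
```

With these constructed lists, `unmatched(KEX_ONLY, SERVER)` still reports `host_key`: enabling the legacy key exchange alone does not help when the server presents only a DSA host key.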