darcs repository web UI and hosting app. This is the main darcsden trunk, which also runs hub.darcs.net. (https://hub.darcs.net)

#163 Connexion failure with recent openssh

I can't use ssh access on Ubuntu 16.04, with openssh 7.2p2. I see this:

darcs failed: Not a repository: fx@hub.darcs.net:fx/vc-darcs (The program "scp fx@hub.darcs.net:fx/vc-darcs//_darcs/inventory ./darcs1957747793424238335" failed with error: "Unable to negotiate with 173.255.219.222 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 ".)

See https://www.openssh.com/legacy.html

However, if I add the method for hub.darcs.net, an ssh connexion fails with this at the end of the output from -vv, which I assume needs debugging at that end:

    Authenticated to hub.darcs.net ([173.255.219.222]:22).
    debug2: fd 5 setting O_NONBLOCK
    debug2: fd 6 setting O_NONBLOCK
    debug1: channel 0: new [client-session]
    debug2: channel 0: send open
    debug1: Entering interactive session.
    debug1: pledge: network
    debug1: channel 0: free: client-session, nchannels 1
    debug1: fd 0 clearing O_NONBLOCK
    debug1: fd 1 clearing O_NONBLOCK
    Connection to hub.darcs.net closed by remote host.

  • Sorry, I hadn't spotted that this is a duplicate, and even in the FAQ, but then I get the disconnect error even with the ssh config change.

  • The newer, recommended kex works but hasn't been merged for the following reasons: http://hub.darcs.net/ganesh/ssh/issue/5#comment-20161123T170839 Perhaps we could temporarily deploy http://hub.darcs.net/pointfree/ssh-curve25519-sha256 just to hub.darcs.net for the sake of ux and security.

  • @fx: Does the output change after the ~/.ssh/config update? Can you post that snippet of your ~/.ssh/config? Are you just doing darcs push fx@hub.darcs.net:fx/vc-darcs?

    This is what I have in my ~/.ssh/config for hub.darcs.net:

    Host hub.darcs.net
       ControlMaster no
       ForwardAgent no
       ForwardX11 no
       KexAlgorithms +diffie-hellman-group1-sha1

    This is what I get from ssh -vv pointfree@hub.darcs.net upon authentication:

    Authenticated to hub.darcs.net ([173.255.219.222]:22).
    debug1: channel 0: new [client-session]
    debug2: channel 0: send open
    debug1: Entering interactive session.
    debug1: pledge: network
    debug2: callback start
    debug2: fd 3 setting TCP_NODELAY
    debug2: client_session2_setup: id 0
    debug2: channel 0: request pty-req confirm 1
    debug2: channel 0: request shell confirm 1
    debug2: callback done
    debug2: channel 0: open confirm rwindow 2097152 rmax 32768
    debug2: channel 0: rcvd ext data 1018
    debug2: channel_input_status_confirm: type 100 id 0
    PTY allocation request failed on channel 0
    debug2: channel 0: rcvd ext data 52
    debug2: channel_input_status_confirm: type 100 id 0
    shell request failed on channel 0

  • On my Ubuntu 16.04 box with openssh 7.2p2, I have the same in ~/.ssh/config:

    Host hub.darcs.net
       ControlMaster no
       ForwardAgent no
       ForwardX11 no
       KexAlgorithms +diffie-hellman-group1-sha1

    and can connect normally:

    $ ssh hub.darcs.net -v
    OpenSSH_7.2p2 Ubuntu-4ubuntu2.1, OpenSSL 1.0.2g-fips  1 Mar 2016
    debug1: Reading configuration data /home/simon/.ssh/config
    debug1: /home/simon/.ssh/config line 5: Applying options for *
    debug1: /home/simon/.ssh/config line 16: Applying options for hub.darcs.net
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 19: Applying options for *
    debug1: Connecting to hub.darcs.net [173.255.219.222] port 22.
    debug1: Connection established.
    ...
    debug1: Authenticating to hub.darcs.net:22 as 'simon'
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: algorithm: diffie-hellman-group1-sha1
    debug1: kex: host key algorithm: ssh-rsa
    debug1: kex: server->client cipher: aes128-cbc MAC: hmac-sha1 compression: none
    debug1: kex: client->server cipher: aes128-cbc MAC: hmac-sha1 compression: none
    debug1: sending SSH2_MSG_KEXDH_INIT
    debug1: expecting SSH2_MSG_KEXDH_REPLY
    debug1: Server host key: ssh-rsa SHA256:C7v5yTl4PpF1QaXYM+rgccUGkik3XE7/VLjqCjcGIl8
    debug1: Host 'hub.darcs.net' is known and matches the RSA host key.
    debug1: Found key in /home/simon/.ssh/known_hosts:18
    debug1: rekey after 4294967296 blocks
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: rekey after 4294967296 blocks
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: /home/simon/.ssh/id_rsa
    debug1: Server accepts key: pkalg ssh-rsa blen 279
    debug1: Authentication succeeded (publickey).
    Authenticated to hub.darcs.net ([173.255.219.222]:22).
    ...
    • status set to closed

    [I'm getting rather useless mail copies of this which have an empty text/plain part and unreadable text/html with no linebreaks.]

    Yes, I have the same in .ssh/config as in the FAQ (apart from adding User).

    Anyhow, I found what was going on to some extent. I looked again at the output and realized it said

    debug1: Offering ECDSA public key: /home/fx/.ssh/id_ecdsa
    debug1: Authentication succeeded (publickey).
    Authenticated to hub.darcs.net ([173.255.219.222]:22).

    but that wasn't one of my uploaded keys. I've just uploaded the rsa default one from this system, and it now connects OK. It seems a bit worrying that it reports successful authentication.

    • status set to open

    I didn't mean to close this, given the bogus authentication response.
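Added example, not part of the thread or of darcsden's code: a small audit of `ssh -v` output that reports which negotiated algorithms fall on a legacy list and which identity file was offered just before authentication succeeded, the two things the participants read off their logs by hand. The `LEGACY` set and the `uploaded_keys` parameter are assumptions of this example; the sample logs are excerpts of lines quoted in the thread.

```python
import re

# Assumed audit policy for this example (not a list published by OpenSSH):
# algorithm names to flag when they appear in a negotiated session.
LEGACY = {"diffie-hellman-group1-sha1", "aes128-cbc", "hmac-sha1"}

KEX_RE = re.compile(r"debug1: kex: algorithm: (\S+)")
CIPHER_RE = re.compile(r"debug1: kex: \S+ cipher: (\S+) MAC: (\S+)")
OFFER_RE = re.compile(r"debug1: Offering \S+ public key: (\S+)")
AUTH_OK = "debug1: Authentication succeeded (publickey)"

# Sample input: excerpts of the debug lines quoted in the thread.
SIMON_LOG = """\
debug1: kex: algorithm: diffie-hellman-group1-sha1
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-cbc MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-cbc MAC: hmac-sha1 compression: none
debug1: Offering RSA public key: /home/simon/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
"""
FX_LOG = """\
debug1: Offering ECDSA public key: /home/fx/.ssh/id_ecdsa
debug1: Authentication succeeded (publickey).
"""


def audit(log, uploaded_keys):
    """Summarise one `ssh -v` session.

    uploaded_keys (hypothetical parameter): local identity files whose
    public half the user believes is registered with the server.
    """
    negotiated, offered, auth_key = set(), None, None
    for line in log.splitlines():
        line = line.strip()
        if m := KEX_RE.search(line):
            negotiated.add(m.group(1))
        elif m := CIPHER_RE.search(line):
            negotiated.update(m.groups())   # cipher and MAC, either direction
        elif m := OFFER_RE.search(line):
            offered = m.group(1)            # most recent identity offered
        elif line.startswith(AUTH_OK):
            auth_key = offered              # last offer before success
    return {
        "legacy": sorted(negotiated & LEGACY),
        "auth_key": auth_key,
        "unexpected_key": auth_key is not None and auth_key not in uploaded_keys,
    }
```

Calling `audit(FX_LOG, {"/home/fx/.ssh/id_rsa"})` marks the ECDSA identity as unexpected, which is the mismatch the last comment describes.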