Archived Forum Post


Question:

Communication with old ssh servers.

Jun 16 '16 at 11:55

Is it wise to communicate with servers running older versions of ssh? I mean like pre 2006?

What version does chilkat start with?

We have a client running 3.9, and chilkat will not negotiate. Which is probably good. Filezilla works.

clientIdentifier: SSH-2.0-PuTTY_Release_0.63

Sending client identifier...

Done sending client identifier.

Reading server version...

initialDataFromSshServer: SSH-2.0-OpenSSH_3.9p1

Thanks.


Answer

OpenSSH is just a particular implementation of the SSH protocol. The SSH protocol is open-ended in that it allows for all sorts of different algorithms (encryption, mac, host key, key exchange, etc.) to be supported or not supported. New algorithms have been standardized over the years.

To see what happened, use verbose logging and post the LastErrorText for the Connect method call.


Answer

ChilkatLog:

Connect_SFtp(125ms):

DllDate: Dec 29 2015

ChilkatVersion: 9.5.0.55

UnlockPrefix:*******
Username: W12-FTPPEND01:svc_ftp

Architecture: Little Endian; 32-bit

Language: Windows Perl

VerboseLogging: 1

SftpVersion: 0

connectInner(125ms):

  hostname: ftp.glasslewis.com

  port: 22

  sshConnect(31ms):

    connectSocket(31ms):

      domainOrIpAddress: ftp.glasslewis.com

      port: 22

      connectTimeoutMs: 30000

      connect_ipv6_or_ipv4(31ms):

        Multi-threaded domain to IP address resolution

        connecting to IPV4 address...

        ipAddress: 72.3.217.177

        createSocket:

          Setting SO_SNDBUF size

          sendBufSize: 262144

          Setting SO_RCVBUF size

          recvBufSize: 4194304

        --createSocket

        connect(31ms):

          Waiting for the connect to complete...

          myIP: 10.45.6.11

          myPort: 51078

          socket connect successful.

        --connect

      --connect_ipv6_or_ipv4

    --connectSocket

    Established TCP/IP connection with SSH server

    Turning on TCP_NODELAY.

  --sshConnect

  sshSetupConnection(94ms):

    clientIdentifier: SSH-2.0-PuTTY_Release_0.63

    Sending client identifier...

    Done sending client identifier.

    Reading server version...

    initialDataFromSshServer: SSH-2.0-OpenSSH_3.9p1

    serverVersion: SSH-2.0-OpenSSH_3.9p1

    build_kexInit:

      preferRsaHostKeyAlgorithm: 1

    --build_kexInit

    KeyExchangeAlgs:

      algorithm: diffie-hellman-group-exchange-sha1

      algorithm: diffie-hellman-group14-sha1

      algorithm: diffie-hellman-group1-sha1

    --KeyExchangeAlgs

    HostKeyAlgs:

      algorithm: ssh-rsa

      algorithm: ssh-dss

    --HostKeyAlgs

    EncCS:

      algorithm: arcfour

      algorithm: aes128-ctr

      algorithm: aes192-ctr

      algorithm: aes256-ctr

    --EncCS

    EncSC:

      algorithm: arcfour

      algorithm: aes128-ctr

      algorithm: aes192-ctr

      algorithm: aes256-ctr

    --EncSC

    MacCS:

      algorithm: hmac-sha1

      algorithm: hmac-ripemd160

    --MacCS

    MacSC:

      algorithm: hmac-sha1

      algorithm: hmac-ripemd160

    --MacSC

    CompCS:

      algorithm: none

      algorithm: zlib

    --CompCS

    CompSC:

      algorithm: none

      algorithm: zlib

    --CompSC

    Unable to agree upon server-to-client encryption algorithm.

    Unable to agree upon client-to-server encryption algorithm.

    ChosenIncomingMac: hmac-sha1

    ChosenOutgoingMac: hmac-sha1

    ChosenIncomingCompression: zlib

    ChosenOutgoingCompression: zlib

    ChosenKexAlgorithm: diffie-hellman-group-exchange-sha1

    choose_hostkey_algorithm:

      preferRsaHostKeyAlgorithm: 1

    --choose_hostkey_algorithm

    ChosenHostKeyAlgorithm: ssh-rsa

    numBits: 128

    pbits: 1024

    Using GEX Group.

    Sending KEX_DH_GEX_REQUEST...

    pbits: 1024

    numBytesRequested: 8

    Connection closed by peer.

    passiveClose(16ms):

      Passive socket closing complete.

    --passiveClose

    sshRawPacket: Socket connection closed.

    sshDhGex: Socket connection closed.

    Failed to read KEX_DH_GEX_REQUEST response

  --sshSetupConnection

--connectInner

Failed.

--Connect_SFtp

--ChilkatLog


Answer

I found comments in Chilkat's internal source indicating that CTR mode was not implemented correctly in some older versions of OpenSSH. Chilkat automatically turned off the ability to select these algorithms when the server version string indicates an older version of OpenSSH.

I made a change so that instead of turning CTR mode off, it puts those algorithms at lowest priority, allowing others to be chosen if any exist. (arcfour is off by default because it is insecure).

Please tell me your version of Perl (such as 5.12, 5.16, etc.) and I'll provide a new build.
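
The difference between turning CTR off and moving it to lowest priority, as an added example that is not Chilkat's code or part of the original post. It applies the RFC 4253 rule that the first cipher on the client's list that the server also supports is chosen; the cipher lists, the 4.0 version cutoff and all function names are assumptions made for illustration.

```python
import re

# Constructed client preference list (arcfour left out, as it is off by default).
CLIENT_CIPHERS = ["aes128-ctr", "aes256-ctr", "aes128-cbc", "3des-cbc"]

# Constructed server list reusing the algorithm names shown under EncCS in the log.
SERVER_CIPHERS = ["arcfour", "aes128-ctr", "aes192-ctr", "aes256-ctr"]


def parse_openssh_version(banner):
    """Return (major, minor) from an SSH identification string, or None."""
    m = re.match(r"SSH-[\d.]+-OpenSSH_(\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_old_openssh(banner, cutoff=(4, 0)):
    """True for OpenSSH older than cutoff (hypothetical threshold, not from the page)."""
    version = parse_openssh_version(banner)
    return version is not None and version < cutoff


def client_proposal(banner, policy):
    """Build the client's cipher list for this server.

    policy "disable": drop CTR ciphers for old OpenSSH (behaviour before the change).
    policy "demote":  keep CTR ciphers but list them last (behaviour after the change).
    """
    if not is_old_openssh(banner):
        return list(CLIENT_CIPHERS)
    ctr = [c for c in CLIENT_CIPHERS if c.endswith("-ctr")]
    rest = [c for c in CLIENT_CIPHERS if not c.endswith("-ctr")]
    return rest if policy == "disable" else rest + ctr


def negotiate(client_list, server_list):
    """RFC 4253 section 7.1: first client algorithm that the server also lists."""
    server = set(server_list)
    for alg in client_list:
        if alg in server:
            return alg
    return None  # no common cipher: the connection cannot proceed


if __name__ == "__main__":
    banner = "SSH-2.0-OpenSSH_3.9p1"  # server version string from the log
    for policy in ("disable", "demote"):
        chosen = negotiate(client_proposal(banner, policy), SERVER_CIPHERS)
        print(policy, "->", chosen or "unable to agree on encryption algorithm")
```
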


Answer

Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\LE03964a>perl --version

This is perl 5, version 16, subversion 3 (v5.16.3) built for MSWin32-x86-multi-thread (with 1 registered patch, see perl -V for more detail)

Copyright 1987-2012, Larry Wall

Binary build 1604 [298023] provided by ActiveState http://www.ActiveState.com Built Apr 14 2014 14:32:20

Perl may be copied only under the terms of either the Artistic License or the GNU General Public License, which may be found in the Perl 5 source kit.

Complete documentation for Perl, including FAQ lists, should be found on this system using "man perl" or "perldoc perl". If you have access to the Internet, point your browser at http://www.perl.org/, the Perl Home Page.


Answer

Here's a build with the change: http://www.chilkatsoft.com/download/preRelease/chilkat-9.5.0-perl-5.16-x86-win.zip


Answer

Thank you so much.