Opened 4 years ago

Closed 3 years ago

#270 closed defect (fixed)

Winswitch unable to connect over ssh from MS Windows to server running openssh 6.7

Reported by: dfeldstern Owned by: dfeldstern
Priority: critical Milestone: 0.12
Component: Global Keywords:
Cc:

Description

After upgrading a linux server to openssh 6.7, I'm no longer able to connect to it from MS Windows (winswitch 0.12.20). In the server's log I see "fatal: Unable to negotiate a key exchange method [preauth]". I have no trouble connecting to the server via putty.

It seems that this is a twisted-conch issue: http://twistedmatrix.com/trac/ticket/7672

However, I assume that even once that's fixed, some work will be required on winswitch's part, too, even if only to create a new build; so opening a ticket here, too.

Change History (14)

comment:1 Changed 4 years ago by Antoine gmail

Milestone: 0.12
Owner: set to Antoine gmail
Priority: major → critical
Status: new → accepted

Thanks for the pointer, it does look like this will require a new build - which could be tricky because last time I looked at it, there were backwards incompatible changes in Twisted 10 or 11..

comment:2 Changed 4 years ago by dfeldstern

Thanks for the quick response! Just to clarify -- AFAICT this hasn't been fixed yet in twisted itself...

I know that the following idea probably makes absolutely no sense, but just throwing it out there because of my interest in #190 (see comment 5 there) : given the backwards-incompatibilities in twisted, would it make any sense to switch to paramiko for ssh?

comment:3 Changed 4 years ago by Antoine gmail

Another problem with moving to paramiko is that the current code uses the twisted deferred, and I'm not sure how to convert that to paramiko without using threads.. and threads are hard to get right.
Also, I don't have time. Patches are most welcome though!

comment:4 Changed 4 years ago by infernix

This affects Debian Jessie because they carry OpenSSH 6.7 by default.

I have found no other way to fix this other than forward-porting OpenSSH 6.6 from Wheezy.

comment:5 Changed 4 years ago by Antoine Martin

Still no resolution... twisted conch is not used much then.
(and I still don't have time to try to move back to paramiko or something else)
PITA.

comment:6 Changed 4 years ago by infernix

Adding this to sshd_config worked for me on Debian 8:

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

comment:7 Changed 3 years ago by Nathan Rennie-Waldock

I got this on Ubuntu 15.04 (OpenSSH 6.7). I had to add diffie-hellman-group1-sha1 to KexAlgorithms and hmac-sha1 to MACs.

However, we do need a new Windows build with the latest Twisted as OpenSSH 6.9 has dropped support for the old key exchange message so Windows clients can no longer connect.

Twisted finally supports the new message (RFC4419, March 2006) since v15.5.0 (November 2015): https://twistedmatrix.com/trac/ticket/8100
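
The negotiation failure and the sshd_config workaround from comments 6 and 7, as an added example (not code from winswitch, Twisted or any commenter): it parses the workaround lines, applies a simplified RFC 4253 selection rule, and lists the legacy algorithms the configuration re-enables. The client offer lists, the MACs line and the "before" server list are constructed assumptions.

```python
# Added example; the sample lists are constructed and are not from winswitch or Twisted.
LEGACY = {"diffie-hellman-group1-sha1", "hmac-sha1"}  # the names comment 7 re-enabled

def parse_sshd_config(text):
    """Return {"kexalgorithms": [...], "macs": [...]} for the lines present.
    Only plain comma-separated lists are handled."""
    found = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0].lower() in ("kexalgorithms", "macs"):
            algs = [a.strip() for a in parts[1].split(",") if a.strip()]
            found.setdefault(parts[0].lower(), algs)  # sshd keeps the first value seen
    return found

def negotiate(client, server):
    """Simplified RFC 4253 section 7.1 rule: the first name on the client's
    list that the server also supports, or None when nothing matches."""
    return next((alg for alg in client if alg in server), None)

def legacy_enabled(cfg):
    """Legacy names the configuration explicitly enables, sorted."""
    return sorted(a for algs in cfg.values() for a in algs if a in LEGACY)

# KexAlgorithms value from comment 6.
COMMENT6_KEX = ("curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,"
                "ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,"
                "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1")
# Constructed: the MACs line is illustrative; the page only names hmac-sha1.
WORKAROUND = "KexAlgorithms " + COMMENT6_KEX + "\nMACs hmac-sha2-256,hmac-sha1\n"
# Assumption: the server list before the workaround is comment 6's list minus its last entry.
BEFORE_KEX = COMMENT6_KEX.split(",")[:-1]
# Assumption: an old client that offers only SHA-1 group1 / group-exchange methods.
OLD_CLIENT_KEX = ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group1-sha1"]
MODERN_CLIENT_KEX = ["curve25519-sha256@libssh.org", "diffie-hellman-group14-sha1"]

if __name__ == "__main__":
    cfg = parse_sshd_config(WORKAROUND)
    print("before workaround:", negotiate(OLD_CLIENT_KEX, BEFORE_KEX))
    print("after workaround: ", negotiate(OLD_CLIENT_KEX, cfg["kexalgorithms"]))
    print("modern client:    ", negotiate(MODERN_CLIENT_KEX, cfg["kexalgorithms"]))
    print("legacy enabled:   ", legacy_enabled(cfg))
```

Because selection follows the client's preference order, the re-enabled legacy names are only chosen for clients that offer nothing stronger, so they can be dropped from sshd_config once every client runs a fixed build.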

comment:8 Changed 3 years ago by Antoine gmail

OK, I'll make a new build in the coming weeks.

Similar to #285: Ubuntu Trusty uses an old version of Twisted conch, which has the same issue. (nothing we can do to fix that one)

comment:9 Changed 3 years ago by Antoine gmail

I've just done this for xpra: we overwrite the newer Plink.exe at install time if we detect Windows XP: http://xpra.org/trac/ticket/1095.
(the default is the new Plink, which is win7 onwards only)

comment:11 Changed 3 years ago by Nathan Rennie-Waldock

Bump
I spent a few days trying to build it myself and failed. Issues with gstreamer not working with python 2.7 and left with a winswitch build that doesn't run (quits immediately).

comment:12 Changed 3 years ago by Antoine gmail

ACK, sorry about the delay.

comment:13 Changed 3 years ago by Antoine gmail

Debugging stuff on MS Windows with py2exe is hard, took all day (fix one thing - break another), mostly done as of r5367 + r5365 + r5370.
And lots more changes, like unbundling xpra - so still a lot more to do...

comment:14 Changed 3 years ago by Antoine gmail

Owner: changed from Antoine gmail to dfeldstern
Status: accepted → assigned

As per http://lists.devloop.org.uk/pipermail/shifter-users/2016-April/001507.html, the latest RC builds should be good.

If this works for you, please close the ticket.

comment:15 Changed 3 years ago by Nathan Rennie-Waldock

Resolution: fixed
Status: assigned → closed

Latest build works for me, thanks.