Winswitch unable to connect over ssh from MS Windows to server running openssh 6.7

[dfeldstern]

After upgrading a linux server to openssh 6.7, I'm no longer able to connect to it from MS Windows (winswitch 0.12.20). In the server's log I see "fatal: Unable to negotiate a key exchange method [preauth]". I have no trouble connecting to the server via putty.

It seems that this is a twisted-conch issue: ​http://twistedmatrix.com/trac/ticket/7672

However, I assume that even once that's fixed, some work will be required on winswitch's part, too, even if only to create a new build; so opening a ticker here, too.

[Antoine gmail]

Thanks for the pointer, it does look like this will require a new build - which could be tricky because last time I looked at it, there were backwards incompatible changes in Twisted 10 or 11..

[dfeldstern]

Thanks for the quick response! Just to clarify -- AFAICT this hasn't been fixed yet in twisted itself...

I know that the following idea probably makes absolutely no sense, but just throwing it out there because of my interest in #190 (see comment 5 there) : given the backwards-incompatibilities in twisted, would it make any sense to switch to paramiko for ssh?

[Antoine gmail]

Another problem with moving to paramiko is that the current code uses the twisted deferred, and I'm not sure how to convert that to paramiko without using threads.. and threads are hard to get right.
Also, I don't have time. Patches are most welcome though!

[infernix]

This affects Debian Jessie because they carry OpenSSH 6.7 by default.

I have found no other way to fix this other than forward-porting OpenSSH 6.6 from Wheezy.

[Antoine Martin]

Still no resolution... twisted conch is not used much then.
(and I still don't have time to try to move back to paramiko or something else)
PITA.

[infernix]

Adding this to sshd_config worked for me on Debian 8:

KexAlgorithms [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

[Nathan Rennie-Waldock]

I got this on Ubuntu 15.04 (OpenSSH 6.7). I had to add diffie-hellman-group1-sha1 to KexAlgorithms? and hmac-sha1 to MACs.

However, we do need a new Windows build with the latest Twisted as OpenSSH 6.9 has dropped support for the old key exchange message so Windows clients can no longer connect.

Twisted finally supports the new message (RFC4419, March 2006) since v15.5.0 (November 2015): ​https://twistedmatrix.com/trac/ticket/8100

[Antoine gmail]

OK, I'll make a new build in the coming weeks.

Similar to #285: Ubuntu Trusty uses an old version of Twisted conch, which has the same issue. (nothing we can do to fix that one)

[Antoine gmail]

I've just done this for xpra: we overwrite the newer Plink.exe at install time if we detect Windows XP: ​http://xpra.org/trac/ticket/1095.
(the default is the new Plink, which is win7 onwards only)

[Nathan Rennie-Waldock]

Bump
I spent a few days trying to build it myself and failed. Issues with gstreamer not working with python 2.7 and left with a winswitch build that doesn't run (quits immediately).

[Antoine gmail]

ACK, sorry about the delay.

[Antoine gmail]

Debugging stuff on MS Windows with py2exe is hard, took all day (fix one thing - break another), mostly done as of r5367 + r5365 + r5370.
And lots more changes, like unbundling xpra - so still a lot more to do...

[Antoine gmail]

As per ​http://lists.devloop.org.uk/pipermail/shifter-users/2016-April/001507.html, the latest RC builds should be good.

If this works for you, please close the ticket.

[Nathan Rennie-Waldock]

Latest build works for me, thanks.