Option to enable insecure SSH algos per-target #961

Closed
greg1985 opened this issue Mar 5, 2024 · 6 comments

greg1985 commented Mar 5, 2024

Any clue what should be changed in warpgate configuration/code to solve this?
It's not possible to change the ssh configuration of the device I want to connect to (it's an old network device), thus all changes need to be done on the warpgate side.
Any help will be highly appreciated.

5.03.2024, 12:35:02	Closed connection
5.03.2024, 12:35:02	Client session closed
5.03.2024, 12:35:02	Connection error error:Ssh(NoCommonKexAlgo)
5.03.2024, 12:35:02	Opening shell channel_id:d619a0a1-0d08-4efc-bcd8-d0be26afb27e client_ip:172.17.60.100
5.03.2024, 12:35:02	Recording session f018f560-fef1-4d3d-bd10-046438c7d707 client_ip:172.17.60.100 name:shell-channel-2 path:"/data/recordings/f018f560-fef1-4d3d-bd10-046438c7d707/shell-channel-2"
5.03.2024, 12:35:02	Connecting address:172.17.61.232:22 username:admin
5.03.2024, 12:35:02	Opening session channel channel:d619a0a1-0d08-4efc-bcd8-d0be26afb27e client_ip:172.17.60.100
5.03.2024, 12:35:02	Authenticated client_ip:172.17.60.100 credentials:password username:aktywa
5.03.2024, 12:35:02	Password auth as <aktywa for V5824G_L> client_ip:172.17.60.100
5.03.2024, 12:34:53	Keyboard-interactive auth as <aktywa for V5824G_L> client_ip:172.17.60.100
End of the log
Member

Eugeny commented Mar 5, 2024

Looks like it couldn't find any common kex algorithm with the device. If you can access it with OpenSSH, run it with -v to see which kex was negotiated.

Author

greg1985 commented Mar 5, 2024

OpenSSH_8.2p1 Ubuntu-4ubuntu0.4, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /home/maciek/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to 172.17.61.232 [172.17.61.232] port 22.
debug1: Connection established.
debug1: identity file /home/maciek/.ssh/id_rsa type 0
debug1: identity file /home/maciek/.ssh/id_rsa-cert type -1
debug1: identity file /home/maciek/.ssh/id_dsa type -1
debug1: identity file /home/maciek/.ssh/id_dsa-cert type -1
debug1: identity file /home/maciek/.ssh/id_ecdsa type -1
debug1: identity file /home/maciek/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/maciek/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/maciek/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/maciek/.ssh/id_ed25519 type -1
debug1: identity file /home/maciek/.ssh/id_ed25519-cert type -1
debug1: identity file /home/maciek/.ssh/id_ed25519_sk type -1
debug1: identity file /home/maciek/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/maciek/.ssh/id_xmss type -1
debug1: identity file /home/maciek/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.8p1
debug1: match: OpenSSH_3.8p1 pat OpenSSH_3.* compat 0x01000002
debug1: Authenticating to 172.17.61.232:22 as 'admin'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: (no match)
Unable to negotiate with 172.17.61.232 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

Author

greg1985 commented Mar 5, 2024

Could you please let me know where's the sshd config on the warpgate docker container? Then I can add that algo to the list easily.
Thanks in advance!

Member

Eugeny commented Mar 5, 2024

> diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

Yeah those are the only two kex algorithms it supports and they're insecure and disabled in Warpgate.

I'll update this ticket to instead be a feature request to add an option to enable these per-target

> Could you please let me know where's the sshd config on the warpgate container? Then I can add that algo to the list easily.

Warpgate doesn't use OpenSSH.
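
Added example (not part of the thread and not Warpgate's code): a Python sketch of the client-preference kex selection rule from RFC 4253 section 7.1, applied to the offer in the `ssh -v` output above, showing why the connection fails by default and what a per-target opt-in would change. `MODERN_KEX`, `kex_for_target`, `classify` and the `allow_insecure` flag are hypothetical names, and the modern list is an assumed sample, not Warpgate's actual defaults.

```python
import re

# Assumed sample of a modern client kex list (constructed, not Warpgate's defaults).
MODERN_KEX = [
    "curve25519-sha256",
    "ecdh-sha2-nistp256",
    "diffie-hellman-group16-sha512",
    "diffie-hellman-group14-sha256",
]
# The two SHA-1 kex methods the device in this thread offers.
LEGACY_KEX = ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group1-sha1"]

# Final line of the `ssh -v` output posted above.
SSH_V_TAIL = (
    "Unable to negotiate with 172.17.61.232 port 22: no matching key exchange "
    "method found. Their offer: "
    "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1"
)
OFFER_RE = re.compile(r"no matching key exchange method found\. Their offer: (\S+)")

def server_offer(ssh_v_output):
    """Extract the server's kex name-list from OpenSSH's negotiation error."""
    m = OFFER_RE.search(ssh_v_output)
    return m.group(1).split(",") if m else []

def negotiate(client, server):
    """RFC 4253 7.1, simplified (host-key compatibility conditions ignored):
    the first name on the client's list that the server also offers wins."""
    offered = set(server)
    return next((alg for alg in client if alg in offered), None)

def kex_for_target(offer, allow_insecure=False):
    # Legacy methods are appended last, so they are used only as a fallback
    # and only for targets that explicitly opt in.
    client = MODERN_KEX + (LEGACY_KEX if allow_insecure else [])
    return negotiate(client, offer)

def classify(offer):
    """Return (negotiated_kex, status) for one target's offered kex list."""
    alg = kex_for_target(offer)
    if alg:
        return alg, "ok"
    alg = kex_for_target(offer, allow_insecure=True)
    if alg:
        return alg, "legacy-opt-in-required"
    return None, "no-common-kex"

if __name__ == "__main__":
    print(classify(server_offer(SSH_V_TAIL)))
```

Because the legacy names sit at the end of the client list and are added per target, a modern server still negotiates a modern method even when the opt-in is enabled for it.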

@Eugeny Eugeny changed the title Can't connect to an old netwrok device Option to enable insecure kex per-target Mar 5, 2024
@Eugeny Eugeny changed the title Option to enable insecure kex per-target Option to enable insecure SSH algos per-target Mar 5, 2024
Author

greg1985 commented Mar 5, 2024

Hope this option will be added in the not-so-distant future :)
Thanks for your prompt responses.

Author

greg1985 commented Apr 4, 2024

Hello Eugeny,
thanks for the update. I've just tested the nightly build. Unfortunately, this setting is not saved. Each time I click the "Update configuration" button, it goes to the off state. Any clue why?
Below you can check connection logs from before and after I tried to enable this new option.

11:25:15 ERROR SSH: Connection error error=Ssh(NoCommonKexAlgo) session=8b0559d6-4433-4627-9b53-195aac9a7040
11:25:15  INFO SSH: Client session closed session=8b0559d6-4433-4627-9b53-195aac9a7040
11:25:15  INFO SSH: Closed connection session=8b0559d6-4433-4627-9b53-195aac9a7040
11:25:15  INFO Closed session
11:25:15  INFO Closed session
11:25:15  INFO SSH: Client session closed session=70e73e76-9514-4bae-b2f1-6e3f66e04c50
11:25:15  INFO SSH: Closed connection session=70e73e76-9514-4bae-b2f1-6e3f66e04c50
11:25:28  INFO HTTP: Request method=PUT url=https://172.17.61.233:8888/@warpgate/admin/api/targets/4ed0f9f0-f83a-47ab-958b-6acf785a7b2b status=200 OK client_ip=172.17.60.123 session=a03329e9-c04b-46a1-9738-391d12c3e6d4 session_username=admin client_ip=172.17.60.123
11:25:32  INFO SSH: Password auth as <admin for V5824G_L> session=230c931b-c883-42d8-b268-8abb4fc023b0 client_ip=172.17.60.123
11:25:32  INFO SSH: Authenticated username=admin credentials=password session=230c931b-c883-42d8-b268-8abb4fc023b0 client_ip=172.17.60.123
11:25:32  INFO SSH: Opening session channel channel=926a8754-6ddc-4f72-956a-ea51c2df0163 session=230c931b-c883-42d8-b268-8abb4fc023b0 session_username=admin client_ip=172.17.60.123
11:25:32  INFO SSH: Connecting address=172.17.61.232:22 username="admin" session=230c931b-c883-42d8-b268-8abb4fc023b0
11:25:32  INFO SSH: Recording session 230c931b-c883-42d8-b268-8abb4fc023b0 name=shell-channel-2 path="/data/recordings/230c931b-c883-42d8-b268-8abb4fc023b0/shell-channel-2" session=230c931b-c883-42d8-b268-8abb4fc023b0 session_username=admin client_ip=172.17.60.123
11:25:32  INFO SSH: Opening shell channel_id=926a8754-6ddc-4f72-956a-ea51c2df0163 session=230c931b-c883-42d8-b268-8abb4fc023b0 session_username=admin client_ip=172.17.60.123
11:25:32 ERROR SSH: Connection error error=Ssh(NoCommonKexAlgo) session=230c931b-c883-42d8-b268-8abb4fc023b0
11:25:32  INFO SSH: Client session closed session=230c931b-c883-42d8-b268-8abb4fc023b0
11:25:32  INFO SSH: Closed connection session=230c931b-c883-42d8-b268-8abb4fc023b0
11:25:32  INFO Closed session
11:25:32  INFO Closed session
11:25:32  INFO SSH: Client session closed session=0574c7a2-90c9-4b3d-81e5-e74f19b4c51a
11:25:32  INFO SSH: Closed connection session=0574c7a2-90c9-4b3d-81e5-e74f19b4c51a
