
SSH key exchange error when using netconf-console2 (py tool) login

Open guangjung opened this issue 10 months ago • 8 comments

Server Env: netopeer2 (v2.2.8) + libyang (v3.1.0) + libnetconf2 (v3.3.3) + sysrepo (v2.10.1) + libssh (0.10.6)

Client Env: netconf-console2 (v3.0.0) + ncclient (v0.6.7) + paramiko (v2.6.0)

Logging in with /usr/local/bin/netopeer2-cli using the account (admin/welcome) works. But logging in with netconf-console2 fails; the netopeer2-server log has the following error info, and the same netconf-console2 works on the old netopeer2 (v2.1.36) + libnetconf2 (v2.1.18). Why, and how should I modify the code to make netconf-console2 work? Looking forward to your reply, thanks.

Error log of netconf-console2:

  $ netconf-console2 --host=172.16.166.228 --user=admin --password=welcome --port=830 get-oc-platform-all.xml
  Exception: Incompatible ssh peer (no acceptable host key)
  Traceback (most recent call last):
    File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2127, in run
      self._handler_table[ptype](self, m)
    File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2242, in _negotiate_keys
      self._parse_kex_init(m)
    File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2482, in _parse_kex_init
      raise SSHException(
  paramiko.ssh_exception.SSHException: Incompatible ssh peer (no acceptable host key)

Error log of netopeer2-server (using -d -v 2):

  [INF]: LN: Accepted a connection on 0.0.0.0:830 from 172.16.161.114:36360.
  [2021/01/06 02:19:09.253695, 1] ssh_kex_select_methods: kex error : no match for method server host key algo: server [rsa-sha2-512,rsa-sha2-256], client [ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss]
  [ERR]: LN: SSH key exchange error (kex error : no match for method server host key algo: server [rsa-sha2-512,rsa-sha2-256], client [ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss]).

Some other info:

  // login ok
  sh-5.2# /usr/local/bin/netopeer2-cli
  load_config: No saved configuration.
  connect --ssh --host localhost --port 830 --login admin
  admin@localhost password:

  // NETCONF key configuration:
  ietf-keystore-startup.xml is generated from the merge_hostkey.sh script.
  ietf-netconf-server-startup.xml: refer to ietf-netconf-server-startup.xml.txt

guangjung avatar Feb 16 '25 09:02 guangjung

By default, the server uses an RSA host key, which the client does not support (only the most basic non-secure RSA version). Either change the netopeer2 configuration to use an ECDSA host key or change your client configuration to accept the server host key algorithm, there is no other solution.

michalvasko avatar Feb 17 '25 09:02 michalvasko


Thank you for your reply.

  1. I upgraded the client (netconf-console2 (v3.0.1) + paramiko (v3.5.1)); netconf-console2 may work.

  2. If I use an RSA host key, how do I modify the netopeer2 code or configuration (e.g. libssh or /etc/ssh/libssh_server_config) to make the old netconf-console2 work?

guangjung avatar Feb 19 '25 00:02 guangjung

You can explicitly set supported host key algorithms in the YANG configuration, the nodes (printed by yanglint tree printer):

module: ietf-netconf-server
  +--rw netconf-server {central-netconf-server-supported}?
     +--rw listen! {ssh-listen or tls-listen}?
        +--rw endpoints
           +--rw endpoint* [name]
              +--rw (transport)
                 +--:(ssh) {ssh-listen}?
                    +--rw ssh
                       +--rw ssh-server-parameters
                          +--rw transport-params {sshcmn:transport-params}?
                             +--rw host-key
                                +--rw host-key-alg*   identityref

The algorithms are defined in iana-ssh-public-key-algs.

But it is strange that you have only 2 algorithms enabled, which is definitely not the default configuration, so probably the sshd config file is used (by libssh), which you can also modify. It should be /etc/ssh/sshd_config.

michalvasko avatar Feb 19 '25 07:02 michalvasko
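The following is an added example for this thread, written by the editor; it is not code from netopeer2, libnetconf2 or libssh. It does two things that the log in the first post and the YANG tree above only describe: it re-runs the SSH host-key algorithm selection (RFC 4253 section 7.1, first algorithm in the client's list that the server also offers) on the two name-lists libssh printed, showing why paramiko 2.6 and the default server end with no match, and it emits the ietf-netconf-server XML fragment that pins host-key-alg for one SSH endpoint. Assumptions: the endpoint is named "default-ssh", the fragment is merged into an existing configuration (tcp-server-parameters, server-identity and the other mandatory nodes are omitted), and the namespace URIs and identity names are those of the published ietf-netconf-server and iana-ssh-public-key-algs modules; verify them against your installed modules with yanglint before merging. Offering ssh-rsa re-enables SHA-1 signatures with the RSA host key, so the client-side fix (paramiko 2.9 and later negotiate rsa-sha2-256/512) is preferable where you control the client.

```python
"""Host-key algorithm negotiation and the ietf-netconf-server fix.

Added example for this thread, not code from netopeer2, libnetconf2 or libssh.
The endpoint name "default-ssh" is an assumption; the namespace URIs are those
of the published IETF/IANA modules.
"""
import re
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

# libssh log line copied from the netopeer2-server output in the issue.
LOG_LINE = (
    "ssh_kex_select_methods: kex error : no match for method server host key algo: "
    "server [rsa-sha2-512,rsa-sha2-256], "
    "client [ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,"
    "ecdsa-sha2-nistp521,ssh-rsa,ssh-dss]"
)

NS_NCS = "urn:ietf:params:xml:ns:yang:ietf-netconf-server"
NS_SSHPKA = "urn:ietf:params:xml:ns:yang:iana-ssh-public-key-algs"

_KEX_RE = re.compile(r"server \[([^\]]*)\], client \[([^\]]*)\]")


def parse_kex_error(line):
    """Extract the two name-lists libssh prints when KEX negotiation fails."""
    m = _KEX_RE.search(line)
    if m is None:
        raise ValueError("not a libssh 'no match for method' line")
    return m.group(1).split(","), m.group(2).split(",")


def negotiate_host_key_alg(server_algs, client_algs):
    """RFC 4253 section 7.1: pick the first algorithm in the client's list
    that the server also supports; None means the connection is torn down."""
    supported = set(server_algs)
    for alg in client_algs:
        if alg in supported:
            return alg
    return None


def host_key_alg_config(endpoint_name, algs):
    """Return an ietf-netconf-server fragment pinning host-key-alg for one
    SSH endpoint.  Meant to be merged into an existing configuration, so
    tcp-server-parameters, server-identity etc. are left out.  Leaf values are
    identityrefs into iana-ssh-public-key-algs, hence the sshpka: prefix."""
    leaves = "\n".join(
        f"                <host-key-alg>sshpka:{escape(a)}</host-key-alg>" for a in algs
    )
    return f"""<netconf-server xmlns="{NS_NCS}" xmlns:sshpka="{NS_SSHPKA}">
  <listen>
    <endpoints>
      <endpoint>
        <name>{escape(endpoint_name)}</name>
        <ssh>
          <ssh-server-parameters>
            <transport-params>
              <host-key>
{leaves}
              </host-key>
            </transport-params>
          </ssh-server-parameters>
        </ssh>
      </endpoint>
    </endpoints>
  </listen>
</netconf-server>
"""


def configured_host_key_algs(xml_text):
    """Parse a fragment back and return the host-key-alg values in order,
    with the identity prefix stripped (well-formedness check for the above)."""
    root = ET.fromstring(xml_text)
    return [leaf.text.split(":", 1)[-1]
            for leaf in root.iter(f"{{{NS_NCS}}}host-key-alg")]


if __name__ == "__main__":
    server, client = parse_kex_error(LOG_LINE)
    print("default server vs paramiko 2.6:", negotiate_host_key_alg(server, client))
    # Server-side option from the thread: also offer ssh-rsa.  The old client
    # then negotiates ssh-rsa (SHA-1 signatures), which is why upgrading the
    # client (paramiko >= 2.9 knows rsa-sha2-*) is the better fix.
    widened = ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"]
    print("widened server vs paramiko 2.6:", negotiate_host_key_alg(widened, client))
    print(host_key_alg_config("default-ssh", widened))
```

Running the script shows None for the lists from the log, ssh-rsa once the server list is widened, and the XML fragment to merge into ietf-netconf-server-startup.xml. A modern client that advertises rsa-sha2-512 gets that algorithm against the unchanged server, which is the outcome the paramiko upgrade later in the thread reports.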


Thank you for your reply. Following your suggestion, I modified ietf-netconf-server-startup.xml to explicitly set the supported host key algorithms (ssh-rsa, rsa-sha2-256, rsa-sha2-512). Now the old netconf-console2 or netconf-console may work.

But I still have two questions:

  1. Why are only 2 algorithms enabled in the new netopeer2 (v2.2.8) when "host-key-alg" was NOT set in ietf-netconf-server-startup.xml?
  2. Which option in /etc/ssh/sshd_config (OpenSSL v3.1.5) of the netopeer2-server OS would affect the algorithms?
    I use NETCONF over SSH (libssh); this should NOT be related to /etc/ssh/sshd_config.

guangjung avatar Feb 21 '25 11:02 guangjung

Hi, I believe that if you do not set host-key-alg, then libssh reads the default configuration from your sshd_config, so that's why this might be. Try man sshd_config; the option you're looking for is HostKeyAlgorithms. You may find the system-wide configuration in /etc/ssh/sshd_config or /usr/etc/ssh/sshd_config, depending on your system. Also do not edit this config file directly, read the comments in the file.

Roytak avatar Feb 21 '25 11:02 Roytak

Hi, the following file is the sshd_config file I use. HostKeyAlgorithms does NOT exist in the file. I guess that libssh used the default host key algorithms (only [rsa-sha2-512,rsa-sha2-256]) when libssh did NOT find HostKeyAlgorithms.

Which function in libssh parses it from sshd_config?

sshd_config.txt

guangjung avatar Feb 25 '25 01:02 guangjung

Which function in libssh parses it from sshd_config?

We have already given you advice not directly connected to netopeer2. You must ask the maintainers of libssh for help with their library.

michalvasko avatar Feb 25 '25 07:02 michalvasko


OK, thanks. I will continue to conduct in-depth research in the future.

guangjung avatar Feb 27 '25 01:02 guangjung