
The server logs this:

2021-12-07 21:57:29.889029102  Server listening on 0.0.0.0 port 2222.
2021-12-07 21:57:29.889033114  Server listening on :: port 2222.
2021-12-07 21:57:30.635958078  Connection from 172.17.0.1 port 56406 on 172.17.0.3 port 2222 rdomain ""
2021-12-07 21:57:30.636572922  kex_exchange_identification: Connection closed by remote host
2021-12-07 21:57:30.637124145  Connection closed by 172.17.0.1 port 56406
2021-12-07 21:57:30.653516584  Connection from 172.17.0.1 port 56408 on 172.17.0.3 port 2222 rdomain ""
2021-12-07 21:57:30.656432406  Unable to negotiate with 172.17.0.1 port 56408: no matching host key type found. Their offer: ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521 [preauth]

This shows that the client offers ecdsa-sha2-nistp384.

The server configuration is as follows:

> cat /etc/ssh/sshd_config | grep -v "#" | grep -v -e '^$'
AuthorizedKeysFile  .ssh/authorized_keys
PasswordAuthentication yes
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
PidFile /config/sshd.pid
Subsystem   sftp    /usr/lib/ssh/sftp-server -u 022
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
HostKeyAlgorithms ecdsa-sha2-nistp384
KexAlgorithms diffie-hellman-group-exchange-sha1
MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1
LogLevel VERBOSE

This shows that HostKeyAlgorithms ecdsa-sha2-nistp384 is enabled on the server. Why can't they perform the handshake?

conorgriffin
  • On the server, does `/etc/ssh/ssh_host_ecdsa_key` exist? Is it 384 bits (`ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key`)? Is it not group/world-accessible (`ls -l /etc/ssh/ssh_host_ecdsa_key`)? – Mark Wagner Dec 08 '21 at 00:30
  • You might also want to try adding some verbosity on the client side to see the actual details of what's going on. For example: `sftp -vvv your-regular-options . . .`. The more 'v's you add the more detail you get - although in my experience more than 2 or 3 is overkill. – Brandon Xavier Dec 08 '21 at 07:51
  • @MarkWagner you're right, the key is only 256 bits. So if I want this server to support 256/384/521 bit keys, do I need three separate keys to exist in the `/etc/ssh` directory? Is there a naming convention I need to follow? – conorgriffin Dec 08 '21 at 09:00
  • `/etc/ssh/ssh_host_ecdsa_key`, `/etc/ssh/ssh_host_ed25519_key` and `/etc/ssh/ssh_host_rsa_key` are the default names, but you can call keys whatever you want and add them to the `sshd_config` file using `HostKey blah`. – Mark Wagner Dec 08 '21 at 19:13
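The diagnosis reached in the comments (a `HostKeyAlgorithms` restriction that no installed host key can satisfy, so sshd has nothing to offer even though the client lists `ecdsa-sha2-nistp384`) can be checked mechanically. The following is an added example, not code from the question or the comments; it assumes the `sshd_config` shown above, a constructed `ssh-keygen -l` line for a 256-bit ECDSA host key (placeholder fingerprint), and the server's "Unable to negotiate" log line:

```python
import re

# Map what `ssh-keygen -l -f <hostkey>` reports (bits, key type) to the
# host-key algorithm names sshd can offer when that key is loaded.
def algorithms_for_key(bits, key_type):
    if key_type == "ECDSA":
        return {f"ecdsa-sha2-nistp{bits}"}   # the curve is tied to the key size
    if key_type == "RSA":
        return {"ssh-rsa", "rsa-sha2-256", "rsa-sha2-512"}
    if key_type == "ED25519":
        return {"ssh-ed25519"}
    if key_type == "DSA":
        return {"ssh-dss"}
    return set()

def parse_keygen_line(line):
    """Parse one `ssh-keygen -l` line: '<bits> <fingerprint> <comment> (<TYPE>)'."""
    m = re.match(r"(\d+)\s+\S+.*\((\w+)\)\s*$", line)
    return int(m.group(1)), m.group(2)

def configured_algorithms(sshd_config):
    """HostKeyAlgorithms list from sshd_config, or None when not restricted."""
    for line in sshd_config.splitlines():
        parts = line.split()
        if parts and parts[0].lower() == "hostkeyalgorithms":
            return parts[1].split(",")
    return None

def usable_algorithms(sshd_config, keygen_lines):
    """Algorithms sshd can really offer: configured AND backed by a host key."""
    backed = set()
    for line in keygen_lines:
        backed |= algorithms_for_key(*parse_keygen_line(line))
    configured = configured_algorithms(sshd_config)
    return sorted(backed) if configured is None else [a for a in configured if a in backed]

def negotiable(sshd_config, keygen_lines, log_line):
    """Client-offered algorithms the server can satisfy; empty means the error above."""
    m = re.search(r"Their offer: (\S+)", log_line)
    offer = m.group(1).split(",") if m else []
    usable = usable_algorithms(sshd_config, keygen_lines)
    return [a for a in offer if a in usable]

# Constructed sample inputs: the relevant sshd_config lines from the question, what
# `ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key` prints for a 256-bit key
# (fingerprint is a placeholder), and the server's "Unable to negotiate" log line.
SSHD_CONFIG = "HostKeyAlgorithms ecdsa-sha2-nistp384\nKexAlgorithms diffie-hellman-group-exchange-sha1\n"
KEYGEN_OUTPUT = ["256 SHA256:PLACEHOLDER_FINGERPRINT root@server (ECDSA)"]
LOG_LINE = ("Unable to negotiate with 172.17.0.1 port 56408: no matching host key type found. "
            "Their offer: ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,"
            "ecdsa-sha2-nistp384,ecdsa-sha2-nistp521 [preauth]")
```

With the 256-bit key, `usable_algorithms` returns an empty list, which is exactly the server's situation; generating a 384-bit ECDSA key (or dropping the `HostKeyAlgorithms` restriction) makes the intersection non-empty.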
