ssh connect to server stop on "SSH2_MSG_KEXINIT sent"

Bug #1971158 reported by aruslan
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| openssh (Ubuntu) | Won't Fix | Undecided | Unassigned | |

Bug Description

After upgrading to Ubuntu 22.04 I can't connect to several servers. The connection stops at "SSH2_MSG_KEXINIT sent":
```
 ssh -vvv -o KexAlgorithms=diffie-hellman-group-exchange-sha256 -oHostKeyAlgorithms=+ssh-rsa -X vld@sansa
OpenSSH_8.9p1 Ubuntu-3, OpenSSL 3.0.2 15 Mar 2022
debug1: Reading configuration data /home/ruslan/.ssh/config
debug3: kex names ok: [diffie-hellman-group1-sha1]
debug3: kex names ok: [diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1]
debug3: kex names ok: [diffie-hellman-group1-sha1]
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/ruslan/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/ruslan/.ssh/known_hosts2'
debug2: resolving "sansa" port 22
debug3: resolve_host: lookup sansa:22
debug3: ssh_connect_direct: entering
debug1: Connecting to sansa [172.16.xx.xx] port 22.
debug3: set_sock_tos: set socket 3 IP_TOS 0x10
debug1: Connection established.
debug1: identity file /home/ruslan/.ssh/id_rsa type -1
debug1: identity file /home/ruslan/.ssh/id_rsa-cert type -1
debug1: identity file /home/ruslan/.ssh/id_ecdsa type -1
debug1: identity file /home/ruslan/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/ruslan/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/ruslan/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/ruslan/.ssh/id_ed25519 type -1
debug1: identity file /home/ruslan/.ssh/id_ed25519-cert type -1
debug1: identity file /home/ruslan/.ssh/id_ed25519_sk type -1
debug1: identity file /home/ruslan/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/ruslan/.ssh/id_xmss type -1
debug1: identity file /home/ruslan/.ssh/id_xmss-cert type -1
debug1: identity file /home/ruslan/.ssh/id_dsa type -1
debug1: identity file /home/ruslan/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: compat_banner: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000002
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to sansa:22 as 'vld'
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug3: order_hostkeyalgs: no algorithms matched; accept original
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent

```
I checked the connection from an older version, Ubuntu 20.04, and it works. The remote server uses
KexAlgorithms=diffie-hellman-group-exchange-sha256 and HostKeyAlgorithms=ssh-rsa

On Ubuntu 21.04 ssh worked.

Tags: ssh-client
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openssh (Ubuntu):
status: New → Confirmed
Brian Murray (brian-murray) wrote :

This is documented in the release note for Jammy Jellyfish (https://discourse.ubuntu.com/t/jammy-jellyfish-release-notes/24668):

ssh-rsa is now disabled by default in OpenSSH 237.

The release notes also contain a link to a way to continue connecting to servers configured with ssh-rsa.

Changed in openssh (Ubuntu):
status: Confirmed → Won't Fix
aruslan (taomao) wrote :

Could the problem be something else? Adding the old algorithm to the configuration did not help me.

Example in config:
```
Host old-host
    HostkeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa
```

And a try with CLI options:
```
ssh -vvv -X -oPubkeyAcceptedAlgorithms=+ssh-rsa -oHostkeyAlgorithms=+ssh-rsa dual
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug3: order_hostkeyalgs: no algorithms matched; accept original
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
```
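
A handshake that stops after the client's KEXINIT and a rejected algorithm leave different traces in `ssh -v` output, because the client only compares algorithm lists once the server's KEXINIT has arrived. The following is an added example, not part of the original report: `classify_handshake` is a hypothetical helper, and both sample logs are constructed (the first from the lines quoted above, the second using the documentation address 192.0.2.10).

```python
import re

# Constructed sample: tail of the `ssh -vvv` output quoted in this report.
STALLED_LOG = """\
debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug3: order_hostkeyalgs: no algorithms matched; accept original
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
"""

# Constructed sample: a client that did receive the server's KEXINIT and
# then rejected its host key algorithms.
MISMATCH_LOG = """\
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
Unable to negotiate with 192.0.2.10 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
"""

NEGOTIATION_ERROR = re.compile(
    r"Unable to negotiate with .*?: no matching (.+?) found\. Their offer: (\S+)"
)

def classify_handshake(log: str) -> dict:
    """Report how far key exchange got in captured `ssh -v` output."""
    remote = re.search(r"remote software version (\S+)", log)
    sent = "SSH2_MSG_KEXINIT sent" in log
    received = "SSH2_MSG_KEXINIT received" in log
    failure = NEGOTIATION_ERROR.search(log)
    if failure:
        stage = "negotiation_failed"           # algorithm lists did not overlap
    elif sent and not received:
        stage = "stalled_before_peer_kexinit"  # still waiting for the server's KEXINIT
    elif received:
        stage = "kexinit_exchanged"
    else:
        stage = "before_kex"
    return {
        "remote_version": remote.group(1) if remote else None,
        "stage": stage,
        "mismatch": failure.group(1) if failure else None,
        "server_offer": failure.group(2).split(",") if failure else [],
    }
```
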

Gerald Skead (skeadster) wrote :

Confirmed adding entry to .ssh/config solved it for me.

My example for each old host:

```
Host x.x.x.x
    HostkeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa
```
