Subject: RE: Unable to exchange encryption keys

RE: Unable to exchange encryption keys

From: Oliver Nelson <oliver_at_ootbc.com>
Date: Tue, 29 Dec 2009 22:40:43 -0800

I've done some more work on this problem. Using the released version of 1.2.2 now. I haven't been able to get libssh2 debug mode to work for some odd reason (my fault no doubt), but I did get some debug output from my openssh server which all looked fine. Upon further investigation, I can see that in the session object, the SHA1 and MD5 hash of the encryption key is shown correctly (based on looking at the fingerprint from another client connecting to the same host). This seems to indicate that the key exchange is working, but libssh2_session_hostkey returns an empty string. I get this behaviour on any host I connect to. My test code looks like this:

        int iretval;
        unsigned long mode = 1;
        int last_socket_err = 0;
        int other_port = 0;
        fd_set read_set, write_set;
        char *ssh_addr;
        size_t len;
        int type;
        addrinfo * result = NULL;
        addrinfo hints;
        DWORD retval;

        ZeroMemory(&hints, sizeof(hints));
        hints.ai_family = AF_INET;
        hints.ai_socktype = SOCK_STREAM;
        hints.ai_protocol = IPPROTO_TCP;

        retval = getaddrinfo("173.12.216.189", "222",&hints,&result);

        SOCKET sshsock = socket(AF_INET, SOCK_STREAM, 0);
        iretval = connect(sshsock, result->ai_addr, result->ai_addrlen);

        LIBSSH2_SESSION * session = NULL;
        session = libssh2_session_init();
        
        iretval = libssh2_session_startup(session, sshsock);
        if (iretval)
                ::PostQuitMessage(0);
        
        LIBSSH2_KNOWNHOSTS * hosts;
        hosts = libssh2_knownhost_init(session);

        const char* fingerprint = libssh2_session_hostkey(session,&len,&type);

Now, I could use libssh2_hostkey_hash (which returns a correct fingerprint) and do the check myself, but I think I'm supposed to call libssh2_knownhost_check which seems to want the whole key, not just the fingerprint of the key. Is there something wrong with my code here?

NOTE: You can test against this host if you like (no need to authenticate as the problem is pre-authentication), it has ssh running on port 222 rather than 22.

OLIVER

-----

I'm connecting to an OpenSSH server (banner is SSH-2.0-OpenSSH_5.1p1
Debian-5ubuntu1). I get this error after calling
libssh2_session_startup. I can skip the host key verification and just
go ahead with the session just fine. Everything works just fine from
then on. Any clues what might be causing this? I'm using ver
1.2.2-20091022 of the libssh2 package. Anyone have any ideas what could
be wrong?

OLIVER

_______________________________________________
libssh2-devel http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
Received on 2009-12-30