On Tue, Jul 14, 2020 at 6:43 AM Abhijeet Jha <[email protected]>
wrote:

> Hi Nick,
>
> Sorry for providing incorrect information, the customer device is
> configured to use the following Kex algorithm and not "KexAlgorithms
> diffie-hellman-group16-sha512".
>
>    - diffie-hellman-group-exchange-sha1
>    - diffie-hellman-group14-sha1
>    - diffie-hellman-group1-sha1
>
>    Ciphers: aes256-cbc
>    MAC: hmac-sha1
>
>    I have sorted out the attached debug logs from the production server,
>    and they will be easy for you to look at.
>
>    We performed some testing with a customer device by using ssh client
>    JSCH.4.0.0 which worked fine but the ssh connection did not work with
>    guacamole 1.0.0.
>
>
The support for SSH and algorithms has nothing to do with Java or any
ability for a Java-based SSH client to connect.  The functionality is
provided by guacd, which leverages the libssh2 library for SSH support.
Thus, the key algorithms must be supported by libssh2.  If you look at
their web page (libssh2.org), you'll see the list of key exchange
algorithms supported by the current version of the library:

* Key Exchange Methods: diffie-hellman-group1-sha1,
diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1,
diffie-hellman-group-exchange-sha256

Please note that this is what is supported in the *current* version - if
you're having trouble connecting with one of the above algorithms, then you
should upgrade libssh2 to the latest release and try again.  Note that
this may well be the case for the Ciphers and MAC, as well - it's possible
that one or more of those has been added in a recent version of libssh2,
and if you're using something older you may not have that support.

If you're having trouble connecting to any SSH connection, you need to make
sure that guacd was built with SSH support.

>
>    - We upgraded guacamole from 0.9.3 to 1.0.0 in May 2019 and customer
>    reported that ssh to their Cisco devices stopped working which was
>    working till the time they reported the problem to us.
>

I'm not familiar with version history going back that far, but it's quite
possible that 0.9.3 was prior to the move from libssh to libssh2, and that
libssh had supported those algorithms and libssh2 did not.  It's also
possible that the build does not include SSH support because one or more of
the dependencies is missing when guacd was built.

So, start by verifying that guacd does include SSH support (you can connect
to at least one SSH server successfully), then move on to attempting to
upgrade libssh2 to the latest, and rebuild guacd against that.

-Nick
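
An added example, not part of the original thread and not guacd or libssh2 code: a simplified model of the RFC 4253 algorithm selection that decides whether the device above and a given client list can agree. The device lists and the libssh2 KEX list are taken from the messages above; the client cipher and MAC lists and the `CONSTRUCTED_MISMATCH` client are assumptions made for illustration.

```python
"""Simplified SSH algorithm negotiation check (RFC 4253, section 7.1)."""

# Server side: what the customer device in this thread is configured to offer.
DEVICE = {
    "kex": ["diffie-hellman-group-exchange-sha1",
            "diffie-hellman-group14-sha1",
            "diffie-hellman-group1-sha1"],
    "cipher": ["aes256-cbc"],
    "mac": ["hmac-sha1"],
}

# Client side: KEX list in the order quoted from libssh2.org in the reply,
# which is not necessarily the preference order libssh2 sends on the wire.
# Cipher and MAC entries are assumptions; substitute what your build offers.
LIBSSH2_CURRENT = {
    "kex": ["diffie-hellman-group1-sha1",
            "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1",
            "diffie-hellman-group-exchange-sha256"],
    "cipher": ["aes256-cbc"],  # assumption
    "mac": ["hmac-sha1"],      # assumption
}

# Constructed client (not a real libssh2 version) showing the failure case.
CONSTRUCTED_MISMATCH = {
    "kex": ["diffie-hellman-group-exchange-sha256"],
    "cipher": ["aes256-ctr"],
    "mac": ["hmac-sha1"],
}


def negotiate(client, server):
    """Return ({category: chosen algorithm}, [categories with no overlap])."""
    chosen, failed = {}, []
    for category, offered in client.items():
        accepted = set(server.get(category, []))
        # The first algorithm on the client's list that the server also lists
        # wins. Simplification: the extra host-key compatibility condition
        # RFC 4253 attaches to KEX selection is ignored here.
        match = next((alg for alg in offered if alg in accepted), None)
        if match is None:
            failed.append(category)
        else:
            chosen[category] = match
    return chosen, failed


if __name__ == "__main__":
    for name, client in (("current", LIBSSH2_CURRENT),
                         ("mismatch", CONSTRUCTED_MISMATCH)):
        print(name, *negotiate(client, DEVICE))
```

Any category reported in the second return value has no algorithm in common, which is the condition under which the connection cannot be established.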
