SSH: Couldn't agree a key algorithm (available: curve25519-sha256@libssh.org)
-
Hi Guys,
I've had a quick search on the forums but can't find anyone else having this issue and thought making a post would help other users if they are searching here/google etc.
Basically I installed a fresh version of 2.3.1, checked for updates and updated the system. Now for some reason I am getting the following error when trying to connect via putty:
Couldn't agree a key algorithm (available: curve25519-sha256@libssh.org)
I don't even get to the username/password prompt. Not sure if this is an issue my side but SSH worked fine before. Does anyone know how to fix it?
-
update putty
-
FYI- We disabled some older, weaker, ssh key exchange algorithms. It won't be uncommon to find some older programs that use ssh directly or via things like libssh, that will need to be updated.
-
Yeah, the issue I am having is with SecureCRT. You would think they would have enabled chacha20, but not yet. They just recently added ed25519.
But the dev version of putty has had both for quite some time.
-
Works for me 2!
Thanks…
-
FYI- I added details about the SSH daemon changes here: https://doc.pfsense.org/index.php/2.3.2_New_Features_and_Changes#SSH_Daemon
-
Same problem here, the latest version of WS_FTP doesn't support pfSense SSH anymore. I asked IPSwitch (the makers of WS_FTP) for support.
-
I just bumped into this earlier today too. My putty was from 2013 and an update fixed it no problem. Then I come here and someone else has the same issue.
-
It really is sad the old stuff some of these major applications are using. The one that really ticks me off is freaking cisco!! Even to their security devices they do not support the current best practice for kex and ciphers..
I think players like pfsense and even stuff like filezilla not connecting to antiquated stuff will hope to push the major players to get with the times.
-
I hope so. I nudged Vandyke about getting the stronger kex/mac/ciphers we have in their list. It connects fine if you have a current version of SecureCRT but there is room for improvement. It is still missing chacha20-poly1305, AES256-GCM, and curve25519-sha256
-
Yeah I did the same thing with vandyke, they added ed25519 I believe in 8.01 or 02 but yeah still missing for sure chacha20
Maybe .03 is out?? Off to check.. You would think such a company whose bread and butter is ssh client and server even would be up to speed..
-
I need to test it some more but I also had an issue with keyboard-interactive on the latest SecureCRT against pfSense 2.3.2 that I need to e-mail them about. Key auth works, and plain password (ew), but not keyboard-interactive.
-
FYI
https://lists.freebsd.org/pipermail/freebsd-announce/2016-August/001737.html
FreeBSD 11 is dropping support for OpenSSH DSA keys.
-
^ nice info Harvy66, I would prob not have noticed that info, I don't subscribe to that list - prob should ;) Nice to hear though.. I would assume pfsense will follow suit, maybe beat them to the punch ;)
-
We stopped generating them some time ago, and on 2.3.2 they are not used even if present.
-
Putty 0.67 compiled on Debian Jessie 8.4 x64, will work on all Debian based variants, ie: Ubuntu, etc.
For Windows just download from Putty's website. Will solve the issue "SSH: Couldn't agree a key algorithm (available: curve25519-sha256@libssh.org)"
http://www.legionit.net/downloads/putty_0.67-1_amd64.deb.tar.gz
Will compile FileZilla if any one needs it?
![Putty to pFsense - Couldnt agree on Key Exchange Algorith.png](/public/imported_attachments/1/Putty to pFsense - Couldnt agree on Key Exchange Algorith.png)
-
When it comes to security packages such as ssh clients, please only download them from official sources, check the hashes and signatures if possible. Don't download builds from random sources.
-
Not having to compile in the first place would have been nice, however not offered on Putty's site and Git Hub is 0.63
However the Admin: jimp is right
MD5: be9fabbd1fd58e2b5dc4ff022400eadf
SHA1: b8e4b18743ed294d08220bbbb0b48105f0734850
SHA256: ec4092dc30c86679013e9e86ce949653a283e1000ab488bb40523b968970a850
-
No matter which version of putty I used it didn't work for me. Strangely, the same versions of putty work on my other pfsense box. I don't understand why. I tried clearing out the reg files but still no go. What DID work for me was using the BITVISE ssh client; this worked without issues.