Netgate Discussion Forum

    SSH: Couldn't agree a key algorithm (available: curve25519-sha256@libssh.org)

      jimp Rebel Alliance Developer Netgate

      FYI- We disabled some older, weaker, ssh key exchange algorithms. It won't be uncommon to find some older programs that use ssh directly or via things like libssh, that will need to be updated.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!
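
The failure in the thread title follows from how SSH picks a key exchange method: each side sends its list in SSH_MSG_KEXINIT and the first client preference that the server also offers wins. The sketch below is an added example, not part of the thread and not pfSense or PuTTY code; it parses a KEXINIT payload and reproduces the mismatch. The server list is taken from the error message in the title, and the client lists and the host-key list are constructed sample data.

```python
import struct

FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def name_list(buf, off):
    """Read one RFC 4251 name-list: uint32 length, then comma-separated ASCII."""
    (n,) = struct.unpack_from(">I", buf, off)
    raw = buf[off + 4:off + 4 + n]
    if len(raw) != n:
        raise ValueError("truncated name-list")
    return (raw.decode("ascii").split(",") if n else []), off + 4 + n

def parse_kexinit(payload):
    """Parse an SSH_MSG_KEXINIT payload (RFC 4253, section 7.1) into a dict."""
    if not payload or payload[0] != 20:      # 20 = SSH_MSG_KEXINIT
        raise ValueError("not a KEXINIT message")
    off, out = 17, {}                        # skip type byte and 16-byte cookie
    for field in FIELDS:
        out[field], off = name_list(payload, off)
    return out

def build_kexinit(lists):
    """Build a KEXINIT payload for the demo (zero cookie, no guessed packet)."""
    body = b"".join(struct.pack(">I", len(s)) + s for s in
                    (",".join(lists.get(f, [])).encode("ascii") for f in FIELDS))
    return bytes([20]) + bytes(16) + body + b"\x00" + bytes(4)

def negotiate(client, server):
    """Simplified RFC 4253 rule: first client preference the server also offers."""
    return next((alg for alg in client if alg in server), None)

def explain(client_kex, server_payload):
    """Return the agreed kex algorithm, or a PuTTY-style failure message."""
    server_kex = parse_kexinit(server_payload)["kex"]
    chosen = negotiate(client_kex, server_kex)
    if chosen is None:
        return "Couldn't agree a key algorithm (available: %s)" % ",".join(server_kex)
    return chosen

# Constructed sample data, not captured from a real pfSense host or client.
SERVER = build_kexinit({"kex": ["curve25519-sha256@libssh.org"],
                        "host_key": ["ssh-ed25519", "ssh-rsa"]})
OLD_CLIENT_KEX = ["diffie-hellman-group-exchange-sha1",
                  "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"]
NEW_CLIENT_KEX = ["curve25519-sha256@libssh.org"] + OLD_CLIENT_KEX

if __name__ == "__main__":
    print(explain(OLD_CLIENT_KEX, SERVER))
    print(explain(NEW_CLIENT_KEX, SERVER))
```

The full RFC 4253 rule also requires the chosen method to be compatible with an available host key type; that condition is left out here.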

        johnpoz LAYER 8 Global Moderator

        yeah the issue I am having is with securecrt, you would think they would have enabled chacha20 but not yet.. they just recently added ed25519..

        But the dev version of putty has had both for quite some time.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          silenceti

          Works for me 2!

          Thanks…

            jimp Rebel Alliance Developer Netgate

            FYI- I added details about the SSH daemon changes here: https://doc.pfsense.org/index.php/2.3.2_New_Features_and_Changes#SSH_Daemon

              mdima

              Same problem here, the latest version of WS_FTP doesn't support pfSense SSH anymore. I asked IPSwitch (the makers of WS_FTP) for support.

                KOM

                I just bumped into this earlier today too.  My putty was from 2013 and an update fixed it no problem.  Then I come here and someone else has the same issue.

                  johnpoz LAYER 8 Global Moderator

                  It really is sad the old stuff some of these major applications are using. The one that really ticks me off is freaking cisco!!  Even to their security devices they do not support the current best practice for kex and ciphers..

                  I think players like pfsense and even stuff like filezilla not connecting to antiquated stuff will hope to push the major players to get with the times.

                    jimp Rebel Alliance Developer Netgate

                    I hope so. I nudged Vandyke about getting the stronger kex/mac/ciphers we have in their list. It connects fine if you have a current version of SecureCRT but there is room for improvement. It is still missing chacha20-poly1305, AES256-GCM, and curve25519-sha256

                      johnpoz LAYER 8 Global Moderator

                      Yeah I did the same thing with vandyke, they added ed25519 I believe in 8.01 or 02 but yeah still missing for sure chacha20

                      Maybe .03 is out??  Off to check..  You would think such a company whose bread and butter is ssh client and server even would be up to speed..

                        jimp Rebel Alliance Developer Netgate

                        I need to test it some more but I also had an issue with keyboard-interactive on the latest SecureCRT against pfSense 2.3.2 that I need to e-mail them about. Key auth works, and plain password (ew), but not keyboard-interactive.

                          Harvy66

                          FYI

                          https://lists.freebsd.org/pipermail/freebsd-announce/2016-August/001737.html

                          FreeBSD 11 is dropping support for OpenSSH DSA keys.

                            johnpoz LAYER 8 Global Moderator

                            ^ nice info Harvy66, I would prob not have noticed that info, I don't subscribe to that list - prob should ;)  Nice to hear though.. I would assume pfsense will follow suit, maybe beat them to the punch ;)

                              jimp Rebel Alliance Developer Netgate

                              We stopped generating them some time ago, and on 2.3.2 they are not used even if present.

                                RabidWolf9

                                Putty 0.67 compiled on Debian Jessie 8.4 x64, will work on all Debian based variants, ie: Ubuntu, etc.
                                For Windows just download from Putty's website.

                                Will solve the issue "SSH: Couldn't agree a key algorithm (available: curve25519-sha256@libssh.org)"

                                http://www.legionit.net/downloads/putty_0.67-1_amd64.deb.tar.gz

                                Will compile FileZilla if anyone needs it?

                                ![Putty to pFsense - Couldnt agree on Key Exchange Algorith.png](/public/imported_attachments/1/Putty to pFsense - Couldnt agree on Key Exchange Algorith.png)

                                  jimp Rebel Alliance Developer Netgate

                                  When it comes to security packages such as ssh clients, please only download them from official sources, check the hashes and signatures if possible. Don't download builds from random sources.

                                    RabidWolf9

                                    Not having to compile in the first place would have been nice, however it is not offered on Putty's site and GitHub is 0.63.

                                    However the Admin: jimp is right

                                    MD5:  be9fabbd1fd58e2b5dc4ff022400eadf

                                    SHA1: b8e4b18743ed294d08220bbbb0b48105f0734850

                                    SHA256: ec4092dc30c86679013e9e86ce949653a283e1000ab488bb40523b968970a850

                                      nambi

                                      No matter which version of putty I used it didn't work for me, strangely the same versions of putty work on my other pfsense box.  I don't understand why? I tried clearing out the reg files but still no go, what DID work for me was using BITVISE ssh client. This worked without issues.

                                        jimp Rebel Alliance Developer Netgate

                                        I have yet to see a case where updating PuTTY didn't work. Perhaps you are still running an old putty somehow (wrong shortcut/link, for example).

                                          chrcoluk

                                          @johnpoz:

                                          yeah the issue I am having is with securecrt, you would think they would have enabled chacha20 but not yet.. they just recently added ed25519..

                                          But the dev version of putty has had both for quite some time.

                                          That product director has driven me up the wall, her name is Maureen I think.

                                          About a year or so ago I requested what I consider easy to adopt changes.

                                          Support for chacha20
                                          Support for gcm ciphers

                                          To this day still no support.

                                          Yet they have managed to do updates that affect the GUI design and some other stuff.

                                          Seems their priority is making the program look pretty but not security enhancements.

                                          https://forums.vandyke.com/showthread.php?t=12209
                                          https://www.vandyke.com/products/securecrt/history.txt
                                          https://s2-forums.vandyke.com/showthread.php?p=46666

                                          very frustrating.

                                          pfSense CE 2.8.0

                                            johnpoz LAYER 8 Global Moderator

                                            Yeah you're right her name is Maureen from the thread.. Her last excuse

                                            We have a fairly small development team and it can be a challenge to balance implementing new features, fixing bugs, and making sure our applications run on the latest version of the supported platforms.

                                            My answer to that was putty has 1 guy coding ;)  And it has had support pretty much since it's been available ;)

                                            I told her their product is dead to me.. It's completely useless if it's not going to support modern ciphers and algos.. The closest they have come is back in Jan of 2016 they added ECDSA and Ed25519 keys

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.