SSH: Couldn't agree a key algorithm (available: curve25519-sha256@libssh.org)

jimp

I hope so. I nudged Vandyke about getting the stronger kex/mac/ciphers we have in their list. It connects fine if you have a current version of SecureCRT but there is room for improvement. It is still missing chacha20-poly1305, AES256-GCM, and curve25519-sha256

johnpoz

Yeah I did the same thing with vandyke, they added ed25519 I believe in 8.01 or 02 but yeah still missing for sure chacha20

Maybe .03 is out??  Off to check..  You would think such a company who's bread and butter is ssh client and server even would be up to speed..

jimp

I need to test it some more but I also had an issue with keyboard-interactive on the latest SecureCRT against pfSense 2.3.2 that I need to e-mail them about. Key auth works, and plain password (ew), but not keyboard-interactive.

Harvy66

FYI

https://lists.freebsd.org/pipermail/freebsd-announce/2016-August/001737.html

FreeBSD 11 is dropping support for OpenSSH DSA keys.

johnpoz

^ nice info Harvy66, I would of prob not have noticed that info I don't subscribe to that list - prob should ;)  Nice to hear though.. I would assume pfsense will follow suite, maybe beat them to the punch ;)

jimp

We stopped generating them some time ago, and on 2.3.2 they are not used even if present.

RabidWolf9

Putty 0.67 compiled on Debian Jessie 8.4 x64, will work on all Debian based variants, ie: Ubuntu, etc.
For Windows just download from Putty's website.

Will solve the issue "SSH: Couldn't agree a key algorithm (available: curve25519-sha256@libssh.org)"

http://www.legionit.net/downloads/putty_0.67-1_amd64.deb.tar.gz

Will compile FileZilla if any one needs it?


jimp

When it comes to security packages such as ssh clients, please only download them from official sources, check the hashes and signatures if possible. Don't download builds from random sources.

RabidWolf9

Not having to compile in the first place would have been nice, however not offered on Putty's site and Git Hub is 0.63

However the Admin: jimp is right

MD5:  be9fabbd1fd58e2b5dc4ff022400eadf

SHA1: b8e4b18743ed294d08220bbbb0b48105f0734850

SHA256: ec4092dc30c86679013e9e86ce949653a283e1000ab488bb40523b968970a850

nambi

No matter which version of putty I used it didn't work for my, strangely the same versions of putty work on my other pfsense box.  I don't understand why? I tired clearing out he reg files but still no go, what DID work for me was using BITVISE ssh client. this worked without issues.

jimp

I have yet to see a case where updating PuTTY didn't work. Perhaps you are still running an old putty somehow (wrong shortcut/link, for example).

chrcoluk

@johnpoz:

yeah the issue I am having is with securecrt, you would think they would enabled chacha20 but not yet.. they just recently added ed25519..

But the dev version of putty has had both for quite some time.

That product director has driven me up the wall, her name maureen I think.

About a year or so ago I requested what I consider easy to adopt changes.

Support for chacha20
Support for gcm ciphers

To this day still no support.

Yet they have managed to do updates that affect the GUI design and some other stuff.

Seems their priority is making the program look pretty but not security enhancements.

https://forums.vandyke.com/showthread.php?t=12209
https://www.vandyke.com/products/securecrt/history.txt
https://s2-forums.vandyke.com/showthread.php?p=46666

very frustrating.

johnpoz

Yeah your right her name is Maureen from the thread.. Her last excuse

We have a fairly small develpment team and it can be a challenge to balance implementing new features, fixing bugs, and making sure our applications run on the latest version of the supported platforms.

My answer to that was putty has 1 guy coding ;)  And it has had support pretty much since its been available ;)

I told her their product is dead to me.. Its completely useless if its not going to support modern ciphers and algo's.. The closest they have come is back in Jan of 2016 they added ECDSA and Ed25519 keys

doktornotor

For putty, really use the daily builds ONLY. ECDSA and Ed25519 is there as well. The stable release is not usable.

johnpoz

Yeah I use the dev bulds.. But as of late I just use kitty which is a fork of putty that supports everything as of a few updates back.  Or I just use the windows build of openssh.. This is really the easiest way to know for sure your going to have full support of all the ciphers and algo's that openssh is using.

https://www.mls-software.com/opensshd.html

jimp

Good news, ChaCha20 is coming to SecureCRT

You previously requested support for the ChaCha20-Poly1305 cipher for SSH2
sessions.  This has been implemented in a pre-beta version of SecureCRT and SecureFX.

If you would be interested in trying it, please let me know which product(s) and
platform(s) you need.

Products:

SecureCRT
SecureCRT and SecureFX

Platforms:

Windows (64-bit)
Windows (32-bit)
Mac OS X (10.11 and later)
Linux (Ubuntu 16.x, 64-bit)
Linux (Ubuntu 16.x, 32-bit)
Linux (Ubuntu 14.x and 15.x, 64-bit)
Linux (Ubuntu 14.x and 15.x, 32-bit)
Linux (RHEL 7.0)

johnpoz

Yeah I just emailed her, says on my thread to contact her for access to the prebeta ;)

chrcoluk

yeah she emailed me about it some days back, no GCM still but at least CHACHA is something.

johnpoz

So got the new secure beta.. And finally

[LOCAL] : Available Remote Send Ciphers = chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
[LOCAL] : Selected Send Cipher = chacha20-poly1305@openssh.com
[LOCAL] : Available Remote Recv Ciphers = chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
[LOCAL] : Selected Recv Cipher = chacha20-poly1305@openssh.com

Now they just need to add GCM ;)

riahc3

@jimp:

FYI- We disabled some older, weaker, ssh key exchange algorithms. It won't be uncommon to find some older programs that use ssh directly or via things like libssh, that will need to be updated.

How do you reenable them?