• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

SSH: Couldn't agree a key algorithm (available: curve25519-sha256@libssh.org)

Scheduled Pinned Locked Moved Problems Installing or Upgrading pfSense Software
38 Posts 14 Posters 115.2k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • R
    RabidWolf9
    last edited by Aug 17, 2016, 11:15 PM

    Putty 0.67 compiled on Debian Jessie 8.4 x64, will work on all Debian based variants, ie: Ubuntu, etc.
    For Windows just download from Putty's website.

    Will solve the issue "SSH: Couldn't agree a key algorithm (available: curve25519-sha256@libssh.org)"

    http://www.legionit.net/downloads/putty_0.67-1_amd64.deb.tar.gz

    Will compile FileZilla if any one needs it?

    ![Putty to pFsense - Couldnt agree on Key Exchange Algorith.png](/public/imported_attachments/1/Putty to pFsense - Couldnt agree on Key Exchange Algorith.png)
    ![Putty to pFsense - Couldnt agree on Key Exchange Algorith.png_thumb](/public/imported_attachments/1/Putty to pFsense - Couldnt agree on Key Exchange Algorith.png_thumb)

    1 Reply Last reply Reply Quote 0
    • J
      jimp Rebel Alliance Developer Netgate
      last edited by Aug 17, 2016, 11:20 PM

      When it comes to security packages such as ssh clients, please only download them from official sources, check the hashes and signatures if possible. Don't download builds from random sources.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      1 Reply Last reply Reply Quote 0
      • R
        RabidWolf9
        last edited by Aug 17, 2016, 11:30 PM

        Not having to compile in the first place would have been nice, however not offered on Putty's site and Git Hub is 0.63

        However the Admin: jimp is right

        MD5:  be9fabbd1fd58e2b5dc4ff022400eadf

        SHA1: b8e4b18743ed294d08220bbbb0b48105f0734850

        SHA256: ec4092dc30c86679013e9e86ce949653a283e1000ab488bb40523b968970a850

        1 Reply Last reply Reply Quote 0
        • N
          nambi
          last edited by Jan 6, 2017, 3:26 PM

          No matter which version of putty I used it didn't work for my, strangely the same versions of putty work on my other pfsense box.  I don't understand why? I tired clearing out he reg files but still no go, what DID work for me was using BITVISE ssh client. this worked without issues.

          1 Reply Last reply Reply Quote 0
          • J
            jimp Rebel Alliance Developer Netgate
            last edited by Jan 6, 2017, 3:35 PM

            I have yet to see a case where updating PuTTY didn't work. Perhaps you are still running an old putty somehow (wrong shortcut/link, for example).

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            1 Reply Last reply Reply Quote 0
            • C
              chrcoluk
              last edited by Jan 6, 2017, 3:52 PM Jan 6, 2017, 3:47 PM

              @johnpoz:

              yeah the issue I am having is with securecrt, you would think they would enabled chacha20 but not yet.. they just recently added ed25519..

              But the dev version of putty has had both for quite some time.

              That product director has driven me up the wall, her name maureen I think.

              About a year or so ago I requested what I consider easy to adopt changes.

              Support for chacha20
              Support for gcm ciphers

              To this day still no support.

              Yet they have managed to do updates that affect the GUI design and some other stuff.

              Seems their priority is making the program look pretty but not security enhancements.

              https://forums.vandyke.com/showthread.php?t=12209
              https://www.vandyke.com/products/securecrt/history.txt
              https://s2-forums.vandyke.com/showthread.php?p=46666

              very frustrating.

              pfSense CE 2.7.2

              1 Reply Last reply Reply Quote 0
              • J
                johnpoz LAYER 8 Global Moderator
                last edited by Jan 6, 2017, 5:28 PM

                Yeah your right her name is Maureen from the thread.. Her last excuse

                We have a fairly small develpment team and it can be a challenge to balance implementing new features, fixing bugs, and making sure our applications run on the latest version of the supported platforms.

                My answer to that was putty has 1 guy coding ;)  And it has had support pretty much since its been available ;)

                I told her their product is dead to me.. Its completely useless if its not going to support modern ciphers and algo's.. The closest they have come is back in Jan of 2016 they added ECDSA and Ed25519 keys

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                1 Reply Last reply Reply Quote 0
                • D
                  doktornotor Banned
                  last edited by Jan 7, 2017, 12:10 PM

                  For putty, really use the daily builds ONLY. ECDSA and Ed25519 is there as well. The stable release is not usable.

                  1 Reply Last reply Reply Quote 0
                  • J
                    johnpoz LAYER 8 Global Moderator
                    last edited by Jan 7, 2017, 3:16 PM

                    Yeah I use the dev bulds.. But as of late I just use kitty which is a fork of putty that supports everything as of a few updates back.  Or I just use the windows build of openssh.. This is really the easiest way to know for sure your going to have full support of all the ciphers and algo's that openssh is using.

                    https://www.mls-software.com/opensshd.html

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    1 Reply Last reply Reply Quote 0
                    • J
                      jimp Rebel Alliance Developer Netgate
                      last edited by Jan 17, 2017, 11:13 PM

                      Good news, ChaCha20 is coming to SecureCRT

                      You previously requested support for the ChaCha20-Poly1305 cipher for SSH2
                      sessions.  This has been implemented in a pre-beta version of SecureCRT and SecureFX.

                      If you would be interested in trying it, please let me know which product(s) and
                      platform(s) you need.

                      Products:

                      SecureCRT
                      SecureCRT and SecureFX

                      Platforms:

                      Windows (64-bit)
                      Windows (32-bit)
                      Mac OS X (10.11 and later)
                      Linux (Ubuntu 16.x, 64-bit)
                      Linux (Ubuntu 16.x, 32-bit)
                      Linux (Ubuntu 14.x and 15.x, 64-bit)
                      Linux (Ubuntu 14.x and 15.x, 32-bit)
                      Linux (RHEL 7.0)

                      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                      Need help fast? Netgate Global Support!

                      Do not Chat/PM for help!

                      1 Reply Last reply Reply Quote 0
                      • J
                        johnpoz LAYER 8 Global Moderator
                        last edited by Jan 19, 2017, 1:25 PM

                        Yeah I just emailed her, says on my thread to contact her for access to the prebeta ;)

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        1 Reply Last reply Reply Quote 0
                        • C
                          chrcoluk
                          last edited by Jan 20, 2017, 12:48 AM

                          yeah she emailed me about it some days back, no GCM still but at least CHACHA is something.

                          pfSense CE 2.7.2

                          1 Reply Last reply Reply Quote 0
                          • J
                            johnpoz LAYER 8 Global Moderator
                            last edited by Jan 20, 2017, 11:32 AM

                            So got the new secure beta.. And finally

                            [LOCAL] : Available Remote Send Ciphers = chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
                            [LOCAL] : Selected Send Cipher = chacha20-poly1305@openssh.com
                            [LOCAL] : Available Remote Recv Ciphers = chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
                            [LOCAL] : Selected Recv Cipher = chacha20-poly1305@openssh.com

                            Now they just need to add GCM ;)

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.8, 24.11

                            1 Reply Last reply Reply Quote 0
                            • R
                              riahc3 Banned
                              last edited by Apr 20, 2017, 9:03 AM

                              @jimp:

                              FYI- We disabled some older, weaker, ssh key exchange algorithms. It won't be uncommon to find some older programs that use ssh directly or via things like libssh, that will need to be updated.

                              How do you reenable them?

                              1 Reply Last reply Reply Quote 0
                              • J
                                johnpoz LAYER 8 Global Moderator
                                last edited by Apr 20, 2017, 9:34 AM

                                Why would you need to re-enable them.. They have been disabled for a reason, ie not secure.. Update your client is the correct fix here..

                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                If you get confused: Listen to the Music Play
                                Please don't Chat/PM me for help, unless mod related
                                SG-4860 24.11 | Lab VMs 2.8, 24.11

                                1 Reply Last reply Reply Quote 0
                                • R
                                  riahc3 Banned
                                  last edited by Apr 20, 2017, 9:51 AM Apr 20, 2017, 9:47 AM

                                  @johnpoz:

                                  Why would you need to re-enable them.. They have been disabled for a reason, ie not secure.. Update your client is the correct fix here..

                                  Thats awesome.

                                  How do you reenable them?

                                  (For the record, yes, I am fully aware that many companies in 2016-2017, made SHA1 deprecated)

                                  1 Reply Last reply Reply Quote 0
                                  • K
                                    kpa
                                    last edited by Apr 20, 2017, 9:53 AM

                                    You re-enable them by rolling your own custom version of pfSense where you enable them in the openssh configuration. Oh and forget any official support if you follow that route.

                                    1 Reply Last reply Reply Quote 0
                                    • R
                                      riahc3 Banned
                                      last edited by Apr 20, 2017, 9:58 AM

                                      @kpa:

                                      You re-enable them by rolling your own custom version of pfSense where you enable them in the openssh configuration. Oh and forget any official support if you follow that route.

                                      No.

                                      From the posts in this thread, they were disabled not removed (ala PPTP). They should be able to be enabled (under your own responsability)

                                      The issue for example is that PPTP was warned several months in advance that it was going to get removed. Maybe I missed it for SHA1 but…

                                      The point is that this thread only talks about it is disabled, not removed so...

                                      1 Reply Last reply Reply Quote 0
                                      • J
                                        johnpoz LAYER 8 Global Moderator
                                        last edited by Apr 20, 2017, 10:39 AM Apr 20, 2017, 10:32 AM

                                        "How do you reenable them?"

                                        You edit your sshd_conf to use the what you want.. But again I am going to stress they were disabled for a REASON!!!

                                        
                                        [2.4.0-BETA][root@pfsense.local.lan]/etc/ssh: cat sshd_config 
                                        # This file is automatically generated at startup
                                        KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
                                        Port 22
                                        Protocol 2
                                        HostKey /etc/ssh/ssh_host_rsa_key
                                        HostKey /etc/ssh/ssh_host_ed25519_key
                                        Compression yes
                                        ClientAliveInterval 30
                                        PermitRootLogin yes
                                        # Login via Key only
                                        ChallengeResponseAuthentication no
                                        PasswordAuthentication no
                                        PubkeyAuthentication yes
                                        UsePAM no
                                        UseDNS no
                                        LoginGraceTime 30s
                                        VersionAddendum none
                                        X11Forwarding no
                                        Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
                                        MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
                                        # override default of no subsystems
                                        Subsystem       sftp    /usr/libexec/sftp-server
                                        
                                        

                                        Notice the part that says this file created at startup.. So you would have to edit sshd script that does the creation.  Or you could use the sshd_extra file pretty sure..

                                        I can not stress this enough - do not lower the security of your sshd, up the security of the client your using to access it.  Putty is FREE it works just fine, they have a securecrt client closed beta you can get that supports the chacha stuff.  You can use just the mls windows version of openssh, which is what I use all the time.. also FREE

                                        You should never lower your security to "make something work"…  This is just bad security 101..

                                        What I did notice from this thread since I connected in with ssh -v into pfsense is they are behind on their ssh.. they are running 7.2 while 7.5 is current.

                                        debug1: Local version string SSH-2.0-OpenSSH_7.5
                                        debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2
                                        debug1: match: OpenSSH_7.2 pat OpenSSH* compat 0x04000000

                                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                                        If you get confused: Listen to the Music Play
                                        Please don't Chat/PM me for help, unless mod related
                                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                                        1 Reply Last reply Reply Quote 0
                                        • R
                                          riahc3 Banned
                                          last edited by Apr 20, 2017, 11:18 AM

                                          @johnpoz:

                                          "How do you reenable them?"

                                          You edit your sshd_conf to use the what you want.. But again I am going to stress they were disabled for a REASON!!!

                                          
                                          [2.4.0-BETA][root@pfsense.local.lan]/etc/ssh: cat sshd_config 
                                          # This file is automatically generated at startup
                                          KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
                                          Port 22
                                          Protocol 2
                                          HostKey /etc/ssh/ssh_host_rsa_key
                                          HostKey /etc/ssh/ssh_host_ed25519_key
                                          Compression yes
                                          ClientAliveInterval 30
                                          PermitRootLogin yes
                                          # Login via Key only
                                          ChallengeResponseAuthentication no
                                          PasswordAuthentication no
                                          PubkeyAuthentication yes
                                          UsePAM no
                                          UseDNS no
                                          LoginGraceTime 30s
                                          VersionAddendum none
                                          X11Forwarding no
                                          Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
                                          MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
                                          # override default of no subsystems
                                          Subsystem       sftp    /usr/libexec/sftp-server
                                          
                                          

                                          Notice the part that says this file created at startup.. So you would have to edit sshd script that does the creation.  Or you could use the sshd_extra file pretty sure..

                                          I can not stress this enough - do not lower the security of your sshd, up the security of the client your using to access it.  Putty is FREE it works just fine, they have a securecrt client closed beta you can get that supports the chacha stuff.  You can use just the mls windows version of openssh, which is what I use all the time.. also FREE

                                          You should never lower your security to "make something work"…  This is just bad security 101..

                                          What I did notice from this thread since I connected in with ssh -v into pfsense is they are behind on their ssh.. they are running 7.2 while 7.5 is current.

                                          debug1: Local version string SSH-2.0-OpenSSH_7.5
                                          debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2
                                          debug1: match: OpenSSH_7.2 pat OpenSSH* compat 0x04000000

                                          Quoted in case of removal.

                                          1 Reply Last reply Reply Quote 0
                                          • First post
                                            Last post
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                                            This community forum collects and processes your personal information.
                                            consent.not_received