Comments (21)
Be aware that by disabling this check you are making yourself vulnerable to MITM attacks.
from ssh2-streams.
I am aware of this. Unfortunately, it seems my options are disable the check or it doesn't work at all.
Maybe it would be helpful to have an option to disable this and include a warning in the logs?
from ssh2-streams.
I'd much rather try to solve the problem if possible rather than encourage bypassing a security check.
from ssh2-streams.
Sure. That's the best solution.
I can send you testing credentials for the server I'm having issues with if you like.
from ssh2-streams.
Can you test with the master branch of ssh2 to see if the issue is still present there?
from ssh2-streams.
I tested with the master branch of ssh2 and I have the same problem. I did notice some errors when running npm install, but I figured I would test anyway since it said it was an optional dependency.
C:\Users\John\Desktop\ssh2-test\ssh2>npm install
> [email protected] install C:\Users\John\Desktop\ssh2-test\ssh2\node_modules\cpu-features
> node-gyp rebuild
C:\Users\John\Desktop\ssh2-test\ssh2\node_modules\cpu-features>if not defined npm_config_node_gyp (node "C:\Program Files\nodejs\node_modules\npm\node_modules\npm-lifecycle\node-gyp-bin\\..\..\node_modules\node-gyp\bin\node-gyp.js" rebuild ) else (node "C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\bin\node-gyp.js" rebuild )
Building the projects in this solution one at a time. To enable parallel build, please add the "/m" switch.
Configuring dependencies
-- Building for: Visual Studio 14 2015
-- Selecting Windows SDK version to target Windows 10.0.18363.
-- The C compiler identification is MSVC 19.0.24210.0
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Check for working C compiler: C:/Program Files (x86)/Microsoft Visual Studio 14.0/VC/bin/x86_amd64/cl.exe - skipped
-- Detecting C compile features
-- Detecting C compile features - done
-- Configuring done
-- Generating done
-- Build files have been written to: C:/Users/John/Desktop/ssh2-test/ssh2/node_modules/cpu-features/deps/cpu_features/build
Building dependencies
Microsoft (R) Build Engine version 14.0.25420.1
Copyright (C) Microsoft Corporation. All rights reserved.
Checking Build System
Building Custom Rule C:/Users/John/Desktop/ssh2-test/ssh2/node_modules/cpu-features/deps/cpu_features/CMakeLists.txt
filesystem.c
stack_line_reader.c
string_view.c
Generating Code...
utils.vcxproj -> C:\Users\John\Desktop\ssh2-test\ssh2\node_modules\cpu-features\deps\cpu_features\build\utils.dir\Release\utils.lib
Building Custom Rule C:/Users/John/Desktop/ssh2-test/ssh2/node_modules/cpu-features/deps/cpu_features/CMakeLists.txt
cpuinfo_x86.c
cpu_features.vcxproj -> C:\Users\John\Desktop\ssh2-test\ssh2\node_modules\cpu-features\deps\cpu_features\build\Release\cpu_features.lib
Building Custom Rule C:/Users/John/Desktop/ssh2-test/ssh2/node_modules/cpu-features/deps/cpu_features/CMakeLists.txt
list_cpu_features.c
c:\users\john\desktop\ssh2-test\ssh2\node_modules\cpu-features\deps\cpu_features\src\utils\list_cpu_features.c(343): warning C4715: 'GetCacheTypeString': not all control paths return a value [C:\Users\John\Desktop\ssh2-test\ssh2\node_modules\cpu-features\deps\cpu_features\build\list_cpu_features.vcxproj] [C:\Users\John\Desktop\ssh2-test\ssh2\node_modules\cpu-features\build\build_deps.vcxproj]
list_cpu_features.vcxproj -> C:\Users\John\Desktop\ssh2-test\ssh2\node_modules\cpu-features\deps\cpu_features\build\Release\list_cpu_features.exe
Building Custom Rule C:/Users/John/Desktop/ssh2-test/ssh2/node_modules/cpu-features/deps/cpu_features/CMakeLists.txt
binding.cc
win_delay_load_hook.cc
Creating library C:\Users\John\Desktop\ssh2-test\ssh2\node_modules\cpu-features\build\Release\cpufeatures.lib and object C:\Users\John\Desktop\ssh2-test\ssh2\node_modules\cpu-features\build\Release\cpufeatures.exp
LINK : warning LNK4098: defaultlib 'MSVCRT' conflicts with use of other libs; use /NODEFAULTLIB:library [C:\Users\John\Desktop\ssh2-test\ssh2\node_modules\cpu-features\build\cpufeatures.vcxproj]
cpufeatures.vcxproj -> C:\Users\John\Desktop\ssh2-test\ssh2\node_modules\cpu-features\build\Release\\cpufeatures.node
cpufeatures.vcxproj -> C:\Users\John\Desktop\ssh2-test\ssh2\node_modules\cpu-features\build\Release\cpufeatures.pdb (Full PDB)
> [email protected] install C:\Users\John\Desktop\ssh2-test\ssh2
> node install.js
C:\Users\John\Desktop\ssh2-test\ssh2\lib\protocol\crypto>if not defined npm_config_node_gyp (node "C:\Program Files\nodejs\node_modules\npm\node_modules\npm-lifecycle\node-gyp-bin\\..\..\node_modules\node-gyp\bin\node-gyp.js" --target=v14.15.4 rebuild ) else (node "C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\bin\node-gyp.js" --target=v14.15.4 rebuild )
Building the projects in this solution one at a time. To enable parallel build, please add the "/m" switch.
binding.cc
win_delay_load_hook.cc
..\src\binding.cc(1718): error C2131: expression did not evaluate to a constant [C:\Users\John\Desktop\ssh2-test\ssh2\lib\protocol\crypto\build\sshcrypto.vcxproj]
..\src\binding.cc(1718): note: failure was caused by non-constant arguments or reference to a non-constant symbol
..\src\binding.cc(1718): note: see usage of 'this'
gyp ERR! build error
gyp ERR! stack Error: `C:\Program Files (x86)\MSBuild\14.0\bin\MSBuild.exe` failed with exit code: 1
gyp ERR! stack at ChildProcess.onExit (C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\lib\build.js:194:23)
gyp ERR! stack at ChildProcess.emit (events.js:315:20)
gyp ERR! stack at Process.ChildProcess._handle.onexit (internal/child_process.js:277:12)
gyp ERR! System Windows_NT 10.0.18363
gyp ERR! command "C:\\Program Files\\nodejs\\node.exe" "C:\\Program Files\\nodejs\\node_modules\\npm\\node_modules\\node-gyp\\bin\\node-gyp.js" "--target=v14.15.4" "rebuild"
gyp ERR! cwd C:\Users\John\Desktop\ssh2-test\ssh2\lib\protocol\crypto
gyp ERR! node -v v14.15.4
gyp ERR! node-gyp -v v5.1.0
gyp ERR! not ok
Failed to build optional crypto binding
npm WARN [email protected] No license field.
added 1 package from 1 contributor and audited 7 packages in 22.723s
found 0 vulnerabilities
from ssh2-streams.
Can you set debug: console.log in the connection config object with the master branch of ssh2 and post the resulting output?
from ssh2-streams.
Sure.
09:32:53.345 > Custom crypto binding not available
09:32:53.576 > Client: Trying ecportal.dhl-usa.com on port 22 ...
09:32:55.133 > Local ident: 'SSH-2.0-ssh2js1.0.0-beta.0'
09:32:55.832 > Socket connected
09:32:56.063 > Remote ident: 'SSH-2.0-IBM Sterling Connect:Enterprise for UNIX2.5.0'
09:32:56.219 > Outbound: Sending KEXINIT
09:32:56.332 > Inbound: Handshake in progress
09:32:56.439 > Handshake: (local) KEX method: diffie-hellman-group1-sha1
09:32:56.538 > Handshake: (remote) KEX method: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
09:32:56.652 > Handshake: KEX algorithm: diffie-hellman-group1-sha1
09:32:56.753 > Handshake: (local) Host key format: ssh-dss
09:32:56.855 > Handshake: (remote) Host key format: ssh-dss
09:32:56.958 > Handshake: Host key format: ssh-dss
09:32:57.042 > Handshake: (local) C->S cipher: 3des-cbc,aes256-cbc,aes192-cbc,aes128-cbc,arcfour,blowfish-cbc,cast128-cbc
09:32:57.136 > Handshake: (remote) C->S cipher: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
09:32:57.248 > Handshake: C->S Cipher: 3des-cbc
09:32:57.455 > Handshake: (local) S->C cipher: 3des-cbc,aes256-cbc,aes192-cbc,aes128-cbc,arcfour,blowfish-cbc,cast128-cbc
09:32:57.659 > Handshake: (remote) S->C cipher: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
09:32:57.835 > Handshake: S->C cipher: 3des-cbc
09:32:58.037 > Handshake: (local) C->S MAC: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha2-256-96,hmac-sha2-512-96,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
09:32:58.216 > Handshake: (remote) C->S MAC: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
09:32:58.418 > Handshake: C->S MAC: hmac-sha1
09:32:58.590 > Handshake: (local) S->C MAC: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha2-256-96,hmac-sha2-512-96,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
09:32:58.824 > Handshake: (remote) S->C MAC: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
09:32:59.031 > Handshake: S->C MAC: hmac-sha1
09:32:59.213 > Handshake: (local) C->S compression: none,[email protected],zlib
09:32:59.424 > Handshake: (remote) C->S compression: none,zlib
09:32:59.624 > Handshake: C->S compression: none
09:32:59.774 > Handshake: (local) S->C compression: none,[email protected],zlib
09:32:59.991 > Handshake: (remote) S->C compression: none,zlib
09:33:00.204 > Handshake: S->C compression: none
09:33:00.407 > Outbound: Sending KEXDH_INIT
09:33:01.267 > Host accepted by default (no verification)
09:33:01.406 > Host accepted (verified)
09:33:01.552 > Inbound: NEWKEYS
09:33:01.753 > Verifying signature ...
09:33:01.965 > Signature verification failed: Error: error:06000080:public key routines:OPENSSL_internal:UNSUPPORTED_ALGORITHM
at verifyOneShot (internal/crypto/sig.js:219:10)
at OpenSSH_Public.verify (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\protocol\keyParser.js:405:18)
at DHExchange.finish (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\protocol\kex.js:669:40)
at DHExchange.parse (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\protocol\kex.js:1220:25)
at Protocol.onKEXPayload (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\protocol\kex.js:1764:20)
at NullDecipher.decrypt (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\protocol\crypto.js:617:26)
at Protocol.parsePacket [as _parse] (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\protocol\Protocol.js:1938:25)
at Protocol.parse (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\protocol\Protocol.js:287:16)
at Socket.<anonymous> (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\client.js:645:15)
at Socket.emit (events.js:315:20)
09:33:02.145 > Outbound: Sending DISCONNECT (3)
09:33:04.825 > Socket ended
09:33:05.059 > Socket closed
from ssh2-streams.
What does console.log(process.versions) show?
from ssh2-streams.
{
node: '12.18.3',
v8: '8.7.220.31-electron.0',
uv: '1.38.0',
zlib: '1.2.11',
brotli: '1.0.7',
ares: '1.16.0',
modules: '85',
nghttp2: '1.41.0',
napi: '6',
llhttp: '2.0.4',
http_parser: '2.9.3',
openssl: '1.1.1',
icu: '67.1',
unicode: '13.0',
electron: '11.2.3',
chrome: '87.0.4280.141'
}
from ssh2-streams.
Can you try with plain node v12.18.3? I believe Electron uses their own SSL library (BoringSSL I believe) which causes issues sometimes. It could be that host's public key size is too small and is thus not supported by the SSL library for security reasons.
from ssh2-streams.
Additionally, it could be that BoringSSL flat out doesn't support DSA host keys any longer.
from ssh2-streams.
It's interesting that using Electron changes the node version. I knew I was using something newer than v12.18.3...
{
node: '14.15.4',
v8: '8.4.371.19-node.17',
uv: '1.40.0',
zlib: '1.2.11',
brotli: '1.0.9',
ares: '1.16.1',
modules: '83',
nghttp2: '1.41.0',
napi: '7',
llhttp: '2.1.3',
openssl: '1.1.1i',
cldr: '37.0',
icu: '67.1',
tz: '2020a',
unicode: '13.0'
}
Here are the logs:
Custom crypto binding not available
Client: Trying ecportal.dhl-usa.com on port 22 ...
Local ident: 'SSH-2.0-ssh2js1.0.0-beta.0'
Socket connected
Remote ident: 'SSH-2.0-IBM Sterling Connect:Enterprise for UNIX2.5.0'
Outbound: Sending KEXINIT
Inbound: Handshake in progress
Handshake: (local) KEX method: diffie-hellman-group1-sha1
Handshake: (remote) KEX method: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
Handshake: KEX algorithm: diffie-hellman-group1-sha1
Handshake: (local) Host key format: ssh-dss
Handshake: (remote) Host key format: ssh-dss
Handshake: Host key format: ssh-dss
Handshake: (local) C->S cipher: 3des-cbc,aes256-cbc,aes192-cbc,aes128-cbc,arcfour,blowfish-cbc,cast128-cbc
Handshake: (remote) C->S cipher: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
Handshake: C->S Cipher: 3des-cbc
Handshake: (local) S->C cipher: 3des-cbc,aes256-cbc,aes192-cbc,aes128-cbc,arcfour,blowfish-cbc,cast128-cbc
Handshake: (remote) S->C cipher: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
Handshake: S->C cipher: 3des-cbc
Handshake: (local) C->S MAC: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha2-256-96,hmac-sha2-512-96,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
Handshake: (remote) C->S MAC: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
Handshake: C->S MAC: hmac-sha1
Handshake: (local) S->C MAC: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha2-256-96,hmac-sha2-512-96,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
Handshake: (remote) S->C MAC: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
Handshake: S->C MAC: hmac-sha1
Handshake: (local) C->S compression: none,[email protected],zlib
Handshake: (remote) C->S compression: none,zlib
Handshake: C->S compression: none
Handshake: (local) S->C compression: none,[email protected],zlib
Handshake: (remote) S->C compression: none,zlib
Handshake: S->C compression: none
Outbound: Sending KEXDH_INIT
Host accepted by default (no verification)
Host accepted (verified)
Inbound: NEWKEYS
Verifying signature ...
Signature verification failed
Outbound: Sending DISCONNECT (3)
events.js:292
throw er; // Unhandled 'error' event
^
Error: Handshake failed: signature verification failed
at makeError (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\protocol\utils.js:142:15)
at doFatalError (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\protocol\utils.js:184:13)
at DHExchange.finish (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\protocol\kex.js:680:18)
at DHExchange.parse (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\protocol\kex.js:1220:25)
at Protocol.onKEXPayload (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\protocol\kex.js:1764:20)
at NullDecipher.decrypt (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\protocol\crypto.js:617:26)
at Protocol.parsePacket [as _parse] (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\protocol\Protocol.js:1938:25)
at Protocol.parse (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\protocol\Protocol.js:287:16)
at Socket.<anonymous> (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\client.js:645:15)
at Socket.emit (events.js:315:20)
Emitted 'error' event on Client instance at:
at Socket.<anonymous> (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\client.js:647:14)
at Socket.emit (events.js:315:20)
at addChunk (internal/streams/readable.js:309:12)
at readableAddChunk (internal/streams/readable.js:284:9)
at Socket.Readable.push (internal/streams/readable.js:223:10)
at TCP.onStreamRead (internal/stream_base_commons.js:188:23) {
level: 'handshake',
fatal: true
}
from ssh2-streams.
Any thoughts on this?
from ssh2-streams.
I haven't found the cause yet. The signature seems to be valid and accepted by OpenSSL, it's just that the signature fails to be verified for some reason.
from ssh2-streams.
Can you verify that everything works with ssh2 v0.8.x instead of the master branch? I suspect there is some regression after the rewrite.
from ssh2-streams.
I've found the bug in ssh2 master, working on a fix....
from ssh2-streams.
Ok, the fix should be in ssh2's master branch now. Let me know if it works for you.
from ssh2-streams.
It seems like it works now. Thanks for your help.
from ssh2-streams.
I might have spoken too soon. It doesn't work in Electron, but I don't think this is an ssh2 problem. As you said:
Additionally, it could be that BoringSSL flat out doesn't support DSA host keys any longer.
This is the error I get:
Signature verification failed: Error: error:06000080:public key routines:OPENSSL_internal:UNSUPPORTED_ALGORITHM
Any ideas?
from ssh2-streams.
I can't really help there, as it's beyond the scope of this project. Curiously though, as far as I can tell BoringSSL does still contain support for both DSA and SHA1, so I'm not quite sure why Electron doesn't support it unless they are explicitly disabling specific legacy algorithms in one way or another.
from ssh2-streams.