
Author Topic: Synapse SSH client key exchange init problem  (Read 1176 times)

matjaz

Synapse SSH client key exchange init problem
« on: January 04, 2023, 01:33:16 pm »
Hello,

I'm using an SSH client based on Leonardo's blog http://leonardorame.blogspot.com/2010/01/synapse-based-ssh-client.html on Delphi 2005 using the Cryptlib library.

The problem is that the SSH server does not accept the key exchange init message from the client and is responding with the message Unsupported. The Wireshark PCAP trace is attached.

How could I set correct parameters for SSH key exchange?
 

 
« Last Edit: January 04, 2023, 02:03:37 pm by matjaz »

rvk

Re: Synapse SSH client key exchange init problem
« Reply #1 on: January 04, 2023, 02:49:01 pm »
Quote from matjaz: "How could I set correct parameters for SSH key exchange?"
It depends on how far you are willing to go and cripple the SSH server side with unsecure methods.

Your (old) cryptlib is using Key Exchange diffie-hellman-group-exchange-sha1.
The (new) OpenSSH 7.2 doesn't have that included anymore by default.

You could enable it in the server by adding diffie-hellman-group1-sha1.
See https://unix.stackexchange.com/a/370716/337973
But NOTE... that they are disabled by default for GOOD reasons !!

It's better to upgrade your client dll to a newer one.
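
As an added illustration (not part of the thread or of any poster's code): a Python example that parses an SSH_MSG_KEXINIT payload, the message shown in a Wireshark trace, and applies the first-match rule from RFC 4253 section 7.1 to show why a client offering only SHA-1 key exchanges reaches no agreement with a server that no longer lists them. The algorithm lists are constructed samples, not values from the attached PCAP, and all function names are hypothetical.

```python
import struct

# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ["kex_algorithms", "server_host_key_algorithms",
          "encryption_c2s", "encryption_s2c", "mac_c2s", "mac_s2c",
          "compression_c2s", "compression_s2c", "languages_c2s", "languages_s2c"]
SSH_MSG_KEXINIT = 20

def build_kexinit(lists):
    """Build a KEXINIT payload (used here only to construct sample input)."""
    out = bytes([SSH_MSG_KEXINIT]) + bytes(16)           # type byte + 16-byte cookie
    for name in FIELDS:
        body = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(body)) + body       # uint32 length + names
    return out + b"\x00" + struct.pack(">I", 0)          # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Return {field: [algorithm names]} from a KEXINIT payload, with bounds checks."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, result = 17, {}
    for name in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            raise ValueError("name-list runs past end of payload")
        raw = payload[pos:pos + n].decode("ascii")
        result[name] = raw.split(",") if raw else []
        pos += n
    return result

def negotiate_kex(client, server):
    """First client kex name the server also lists (simplified RFC rule), or None."""
    offered = set(server["kex_algorithms"])
    return next((a for a in client["kex_algorithms"] if a in offered), None)

def sha1_kex(parsed):
    """Kex names that end in -sha1, i.e. the SHA-1 based ones discussed in the thread."""
    return [a for a in parsed["kex_algorithms"] if a.endswith("-sha1")]

# Constructed samples: an old client's offer and a server with a newer default list.
OLD_CLIENT = build_kexinit({"kex_algorithms": ["diffie-hellman-group-exchange-sha1",
                                               "diffie-hellman-group1-sha1"]})
SERVER = build_kexinit({"kex_algorithms": [
    "curve25519-sha256@libssh.org", "ecdh-sha2-nistp256",
    "diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha1"]})
```

With these samples, `negotiate_kex(parse_kexinit(OLD_CLIENT), parse_kexinit(SERVER))` returns `None`, which is the condition under which a server refuses the key exchange.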

matjaz

Re: Synapse SSH client key exchange init problem
« Reply #2 on: January 04, 2023, 03:59:46 pm »
Thank you for your answer, rvk. I have tried with newer versions of cryptlib (3.4.3) and dll, but with those I do not get key exchange init from the client side. Could you suggest links for a newer version that I could use?

rvk

Re: Synapse SSH client key exchange init problem
« Reply #3 on: January 04, 2023, 05:08:56 pm »
Quote from matjaz: "I have tried with newer versions of cryptlib (3.4.3) ..."
Cryptlib 3.4.3 is still over 8 years old (or even older).

There are some versions floating around but I'm not sure where. You would always need to rely on others to compile one.
I thought cryptlib needed a license to distribute commercially. It's free for personal use so I've never touched it.

I've always used libssh2.dll (but the old version I have here gives the same error).

Edit: With the libssh2.dll 1.10.0 from PHP8 it works (although you need to use a private key file).
« Last Edit: January 04, 2023, 05:55:45 pm by rvk »

matjaz

Re: Synapse SSH client key exchange init problem
« Reply #4 on: January 05, 2023, 08:02:54 am »
libssh2.dll works also for me, but it has a problem listing long files. After 2000 lines or so it just stops.

matjaz

Re: Synapse SSH client key exchange init problem
« Reply #5 on: January 05, 2023, 01:41:52 pm »
Attached Wireshark PCAP trace when I use cryptlib 3.4.3 (malformed packet, [Invalid key length: 1536])
« Last Edit: January 05, 2023, 02:21:13 pm by matjaz »

Thaddy

Re: Synapse SSH client key exchange init problem
« Reply #6 on: January 05, 2023, 02:26:00 pm »
The problem is -sha1 and that has been removed from all crypto libs in the wild (or should be).
12-year-old blogs referring to crypto should be removed, as is the case here.
See https://en.wikipedia.org/wiki/SHA-1
It is old code with a big security issue. Do Not Use.

« Last Edit: January 05, 2023, 02:29:17 pm by Thaddy »
Object Pascal programmers should get rid of their "component fetish" especially with the non-visuals.

matjaz

Re: Synapse SSH client key exchange init problem
« Reply #7 on: January 05, 2023, 02:34:24 pm »
I agree with you, Thaddy, but with the newer cryptlib 3.4.3 the problem moves to another error; it seems it's related to key length, as I described in my previous post and the new PCAP trace in the attachment.

Thaddy

Re: Synapse SSH client key exchange init problem
« Reply #8 on: January 05, 2023, 03:38:25 pm »
Nope. The error response is correct. It should never be 1536.

matjaz

Re: Synapse SSH client key exchange init problem
« Reply #9 on: January 05, 2023, 04:17:45 pm »
Hmm, where does the key length 1536 come from, and how do I correct this?

rvk

Re: Synapse SSH client key exchange init problem
« Reply #10 on: January 05, 2023, 04:20:25 pm »
Quote from matjaz: "libssh2.dll works also for me, but it has a problem listing long files. After 2000 lines or so it just stops."
Otherwise you might want to try to find out why it is crapping out at 2000 lines.
It might not even have something to do with libssh2.dll, but with your own communication handling.

 
