Connection from libgit2 (libssh2) fails with "failed to start SSH session: Unable to exchange encryption keys"

[Qix-]

Hi there. I'm trying to get a libgit2 client (via the git2 crate) connecting to russh for integration testing purposes and I'm getting a rather unhelpful error from libgit2 - failed to start SSH session: Unable to exchange encryption keys.

I did a pcap of the negotiation and it looks like the client simply hangs up after russh tries to initiate a key exchange. I'm not well versed in the exchange details so this very well could be a problem with libgit2, but we don't have issues connecting to other servers - just russh.

Negotation packets (client hangs up directly after this):

SSH Protocol
    Protocol: SSH-2.0-libssh2_1.10.1_DEV
    [Direction: server-to-client]

SSH Protocol
    Protocol: SSH-2.0-russh_0.41.0-beta.4
    [Direction: client-to-server]

SSH Protocol
    SSH Version 2
        Packet Length: 1196
        Padding Length: 11
        Key Exchange (method:curve25519-sha256)
            Message Code: Key Exchange Init (20)
            Algorithms
                Cookie: 199acd9dc98b56be0d562512369ee374
                kex_algorithms length: 331
                kex_algorithms string [truncated]: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,dif
                server_host_key_algorithms length: 265
                server_host_key_algorithms string [truncated]: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],[email protected],ssh-ed255
                encryption_algorithms_client_to_server length: 146
                encryption_algorithms_client_to_server string: aes128-ctr,aes192-ctr,aes256-ctr,aes256-cbc,[email protected],aes192-cbc,aes128-cbc,blowfish-cbc,arcfour128,arcfour,cast128-cbc,3des-cbc
                encryption_algorithms_server_to_client length: 146
                encryption_algorithms_server_to_client string: aes128-ctr,aes192-ctr,aes256-ctr,aes256-cbc,[email protected],aes192-cbc,aes128-cbc,blowfish-cbc,arcfour128,arcfour,cast128-cbc,3des-cbc
                mac_algorithms_client_to_server length: 113
                mac_algorithms_client_to_server string: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,[email protected]
                mac_algorithms_server_to_client length: 113
                mac_algorithms_server_to_client string: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,[email protected]
                compression_algorithms_client_to_server length: 4
                compression_algorithms_client_to_server string: none
                compression_algorithms_server_to_client length: 4
                compression_algorithms_server_to_client string: none
                languages_client_to_server length: 0
                languages_client_to_server string: 
                languages_server_to_client length: 0
                languages_server_to_client string: 
                First KEX Packet Follows: 0
                Reserved: 00000000
                [hasshServerAlgorithms [truncated]: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,dif]
                [hasshServer: 19a8bc97d71fe02f6899cd96937a5202]
        Padding String: 2ffd9404a0bee872b5bcc1
        Sequence number: 0
    [Direction: server-to-client]

SSH Protocol
    SSH Version 2
        Packet Length: 764
        Padding Length: 10
        Key Exchange (method:curve25519-sha256)
            Message Code: Key Exchange Init (20)
            Algorithms
                Cookie: fbb9d45baee0ef5ecc4ccc09a1567ab0
                kex_algorithms length: 146
                kex_algorithms string: curve25519-sha256,[email protected],diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,ext-info-s,[email protected]
                server_host_key_algorithms length: 77
                server_host_key_algorithms string: ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512
                encryption_algorithms_client_to_server length: 85
                encryption_algorithms_client_to_server string: [email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
                encryption_algorithms_server_to_client length: 85
                encryption_algorithms_server_to_client string: [email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
                mac_algorithms_client_to_server length: 123
                mac_algorithms_client_to_server string: [email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected],hmac-sha1
                mac_algorithms_server_to_client length: 123
                mac_algorithms_server_to_client string: [email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected],hmac-sha1
                compression_algorithms_client_to_server length: 26
                compression_algorithms_client_to_server string: none,zlib,[email protected]
                compression_algorithms_server_to_client length: 26
                compression_algorithms_server_to_client string: none,zlib,[email protected]
                languages_client_to_server length: 0
                languages_client_to_server string: 
                languages_server_to_client length: 0
                languages_server_to_client string: 
                First KEX Packet Follows: 0
                Reserved: 00000000
                [hasshAlgorithms [truncated]: curve25519-sha256,[email protected],diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,ext-info-s,[email protected];[email protected],[email protected],aes256-ctr]
                [hassh: 4b1a36b25874bf1affea42deb0f90ba0]
        Padding String: 00000000000000000000
        Sequence number: 0
    [Direction: client-to-server]

SSH Protocol
    SSH Version 2
        Packet Length: 44
        Padding Length: 6
        Key Exchange (method:curve25519-sha256)
            Message Code: Elliptic Curve Diffie-Hellman Key Exchange Init (30)
            ECDH client's ephemeral public key length: 32
            ECDH client's ephemeral public key (Q_C): 790edbec4a082f8295961b6990a1360093106f33276e32cc81fbef46d924a537
        Padding String: 57ac5d71360e
        Sequence number: 1
    [Direction: server-to-client]

I've attached the PCAPng file directly given that wireshark truncates column data for some reason:
key-exchange-libssh2-russh.pcapng.zip

The initialization code is just this:

        let listener = TcpListener::bind(("127.0.0.1", 0)).await.unwrap();
        let addr = listener.local_addr().unwrap();
        let port = addr.port();

        let config = Arc::new(russh::server::Config {
            inactivity_timeout: Some(std::time::Duration::from_secs(10)),
            auth_rejection_time: std::time::Duration::from_secs(3),
            auth_rejection_time_initial: Some(std::time::Duration::from_secs(3)),
            keys: vec![
                russh_keys::key::KeyPair::generate_ed25519().unwrap(),
            ],
            ..Default::default()
        });

        let socket_future = russh::server::run_on_socket(config, &listener, self);

Perhaps I'm missing something on the config side but I'm honestly not sure how to debug further given that neither side (libgit2 nor russh) have any additional callbacks I can specify to show more involved output. Is this an issue with unsupported key exchange algorithms?

For what it's worth, git (mainstream CLI) works fine.

[Eugeny]

Looks like the session ends up negotiating a missing ecdsa-sha2-nistp256 host key, which is then the same bug as #227 (just fixed) - please check

[Qix-]

Nope, unfortunately still the same issue. Should I do another PCAP dump?