[ZBX-17417] ssh.run with Server/Proxy linked to libssh2 cannot use new key exchange algorithms Created: 2020 Mar 05  Updated: 2024 Apr 10  Resolved: 2020 Nov 01

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Packages (C)
Affects Version/s: 3.0.30, 4.0.18, 4.4.6
Fix Version/s: 4.0.27rc1, 5.0.6rc1, 5.2.1rc1, 5.4.0alpha1, 5.4 (plan)

Type: Problem report Priority: Critical
Reporter: Edgar Akhmetshin Assignee: Jurijs Klopovskis
Resolution: Fixed Votes: 1
Labels: packages
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

RHEL7-based/Debian-based distros linked against libssh2.


Issue Links:
Sub-task
depends on ZBX-17301 Zabbix ssh.run authentication method ... Closed
Team: Team I
Sprint: Sprint 62 (Mar 2020), Sprint 63 (Apr 2020), Sprint 64 (May 2020), Sprint 65 (Jun 2020), Sprint 66 (Jul 2020), Sprint 67 (Aug 2020), Sprint 68 (Sep 2020), Sprint 69 (Oct 2020)
Story Points: 0.25

 Description   

Steps to reproduce:

  1. IBM sshd configuration file provided by vendor after an upgrade for a specific hardware:
    ...skipped part...
    UseDNS yes
    KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
    

https://www.libssh2.org:

Key Exchange Methods: diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1, diffie-hellman-group-exchange-sha256

Result:

error: Cannot establish SSH session: Unable to exchange encryption keys

Expected:
Provide ability to use the following Kex Algorithms:

                   curve25519-sha256
                   curve25519-sha256@libssh.org
                   diffie-hellman-group-exchange-sha256
                   ecdh-sha2-nistp256
                   ecdh-sha2-nistp384
                   ecdh-sha2-nistp521


 Comments   
Comment by Alexander Vladishev [ 2020 Mar 12 ]

I think this problem can be solved by replacing libssh2 with the libssh library. Zabbix supports this library from versions 4.0.18 and 4.4.6.

https://www.libssh.org/features/

Comment by Edgar Akhmetshin [ 2020 Mar 12 ]

Hello,

As stated in the ENV description, RHEL7 still uses libssh2:

yum deplist zabbix-server-pgsql-4.0.18-1.el7.x86_64.rpm  |grep -i ssh
  dependency: libssh2.so.1()(64bit)
  provider: libssh2.x86_64 1.8.0-3.el7

Please provide packages with libssh support.

Regards,
Edgar

Comment by Jurijs Klopovskis [ 2020 Oct 05 ]

Fixed in pre 5.0.5 & 5.2.0beta2.
Building against libssh on bionic, focal & buster as well as on sles15.
RHEL/CentOS 8 packages are already built with libssh.
On other distros and zabbix versions libssh2 is used or no server/proxy packages are built.

Comment by Oleksii Zagorskyi [ 2020 Dec 24 ]

To understand what the server suggests, run the ssh client with the -vv option and look for the lines:

debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25 ....

If in the list one of these (used by libssh2) is missing, that's the case when libssh must be used:

kex_algorithms: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

I hope I'm correct here.
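
The check described in the last comment, as an added shell example that is not part of the original issue or of Zabbix's code: it pulls the server's KEX proposal out of `ssh -vv` output and intersects it with the libssh2 list quoted in that comment, since key exchange needs at least one method in common. The function names and the sample debug output are constructed for illustration.

```shell
#!/bin/sh
# KEX methods used by libssh2, copied from the comment above.
LIBSSH2_KEX="diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1"

# Print the server's KEX list from `ssh -vv` output on stdin. The client's own
# proposal also has a "KEX algorithms:" line, so only the one that follows
# "peer server KEXINIT proposal" is taken.
server_kex() {
    awk '
        /peer server KEXINIT proposal/ { peer = 1; next }
        peer && /KEX algorithms:/ {
            sub(/^.*KEX algorithms:[ \t]*/, "")
            sub(/[ \t\r]+$/, "")
            print
            exit
        }'
}

# Print the methods both sides support, one per line, in the server's order.
# Returns 1 when there is none, i.e. key exchange with libssh2 cannot succeed.
kex_overlap() {
    common=$(server_kex | tr ',' '\n' | while IFS= read -r alg; do
        case ",$LIBSSH2_KEX," in
            *",$alg,"*) printf '%s\n' "$alg" ;;
        esac
    done)
    [ -n "$common" ] || return 1
    printf '%s\n' "$common"
}

# Constructed sample output (not captured from a real host).
SAMPLE_MODERN='debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group14-sha1
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384
debug2: host key algorithms: ssh-ed25519'
SAMPLE_MIXED='debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1'

for name in MODERN MIXED; do
    eval "sample=\$SAMPLE_$name"
    if shared=$(printf '%s\n' "$sample" | kex_overlap); then
        echo "$name: KEX methods shared with libssh2:" $shared
    else
        echo "$name: no KEX method in common with libssh2"
    fi
done
```

Against a real host, pipe the client's debug output into the function, for example `ssh -vv user@host true 2>&1 | kex_overlap`. A shared KEX method is necessary but not sufficient: host key, cipher and MAC algorithms are negotiated the same way.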
