ssh-keyscan can choose unsupported KEX algorithm

[heidelman]

Prerequisites

• Write a descriptive title.
• Make sure you are able to repro it on the latest version
• Search the existing issues.

Steps to reproduce

The ssh-keyscan.exe client application can propose unsupported KEX algorithms, notably sntrup761x25519-sha512@openssh.com. The server (if it also supports sntrup) will also propose sntrup. However, ssh-keyscan.exe will then fail in choose_kex with the error:
choose_kex: unsupported KEX method sntrup761x25519-sha512@openssh.com
That KEX algorithm requires a C99 compiler and is hidden behind a #if in defines.h.

ssh.exe and sshd.exe do not have this issue, because only supported KEX algorithms are proposed using the function match_filter_allowlist.

Client requirement: Win32-OpenSSH version 9.2 (a merge in 9.1 moved sntrup to the top of the preferred KEX list)
Server requirement: Linux (for enabled sntrup761x25519-sha512@openssh.com support) OpenSSH version >=8.9 (where sntrup support was added)

ssh.exe -V
OpenSSH_for_Windows_9.2p1, LibreSSL 3.7.2

ssh-keyscan.exe -vvv ip

Expected behavior

ssh-keyscan.exe should not claim to support sntrup761x25519-sha512@openssh.com.

Actual behavior

debug1: kex: algorithm: sntrup761x25519-sha512@openssh.com
choose_kex: unsupported KEX method sntrup761x25519-sha512@openssh.com
debug2: local client KEXINIT proposal
debug2: KEX algorithms: __sntrup761x25519-sha512@openssh.com__,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

Error details

full output:

debug1: CIDR range 192.168.1.181
debug1: CIDR expand: address 192.168.1.181
debug2: fd 3 setting O_NONBLOCK
debug3: conalloc: oname 192.168.1.181 kt 2
debug2: fd 4 setting O_NONBLOCK
debug3: conalloc: oname 192.168.1.181 kt 4
debug2: fd 5 setting O_NONBLOCK
debug3: conalloc: oname 192.168.1.181 kt 8
debug2: fd 6 setting O_NONBLOCK
debug3: conalloc: oname 192.168.1.181 kt 32
debug2: fd 7 setting O_NONBLOCK
debug3: conalloc: oname 192.168.1.181 kt 64
debug1: compat_banner: match: OpenSSH_8.9 pat OpenSSH* compat 0x04000000
# 192.168.1.181:22 SSH-2.0-OpenSSH_8.9
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,sntrup761x25519-sha512@openssh.com,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: aes256-ctr,aes192-ctr,aes128-ctr
debug2: ciphers stoc: aes256-ctr,aes192-ctr,aes128-ctr
debug2: MACs ctos: hmac-sha2-512,hmac-sha2-256
debug2: MACs stoc: hmac-sha2-512,hmac-sha2-256
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: sntrup761x25519-sha512@openssh.com
choose_kex: unsupported KEX method sntrup761x25519-sha512@openssh.com
debug1: compat_banner: match: OpenSSH_8.9 pat OpenSSH* compat 0x04000000

Environment data

$PSVersionTable

Name                           Value
----                           -----
PSVersion                      7.3.6
PSEdition                      Core
GitCommitId                    7.3.6
OS                             Microsoft Windows 10.0.22621
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Version

9.2p1

Visuals

No response

[AndrewSav]

Having the same issue with v9.4.0.0p1-Beta

[brainos233]

sntrup761x25519 needs variable length arrays, see https://github.com/PowerShell/openssh-portable/blob/59aba65cf2e2f423c09d12ad825c3b32a11f408f/defines.h#L942

#if defined(VARIABLE_LENGTH_ARRAYS) && defined(VARIABLE_DECLARATION_AFTER_CODE)
# define USE_SNTRUP761X25519 1
#endif

But msvc does not support variable length arrays 😕

[AndrewSav]

If it's not supported it should not be proposed?

[triatic]

I came across this issue when testing 9.5p1. I suppose I'll just go back to using 8.1p1 which is bundled with Windows 10.

[triatic]

4 months later... 9.5p1 has been bundled into the latest update for Windows 10. I think a lot more people will be seeing this bug now.

[Peter-76]

Same here, have 9.5p1 now and my script that worked 2 days ago stopped working.

[Brink2Three]

Same here, anything newer than 9.5p1 appears to break. Had to manually rollback to 8.9p1 on multiple machines as newer versions are also broken :(

$ ssh-keyscan -t rsa 10.xx.xx.xxx
# 10.xx.xx.xxx:22 SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6
choose_kex: unsupported KEX method sntrup761x25519-sha512@openssh.com

[kthy]

Also just bitten by this. Is there a way to restrict the KEX list at runtime using flags, or does this essentially break ssh-keyscan until the PR is merged and released?

[tgauth]

Also just bitten by this. Is there a way to restrict the KEX list at runtime using flags, or does this essentially break ssh-keyscan until the PR is merged and released?

Yes, but the restriction has to be done via sshd, rather than ssh-keyscan as sshd_config has a KexAlgorithms directive

[kthy]

Yeah, I figured out I could do that, but if I didn't control the sshd setup on the target server I would've been SOL.

Thanks @tgauth for doing the patch on this 👏 - hoping we'll see a patch release asap.