
Bug 694984

Summary: net-misc/openssh-8.0_p1-r2 w/ dev-libs/openssl-1.1.1d breaks login for TermBot (Android)
Product: Gentoo Linux
Reporter: Michał Górny <mgorny>
Component: Current packages
Assignee: Gentoo's Team for Core System packages <base-system>
Status: RESOLVED WORKSFORME    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://github.com/cotechde/termbot/issues/17
Whiteboard:
Package list:
Runtime testing required: ---

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-09-19 20:49:54 UTC
After upgrading dev-libs/openssl to 1.1.1d, I can no longer connect to my systems from Android TermBot client.  It gives the following error:

===
Key exchange was not finished, connection is closed.
The server hostkey was not accepted by the verifier callback.
Unknown key type rsa-sha2-512
===

Downgrading openssl to 1.1.1c-r1 resolves the issue.  I'm not sure if it's a bug or a feature.  Reporting on both ends just in case.  I suppose it's not nice when you're outta home and discover you can't connect to your computer.

Comment 1 kfm 2019-09-19 21:22:48 UTC
Firstly, take a look at the following.

  sshd -T | awk '$1 == "hostkeyalgorithms"'

Secondly, prevent sshd from advertising any algorithms that your client is complaining about. Below is an example of the syntax. Note that the algorithms are being negated here.

  HostKeyAlgorithms -rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512

If this helps, then it falls upon the maintainer of your client to fix its behaviour because it should simply ignore any advertised algorithms that it does not support, provided that it has at least one in common with the server.
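
The selection rule Comment 1 relies on, sketched as an added example that is not part of the original comment or of OpenSSH: the negotiated host key algorithm is the first one on the client's list that the server also offers (RFC 4253 section 7.1, simplified here by ignoring the key exchange method's extra requirements). Both algorithm lists are constructed sample values, the client list is a hypothetical capability set, and all function names are illustrative.

```shell
#!/bin/sh
# Added example; both algorithm lists below are constructed sample values.
# in_list NAME LIST: succeed if NAME is an element of the comma-separated LIST
in_list() {
    case ",$2," in
        *",$1,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# negotiate CLIENT_LIST SERVER_LIST: print the first client algorithm that the
# server also offers; algorithms only the server knows are simply ignored.
negotiate() {
    old_ifs=$IFS; IFS=,
    for alg in $1; do
        if in_list "$alg" "$2"; then
            IFS=$old_ifs
            printf '%s\n' "$alg"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1   # nothing in common: the connection cannot proceed
}

# unknown_to_client CLIENT_LIST SERVER_LIST: server algorithms the client lacks
unknown_to_client() {
    out=
    old_ifs=$IFS; IFS=,
    for alg in $2; do
        in_list "$alg" "$1" || out="${out:+$out,}$alg"
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# negation_line CLIENT_LIST SERVER_LIST: sshd_config workaround line that stops
# sshd advertising what the client cannot handle (the "-" prefix negates)
negation_line() {
    drop=$(unknown_to_client "$1" "$2")
    if [ -n "$drop" ]; then printf 'HostKeyAlgorithms -%s\n' "$drop"; fi
}

# Constructed samples; on a real host the server list would come from:
#   sshd -T | awk '$1 == "hostkeyalgorithms" { print $2 }'
server_algs='rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-ed25519'
client_algs='ssh-ed25519,ssh-rsa'   # hypothetical client capability list
negotiate "$client_algs" "$server_algs"
negation_line "$client_algs" "$server_algs"
```

Before applying a generated negation line, confirm that `negotiate` still succeeds against the reduced server list, so the workaround does not leave the client with no common algorithm.
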
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2020-02-17 08:24:53 UTC
Closing as I cannot reproduce the issue and termbot upstream said they need to fix it on their end.