无法交换加密密钥

Question

I'm facing a hard problem at the moment and I didn't find anything online that can help me.

function executeCommand($command) {
    $infoConnection = getInfoConnection();

    $out = '';
    //The Warning occurs here, impossible to go further
    $connection = ssh2_connect($infoConnection["hostname"], 22);

    if ($connection === false) {
        $error = error_get_last();
        throw new Exception("
        Error Type : ".$error["type"]."<br/>
        Message : ".$error["message"]."<br/>
        File : ".$error["file"]."<br/>
        Line : ".$error["line"]."<br/>");
    }

    ssh2_auth_password($connection, $infoConnection["username"], $infoConnection["password"]);

    $stdio_stream = ssh2_shell($connection);
    sleep(2);
    fwrite($stdio_stream,$infoConnection["username"]."\n");
    sleep(1);
    fwrite($stdio_stream,$infoConnection["password"]."\n");
    sleep(1);

    fwrite($stdio_stream, $command."\n");
    sleep(1);
    while($buffer = fgets($stdio_stream)) {

        $out .= $buffer;
    }
    fwrite($stdio_stream, 'exit');
    unset($connection);

    return $out;
}

Answer 1

I had this problem when trying to access a focal ubuntu server from a little old xenial through ssh2_connect. The solution was to update libssh2-1. Even with php showing the old version, it worked normally.

In the xenial, I added the focal repository, then installed the latest version of libssh2-1, restarted PHP to apply and removed focal repository.

sudo add-apt-repository "deb http://archive.ubuntu.com/ubuntu/ focal main restricted universe multiverse"
sudo apt-get update
sudo apt -y install libssh2-1
sudo add-apt-repository -r "deb http://archive.ubuntu.com/ubuntu/ focal main restricted universe multiverse"
sudo apt-get update

Answer 2

Warning: ssh2_connect() [function.ssh2-connect]: Error starting up SSH connection(-5): Unable to exchange encryption keys in ../aff_wifi.php on line 203

libssh2 0.x only supports Diffie-Hellman SHA1 based key exchange. OpenSSH has disabled DH SHA1 by default. That leaves libssh2 0.x high and dry.

Option 1: Update libssh2

libssh2 1.7 and up supports DH SHA256 and ECDH key exchange. These will work with the latest OpenSSH. 1.x releases require PHP 7.

Option 2: use phpseclib

If you're stuck on PHP 5 then libssh2 isn't usable. The highest version available for PHP5 is libssh2 0.13 which still only supports the SHA1 key exchanges. An alternate library that worked for me was phpseclib . That supports diffie-hellman-group-exchange-sha256 and I was able to connect to updated OpenSSH servers.

Answer 3

If you have access to the SSH server, and the SSH server is running on a Linux system, the /var/log/messages and /var/log/secure logs on the Linux system might contain events that could be helpful in identifying why "Unable to exchange encryption keys" is being returned. For example, the /var/log/secure log could have something like this.

Jan 29 07:02:46 docker1 sshd[3245780]: Unable to negotiate with 192.168.0.15 port 55736: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]

Notice in this example that the /var/log/secure log captures "no matching host key type found" as the underlying issue. By default, the PHP ssh2_connection functions offers the following host key types.

• ssh-rsa
• ssh-dss

If the SSH server does not accept ssh-rsa or ssh-dss as host key types, then the /var/log/secure log will capture something like "no matching host key type found" and PHP should log "Unable to exchange encryption keys". In this scenario, the SSH server would need to be updated to accept the ssh-rsa or ssh-dss host key types.

For example, if the SSH server is OpenSSH, this could mean appending ssh-rsa and ssh-dss to the HostKeyAlgorithms line in the /etc/crypto-policies/back-ends/opensshserver.config on the OpenSSH Linux System.