tux/shellstation
1
1
Fork 0
Code Issues Pull requests Projects Releases 12 Packages Wiki Activity Actions

Issues when connecting to very old device (3des?) #10

New issue
Closed
opened 2026-04-15 13:23:36 +02:00 by tux · 5 comments
tux commented 2026-04-15 13:23:36 +02:00
Owner
Copy link

Attempt to connect to a very old device with the option to use legacy algorithms enabled fails.
By connecting to it from a linux server with verbose output and comparing it to a working device seems to show, that it tries to use 3des but fails.

Connection to the problematic old device:

debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
debug2: MACs ctos: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
debug2: MACs stoc: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: diffie-hellman-group14-sha1
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: 3des-cbc MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: 3des-cbc MAC: hmac-sha1 compression: none
debug1: kex: diffie-hellman-group14-sha1 need=24 dh_need=20
debug1: kex: diffie-hellman-group14-sha1 need=24 dh_need=20
debug2: bits set: 1053/2048

and in compare the connection an also old device, but not that old that it does not work:

debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
debug2: MACs stoc: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: diffie-hellman-group14-sha1
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: diffie-hellman-group14-sha1 need=32 dh_need=32
debug1: kex: diffie-hellman-group14-sha1 need=32 dh_need=32
debug2: bits set: 1020/2048
Attempt to connect to a very old device with the option to use legacy algorithms enabled fails. By connecting to it from a linux server with verbose output and comparing it to a working device seems to show, that it tries to use 3des but fails. Connection to the problematic old device: ``` debug2: peer server KEXINIT proposal debug2: KEX algorithms: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: host key algorithms: ssh-rsa debug2: ciphers ctos: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc debug2: ciphers stoc: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc debug2: MACs ctos: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96 debug2: MACs stoc: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96 debug2: compression ctos: none debug2: compression stoc: none debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 debug2: reserved 0 debug1: kex: algorithm: diffie-hellman-group14-sha1 debug1: kex: host key algorithm: ssh-rsa debug1: kex: server->client cipher: 3des-cbc MAC: hmac-sha1 compression: none debug1: kex: client->server cipher: 3des-cbc MAC: hmac-sha1 compression: none debug1: kex: diffie-hellman-group14-sha1 need=24 dh_need=20 debug1: kex: diffie-hellman-group14-sha1 need=24 dh_need=20 debug2: bits set: 1053/2048 ``` and in compare the connection an also old device, but not that old that it does not work: ``` debug2: peer server KEXINIT proposal debug2: KEX algorithms: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 debug2: host key algorithms: ssh-rsa debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr debug2: MACs ctos: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96 debug2: MACs stoc: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96 debug2: compression ctos: none debug2: compression stoc: none debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 debug2: reserved 0 debug1: kex: algorithm: diffie-hellman-group14-sha1 debug1: kex: host key algorithm: ssh-rsa debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none debug1: kex: diffie-hellman-group14-sha1 need=32 dh_need=32 debug1: kex: diffie-hellman-group14-sha1 need=32 dh_need=32 debug2: bits set: 1020/2048 ```
tux commented 2026-04-16 11:28:27 +02:00
Author
Owner
Copy link

Issue needs to be analyzed further with log level set to DEBUG, using a new release which includes #9eaeed9f4e

Issue needs to be analyzed further with log level set to DEBUG, using a new release which includes #9eaeed9f4e
tux commented 2026-04-20 23:55:26 +02:00
Author
Owner
Copy link

Please test with Version release 0.10.0

Please test with Version release [0.10.0](https://git.fiedler.live/tux/shellstation/releases/tag/v0.10.0)
tux commented 2026-04-21 09:53:31 +02:00
Author
Owner
Copy link

The connection still fails:

2026-04-21T07:44:27.115624Z DEBUG shellstation_lib::commands::session: Resolving credential profile for session session=12410fcd-5be2-47f2-84fd-75c9aaf15e85 profile_id=6ddb3722-59a7-41a5-bead-6118603277a2
2026-04-21T07:44:27.116134Z DEBUG shellstation_lib::commands::session: Credential profile resolved session=12410fcd-5be2-47f2-84fd-75c9aaf15e85 auth_type=password user=target-user
2026-04-21T07:44:27.116954Z DEBUG shellstation_lib::commands::session: Resolving jump hop hop=0 jump_id=a77665c5-7434-45b4-8079-895f6f7149ce host=xxx.xxx.xxx.xxx port=22
2026-04-21T07:44:27.117489Z DEBUG shellstation_lib::commands::session: Jump chain resolved total_hops=1
2026-04-21T07:44:27.133712Z  INFO shellstation_lib::session_logger: Session log prepared (file created on first write) connection_id=94d8f206-633a-4e65-a7e9-3095b9edd438 path=G:\ShellStation\logs\ALS-VT02CI29-1__DHCPd__44-09_210426.log
2026-04-21T07:44:27.133727Z  INFO shellstation_lib::ssh: Connecting via SSH session_id=94d8f206-633a-4e65-a7e9-3095b9edd438 host=yyy.yyy.yyy.yyy port=22 hops=1 legacy_algorithms=true
2026-04-21T07:44:27.133732Z DEBUG shellstation_lib::ssh: Starting jump host chain session_id="94d8f206-633a-4e65-a7e9-3095b9edd438" hops=1
2026-04-21T07:44:27.133747Z DEBUG shellstation_lib::ssh: SSH algorithm proposal legacy=true kex=mlkem768x25519-sha256, curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group-exchange-sha256, diffie-hellman-group18-sha512, diffie-hellman-group17-sha512, diffie-hellman-group16-sha512, diffie-hellman-group15-sha512, diffie-hellman-group14-sha256, ext-info-c, ext-info-s, kex-strict-c-v00@openssh.com, kex-strict-s-v00@openssh.com, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1 key=ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, rsa-sha2-512, rsa-sha2-256, ssh-rsa cipher=chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr, aes256-cbc, aes192-cbc, aes128-cbc, 3des-cbc mac=hmac-sha2-512-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512, hmac-sha2-256, hmac-sha1-etm@openssh.com, hmac-sha1 compression=none, zlib, zlib@openssh.com
2026-04-21T07:44:27.156203Z DEBUG shellstation_lib::ssh: Server offered host key session_id=94d8f206-633a-4e65-a7e9-3095b9edd438-hop0 host=xxx.xxx.xxx.xxx port=22 key_type="ssh-ed25519" fingerprint=SHA256:Lar3VdceXLZu6SEt4k9H76c+OCYZXsqQwT4inxzd9ng
2026-04-21T07:44:27.157866Z DEBUG shellstation_lib::ssh: First hop connected session_id="94d8f206-633a-4e65-a7e9-3095b9edd438" hop=0 host=xxx.xxx.xxx.xxx
2026-04-21T07:44:27.157873Z DEBUG shellstation_lib::ssh: Authenticating SSH session session_id=94d8f206-633a-4e65-a7e9-3095b9edd438-hop0 auth_method=password
2026-04-21T07:44:27.157877Z DEBUG shellstation_lib::ssh: Attempting password authentication session_id=94d8f206-633a-4e65-a7e9-3095b9edd438-hop0 user=jump-user
2026-04-21T07:44:27.178504Z DEBUG shellstation_lib::ssh: Password auth result session_id=94d8f206-633a-4e65-a7e9-3095b9edd438-hop0 success=true
2026-04-21T07:44:27.178517Z  INFO shellstation_lib::ssh: Jump host authenticated hop=0 host=xxx.xxx.xxx.xxx
2026-04-21T07:44:27.178522Z DEBUG shellstation_lib::ssh: Opening tunnel to final target session_id="94d8f206-633a-4e65-a7e9-3095b9edd438" host="yyy.yyy.yyy.yyy" port=22
2026-04-21T07:44:27.253859Z DEBUG shellstation_lib::ssh: SSH algorithm proposal legacy=true kex=mlkem768x25519-sha256, curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group-exchange-sha256, diffie-hellman-group18-sha512, diffie-hellman-group17-sha512, diffie-hellman-group16-sha512, diffie-hellman-group15-sha512, diffie-hellman-group14-sha256, ext-info-c, ext-info-s, kex-strict-c-v00@openssh.com, kex-strict-s-v00@openssh.com, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1 key=ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, rsa-sha2-512, rsa-sha2-256, ssh-rsa cipher=chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr, aes256-cbc, aes192-cbc, aes128-cbc, 3des-cbc mac=hmac-sha2-512-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512, hmac-sha2-256, hmac-sha1-etm@openssh.com, hmac-sha1 compression=none, zlib, zlib@openssh.com
2026-04-21T07:44:27.363114Z ERROR shellstation_lib::ssh: SSH target handshake through tunnel failed host=yyy.yyy.yyy.yyy port=22 error=early eof error_debug=IO(Custom { kind: UnexpectedEof, error: "early eof" })
2026-04-21T07:44:27.363125Z DEBUG shellstation_lib::ssh: Sanitizing SSH error for user display raw_error=early eof
2026-04-21T07:44:27.363139Z  INFO shellstation_lib::session_logger: Session log closed (no data written, no file created) connection_id=94d8f206-633a-4e65-a7e9-3095b9edd438

In compare the log of a successful connection from the jumphost directly:

$ ssh -vv target-user@xxx.xxx.xxx.xxx OpenSSH_8.0p1, OpenSSL 1.1.1k FIPS 25 Mar 2021 debug1: Reading configuration data /home/jump-user/.ssh/config debug1: /home/jump-user/.ssh/config line 1: Applying options for * debug1: Reading configuration data /etc/ssh/ssh_config debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf debug2: checking match for 'final all' host xxx.xxx.xxx.xxx originally xxx.xxx.xxx.xxx debug2: match not found debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config debug1: configuration requests final Match pass debug2: resolve_canonicalize: hostname xxx.xxx.xxx.xxx is address debug1: re-parsing configuration debug1: Reading configuration data /home/jump-user/.ssh/config debug1: /home/jump-user/.ssh/config line 1: Applying options for * debug1: Reading configuration data /etc/ssh/ssh_config debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf debug2: checking match for 'final all' host xxx.xxx.xxx.xxx originally xxx.xxx.xxx.xxx debug2: match found debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config debug2: ssh_connect_direct debug1: Connecting to xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx] port 22. debug1: Connection established. debug1: identity file /home/jump-user/.ssh/id_rsa type 0 debug1: identity file /home/jump-user/.ssh/id_rsa-cert type -1 debug1: identity file /home/jump-user/.ssh/id_dsa type -1 debug1: identity file /home/jump-user/.ssh/id_dsa-cert type -1 debug1: identity file /home/jump-user/.ssh/id_ecdsa type -1 debug1: identity file /home/jump-user/.ssh/id_ecdsa-cert type -1 debug1: identity file /home/jump-user/.ssh/id_ed25519 type -1 debug1: identity file /home/jump-user/.ssh/id_ed25519-cert type -1 debug1: identity file /home/jump-user/.ssh/id_xmss type -1 debug1: identity file /home/jump-user/.ssh/id_xmss-cert type -1 debug1: Local version string SSH-2.0-OpenSSH_8.0 debug1: Remote protocol version 1.99, remote software version Cisco-1.25 debug1: match: Cisco-1.25 pat Cisco-1.* compat 0x60000000 debug2: fd 3 setting O_NONBLOCK debug1: Authenticating to xxx.xxx.xxx.xxx:22 as 'target-user' debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: local client KEXINIT proposal debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c,kex-strict-c-v00@openssh.com debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,3des-cbc,aes256-cbc,aes128-cbc debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,3des-cbc,aes256-cbc,aes128-cbc debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 debug2: compression ctos: none,zlib@openssh.com,zlib debug2: compression stoc: none,zlib@openssh.com,zlib debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 debug2: reserved 0 debug2: peer server KEXINIT proposal debug2: KEX algorithms: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: host key algorithms: ssh-rsa debug2: ciphers ctos: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc debug2: ciphers stoc: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc debug2: MACs ctos: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96 debug2: MACs stoc: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96 debug2: compression ctos: none debug2: compression stoc: none debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 debug2: reserved 0 debug1: kex: algorithm: diffie-hellman-group14-sha1 debug1: kex: host key algorithm: ssh-rsa debug1: kex: server->client cipher: 3des-cbc MAC: hmac-sha1 compression: none debug1: kex: client->server cipher: 3des-cbc MAC: hmac-sha1 compression: none debug1: kex: diffie-hellman-group14-sha1 need=24 dh_need=20 debug1: kex: diffie-hellman-group14-sha1 need=24 dh_need=20 debug2: bits set: 1029/2048 debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug1: Server host key: ssh-rsa SHA256:NRWFuD+oFwE1DwCKaWEgVFBBXfz1+RaIHr78hGVJqwk debug1: Host 'xxx.xxx.xxx.xxx' is known and matches the RSA host key. debug1: Found key in /home/jump-user/.ssh/known_hosts:59 debug2: bits set: 1041/2048 debug2: set_newkeys: mode 1 debug1: rekey out after 134217728 blocks debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug2: set_newkeys: mode 0 debug1: rekey in after 134217728 blocks debug1: Will attempt key: /home/jump-user/.ssh/id_rsa RSA SHA256:rnOD90OLjHDZDa+L0UJpdR9KEZBypsH9P16BMvX9BGg debug1: Will attempt key: /home/jump-user/.ssh/id_dsa debug1: Will attempt key: /home/jump-user/.ssh/id_ecdsa debug1: Will attempt key: /home/jump-user/.ssh/id_ed25519 debug1: Will attempt key: /home/jump-user/.ssh/id_xmss debug2: pubkey_prepare: done debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey,keyboard-interactive,password debug1: Next authentication method: publickey debug1: Offering public key: /home/jump-user/.ssh/id_rsa RSA SHA256:rnOD90OLjHDZDa+L0UJpdR9KEZBypsH9P16BMvX9BGg debug2: we sent a publickey packet, wait for reply debug1: Authentications that can continue: publickey,keyboard-interactive,password debug1: Trying private key: /home/jump-user/.ssh/id_dsa debug1: Trying private key: /home/jump-user/.ssh/id_ecdsa debug1: Trying private key: /home/jump-user/.ssh/id_ed25519 debug1: Trying private key: /home/jump-user/.ssh/id_xmss debug2: we did not send a packet, disable method debug1: Next authentication method: keyboard-interactive debug2: userauth_kbdint debug2: we sent a keyboard-interactive packet, wait for reply debug2: input_userauth_info_req debug2: input_userauth_info_req: num_prompts 1 Password: debug1: Authentication succeeded (keyboard-interactive). Authenticated to xxx.xxx.xxx.xxx ([xxx.xxx.xxx.xxx]:22). debug1: channel 0: new [client-session] debug2: channel 0: send open debug1: Entering interactive session. debug1: pledge: network debug2: channel_input_open_confirmation: channel 0: callback start debug2: fd 3 setting TCP_NODELAY debug2: client_session2_setup: id 0 debug2: channel 0: request pty-req confirm 1 debug1: Sending environment. debug1: Sending env LANG = en_US.UTF-8 debug2: channel 0: request env confirm 0 debug2: channel 0: request shell confirm 1 debug2: channel_input_open_confirmation: channel 0: callback done debug2: channel 0: open confirm rwindow 8192 rmax 4096 debug2: channel_input_status_confirm: type 99 id 0 debug2: PTY allocation request accepted on channel 0 debug2: channel_input_status_confirm: type 99 id 0 debug2: shell request accepted on channel 0

The connection still fails: ``` 2026-04-21T07:44:27.115624Z DEBUG shellstation_lib::commands::session: Resolving credential profile for session session=12410fcd-5be2-47f2-84fd-75c9aaf15e85 profile_id=6ddb3722-59a7-41a5-bead-6118603277a2 2026-04-21T07:44:27.116134Z DEBUG shellstation_lib::commands::session: Credential profile resolved session=12410fcd-5be2-47f2-84fd-75c9aaf15e85 auth_type=password user=target-user 2026-04-21T07:44:27.116954Z DEBUG shellstation_lib::commands::session: Resolving jump hop hop=0 jump_id=a77665c5-7434-45b4-8079-895f6f7149ce host=xxx.xxx.xxx.xxx port=22 2026-04-21T07:44:27.117489Z DEBUG shellstation_lib::commands::session: Jump chain resolved total_hops=1 2026-04-21T07:44:27.133712Z INFO shellstation_lib::session_logger: Session log prepared (file created on first write) connection_id=94d8f206-633a-4e65-a7e9-3095b9edd438 path=G:\ShellStation\logs\ALS-VT02CI29-1__DHCPd__44-09_210426.log 2026-04-21T07:44:27.133727Z INFO shellstation_lib::ssh: Connecting via SSH session_id=94d8f206-633a-4e65-a7e9-3095b9edd438 host=yyy.yyy.yyy.yyy port=22 hops=1 legacy_algorithms=true 2026-04-21T07:44:27.133732Z DEBUG shellstation_lib::ssh: Starting jump host chain session_id="94d8f206-633a-4e65-a7e9-3095b9edd438" hops=1 2026-04-21T07:44:27.133747Z DEBUG shellstation_lib::ssh: SSH algorithm proposal legacy=true kex=mlkem768x25519-sha256, curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group-exchange-sha256, diffie-hellman-group18-sha512, diffie-hellman-group17-sha512, diffie-hellman-group16-sha512, diffie-hellman-group15-sha512, diffie-hellman-group14-sha256, ext-info-c, ext-info-s, kex-strict-c-v00@openssh.com, kex-strict-s-v00@openssh.com, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1 key=ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, rsa-sha2-512, rsa-sha2-256, ssh-rsa cipher=chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr, aes256-cbc, aes192-cbc, aes128-cbc, 3des-cbc mac=hmac-sha2-512-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512, hmac-sha2-256, hmac-sha1-etm@openssh.com, hmac-sha1 compression=none, zlib, zlib@openssh.com 2026-04-21T07:44:27.156203Z DEBUG shellstation_lib::ssh: Server offered host key session_id=94d8f206-633a-4e65-a7e9-3095b9edd438-hop0 host=xxx.xxx.xxx.xxx port=22 key_type="ssh-ed25519" fingerprint=SHA256:Lar3VdceXLZu6SEt4k9H76c+OCYZXsqQwT4inxzd9ng 2026-04-21T07:44:27.157866Z DEBUG shellstation_lib::ssh: First hop connected session_id="94d8f206-633a-4e65-a7e9-3095b9edd438" hop=0 host=xxx.xxx.xxx.xxx 2026-04-21T07:44:27.157873Z DEBUG shellstation_lib::ssh: Authenticating SSH session session_id=94d8f206-633a-4e65-a7e9-3095b9edd438-hop0 auth_method=password 2026-04-21T07:44:27.157877Z DEBUG shellstation_lib::ssh: Attempting password authentication session_id=94d8f206-633a-4e65-a7e9-3095b9edd438-hop0 user=jump-user 2026-04-21T07:44:27.178504Z DEBUG shellstation_lib::ssh: Password auth result session_id=94d8f206-633a-4e65-a7e9-3095b9edd438-hop0 success=true 2026-04-21T07:44:27.178517Z INFO shellstation_lib::ssh: Jump host authenticated hop=0 host=xxx.xxx.xxx.xxx 2026-04-21T07:44:27.178522Z DEBUG shellstation_lib::ssh: Opening tunnel to final target session_id="94d8f206-633a-4e65-a7e9-3095b9edd438" host="yyy.yyy.yyy.yyy" port=22 2026-04-21T07:44:27.253859Z DEBUG shellstation_lib::ssh: SSH algorithm proposal legacy=true kex=mlkem768x25519-sha256, curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group-exchange-sha256, diffie-hellman-group18-sha512, diffie-hellman-group17-sha512, diffie-hellman-group16-sha512, diffie-hellman-group15-sha512, diffie-hellman-group14-sha256, ext-info-c, ext-info-s, kex-strict-c-v00@openssh.com, kex-strict-s-v00@openssh.com, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1 key=ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, rsa-sha2-512, rsa-sha2-256, ssh-rsa cipher=chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr, aes256-cbc, aes192-cbc, aes128-cbc, 3des-cbc mac=hmac-sha2-512-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512, hmac-sha2-256, hmac-sha1-etm@openssh.com, hmac-sha1 compression=none, zlib, zlib@openssh.com 2026-04-21T07:44:27.363114Z ERROR shellstation_lib::ssh: SSH target handshake through tunnel failed host=yyy.yyy.yyy.yyy port=22 error=early eof error_debug=IO(Custom { kind: UnexpectedEof, error: "early eof" }) 2026-04-21T07:44:27.363125Z DEBUG shellstation_lib::ssh: Sanitizing SSH error for user display raw_error=early eof 2026-04-21T07:44:27.363139Z INFO shellstation_lib::session_logger: Session log closed (no data written, no file created) connection_id=94d8f206-633a-4e65-a7e9-3095b9edd438 ``` In compare the log of a successful connection from the jumphost directly: `$ ssh -vv target-user@xxx.xxx.xxx.xxx OpenSSH_8.0p1, OpenSSL 1.1.1k FIPS 25 Mar 2021 debug1: Reading configuration data /home/jump-user/.ssh/config debug1: /home/jump-user/.ssh/config line 1: Applying options for * debug1: Reading configuration data /etc/ssh/ssh_config debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf debug2: checking match for 'final all' host xxx.xxx.xxx.xxx originally xxx.xxx.xxx.xxx debug2: match not found debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config debug1: configuration requests final Match pass debug2: resolve_canonicalize: hostname xxx.xxx.xxx.xxx is address debug1: re-parsing configuration debug1: Reading configuration data /home/jump-user/.ssh/config debug1: /home/jump-user/.ssh/config line 1: Applying options for * debug1: Reading configuration data /etc/ssh/ssh_config debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf debug2: checking match for 'final all' host xxx.xxx.xxx.xxx originally xxx.xxx.xxx.xxx debug2: match found debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config debug2: ssh_connect_direct debug1: Connecting to xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx] port 22. debug1: Connection established. debug1: identity file /home/jump-user/.ssh/id_rsa type 0 debug1: identity file /home/jump-user/.ssh/id_rsa-cert type -1 debug1: identity file /home/jump-user/.ssh/id_dsa type -1 debug1: identity file /home/jump-user/.ssh/id_dsa-cert type -1 debug1: identity file /home/jump-user/.ssh/id_ecdsa type -1 debug1: identity file /home/jump-user/.ssh/id_ecdsa-cert type -1 debug1: identity file /home/jump-user/.ssh/id_ed25519 type -1 debug1: identity file /home/jump-user/.ssh/id_ed25519-cert type -1 debug1: identity file /home/jump-user/.ssh/id_xmss type -1 debug1: identity file /home/jump-user/.ssh/id_xmss-cert type -1 debug1: Local version string SSH-2.0-OpenSSH_8.0 debug1: Remote protocol version 1.99, remote software version Cisco-1.25 debug1: match: Cisco-1.25 pat Cisco-1.* compat 0x60000000 debug2: fd 3 setting O_NONBLOCK debug1: Authenticating to xxx.xxx.xxx.xxx:22 as 'target-user' debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: local client KEXINIT proposal debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c,kex-strict-c-v00@openssh.com debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,3des-cbc,aes256-cbc,aes128-cbc debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,3des-cbc,aes256-cbc,aes128-cbc debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 debug2: compression ctos: none,zlib@openssh.com,zlib debug2: compression stoc: none,zlib@openssh.com,zlib debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 debug2: reserved 0 debug2: peer server KEXINIT proposal debug2: KEX algorithms: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: host key algorithms: ssh-rsa debug2: ciphers ctos: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc debug2: ciphers stoc: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc debug2: MACs ctos: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96 debug2: MACs stoc: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96 debug2: compression ctos: none debug2: compression stoc: none debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 debug2: reserved 0 debug1: kex: algorithm: diffie-hellman-group14-sha1 debug1: kex: host key algorithm: ssh-rsa debug1: kex: server->client cipher: 3des-cbc MAC: hmac-sha1 compression: none debug1: kex: client->server cipher: 3des-cbc MAC: hmac-sha1 compression: none debug1: kex: diffie-hellman-group14-sha1 need=24 dh_need=20 debug1: kex: diffie-hellman-group14-sha1 need=24 dh_need=20 debug2: bits set: 1029/2048 debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug1: Server host key: ssh-rsa SHA256:NRWFuD+oFwE1DwCKaWEgVFBBXfz1+RaIHr78hGVJqwk debug1: Host 'xxx.xxx.xxx.xxx' is known and matches the RSA host key. debug1: Found key in /home/jump-user/.ssh/known_hosts:59 debug2: bits set: 1041/2048 debug2: set_newkeys: mode 1 debug1: rekey out after 134217728 blocks debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug2: set_newkeys: mode 0 debug1: rekey in after 134217728 blocks debug1: Will attempt key: /home/jump-user/.ssh/id_rsa RSA SHA256:rnOD90OLjHDZDa+L0UJpdR9KEZBypsH9P16BMvX9BGg debug1: Will attempt key: /home/jump-user/.ssh/id_dsa debug1: Will attempt key: /home/jump-user/.ssh/id_ecdsa debug1: Will attempt key: /home/jump-user/.ssh/id_ed25519 debug1: Will attempt key: /home/jump-user/.ssh/id_xmss debug2: pubkey_prepare: done debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey,keyboard-interactive,password debug1: Next authentication method: publickey debug1: Offering public key: /home/jump-user/.ssh/id_rsa RSA SHA256:rnOD90OLjHDZDa+L0UJpdR9KEZBypsH9P16BMvX9BGg debug2: we sent a publickey packet, wait for reply debug1: Authentications that can continue: publickey,keyboard-interactive,password debug1: Trying private key: /home/jump-user/.ssh/id_dsa debug1: Trying private key: /home/jump-user/.ssh/id_ecdsa debug1: Trying private key: /home/jump-user/.ssh/id_ed25519 debug1: Trying private key: /home/jump-user/.ssh/id_xmss debug2: we did not send a packet, disable method debug1: Next authentication method: keyboard-interactive debug2: userauth_kbdint debug2: we sent a keyboard-interactive packet, wait for reply debug2: input_userauth_info_req debug2: input_userauth_info_req: num_prompts 1 Password: debug1: Authentication succeeded (keyboard-interactive). Authenticated to xxx.xxx.xxx.xxx ([xxx.xxx.xxx.xxx]:22). debug1: channel 0: new [client-session] debug2: channel 0: send open debug1: Entering interactive session. debug1: pledge: network debug2: channel_input_open_confirmation: channel 0: callback start debug2: fd 3 setting TCP_NODELAY debug2: client_session2_setup: id 0 debug2: channel 0: request pty-req confirm 1 debug1: Sending environment. debug1: Sending env LANG = en_US.UTF-8 debug2: channel 0: request env confirm 0 debug2: channel 0: request shell confirm 1 debug2: channel_input_open_confirmation: channel 0: callback done debug2: channel 0: open confirm rwindow 8192 rmax 4096 debug2: channel_input_status_confirm: type 99 id 0 debug2: PTY allocation request accepted on channel 0 debug2: channel_input_status_confirm: type 99 id 0 debug2: shell request accepted on channel 0`
tux commented 2026-04-21 20:11:00 +02:00
Author
Owner
Copy link

Addressed in #12d3c6a

Addressed in #12d3c6a
tux commented 2026-04-21 22:05:50 +02:00
Author
Owner
Copy link

Resolved in release 0.10.1

Resolved in release [0.10.1](https://git.fiedler.live/tux/shellstation/releases/tag/v0.10.0)
tux closed this issue 2026-04-21 22:05:50 +02:00
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
v0.12.0
v0.11.4
v0.11.3
v0.11.2
v0.11.1
v0.11.0
v0.10.2
v0.10.1
v0.10.0
v0.9.4
v0.9.3
v0.9.2
v0.9.1
v0.9.0
Labels
Clear labels   
bug

Something is not working

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
help wanted

Need some help

  
invalid

Something is wrong

  
question

More information is needed

  
wontfix

This won't be fixed

No labels
bug
duplicate
enhancement
help wanted
invalid
question
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
tux/shellstation#10
No description provided.