SSH: unable to connect to ssh server using kex algorithm diffie-hellman-group1-sha1

[Clem-Fern]

Version: nightly (since 2f1c388, electron version update to 25.x.x) (since 555d3c8, ssh2 version update to 1.14.0)
Platform: tested on Windows, Linux
Plugins: none

Describe the problem:
Since this commit 2f1c388 (electron version update to 25.x.x) 555d3c8 (ssh2 version update to 1.14.0), I'm not able to connect to Cisco device using kex algorithm diffie-hellman-group1-sha1.

 SSH  Connecting to x.x.x.x
 SSH   !  Agent auth selected, but no running agent is detected
 X  Unknown DH group

No error in Tabby's log.
Logs I collected on Cisco side:

2986948: Aug 16 11:56:58.211: SSH1: starting SSH control process
2986949: Aug 16 11:56:58.211: SSH1: sent protocol version id SSH-2.0-Cisco-1.25
2986950: Aug 16 11:56:58.216: SSH1: protocol version id is - SSH-2.0-ssh2js1.14.0
2986951: Aug 16 11:56:58.216: SSH2 1: kexinit sent: encryption algo = aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
2986952: Aug 16 11:56:58.216: SSH2 1: kexinit sent: mac algo = hmac-sha1,hmac-sha1-96
2986953: Aug 16 11:56:58.216: SSH2 1: send:packet of  length 368 (length also includes padlen of 5)
2986954: Aug 16 11:56:58.217: SSH2 1: SSH2_MSG_KEXINIT sent
2986955: Aug 16 11:56:58.220: SSH2 1: ssh_receive: 536 bytes received
2986956: Aug 16 11:56:58.220: SSH2 1: input: total packet length of 1344 bytes
2986957: Aug 16 11:56:58.220: SSH2 1: partial packet length(block size)8 bytes,needed 1336 bytes,maclen 0
2986958: Aug 16 11:56:58.220: SSH2 1: ssh_receive: 536 bytes received
2986959: Aug 16 11:56:58.220: SSH2 1: partial packet length(block size)8 bytes,needed 1336 bytes,maclen 0
2986960: Aug 16 11:56:58.220: SSH2 1: ssh_receive: 272 bytes received
2986961: Aug 16 11:56:58.220: SSH2 1: partial packet length(block size)8 bytes,needed 1336 bytes, maclen 0
2986962: Aug 16 11:56:58.220: SSH2 1: input: padlength 11 bytes
2986963: Aug 16 11:56:58.220: SSH2 1: SSH2_MSG_KEXINIT received
2986964: Aug 16 11:56:58.220: SSH2 1: kex: client->server enc:3des-cbc mac:hmac-sha1
2986965: Aug 16 11:56:58.220: SSH2 1: kex: server->client enc:3des-cbc mac:hmac-sha1
2986966: Aug 16 11:56:58.220: SSH2 1: Using kex_algo = diffie-hellman-group1-sha1
2986967: Aug 16 11:56:58.228: SSH2 1: expecting SSH2_MSG_KEXDH_INIT
2986968: Aug 16 11:56:58.244: SSH2 1: SSH ERROR closing the connection
2986969: Aug 16 11:56:58.244: SSH2 1: send:packet of  length 72 (length also includes padlen of 7)
2986970: Aug 16 11:56:58.245: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection from x.x.x.x
2986971: Aug 16 11:56:58.341: SSH1: Session disconnected - error 0x00

To Reproduce:

1. Setup a Cisco switch/router which offer diffie-hellman-group1-sha1 kex algorithm (tested on Cisco IOS 12.2(55)SE10 & IOS-XE 03.06.05.E version)
2. Try to connect to the device with tabby
3. You should notice the error sent above

I didn't have the time to test connection with diffie-hellman-group1-sha1 kex on other ssh server than Cisco yet. I also take a quick view on ssh2 issues but didn't found any which could be related to this problem. I will try to do more tests and collect more info in the next few days.

[Clem-Fern]

Just tested with SSH-2.0-OpenSSH_9.3p2 Debian-1, same problem.

To Reproduce:

1. Add new line KexAlgorithms diffie-hellman-group1-sha1 to your /etc/ssh/sshd_config file
2. Try to connect to the server with Tabby (with diffie-hellman-group1-sha1 in Profile > Ciphers > Key exchange of course)
3. Receving : X Unknown DH group

Sadly, it seems to be a Tabby issue. I tried to connect to my openssh server with the snippet bellow in a freshly created node project and I didn't encountered any error:

const { Client } = require('ssh2');
const { createDiffieHellmanGroup } = require('crypto')

const algo = {
    kex: ['diffie-hellman-group1-sha1'],
}

try {
    createDiffieHellmanGroup('modp2');
    console.log('DH modp2 OK')
} catch (error) {
    console.log('DH modp2 NOK')
    console.log(error)
}
//console: DH modp2 OK

const conn = new Client();
conn.on('ready', () => {
    console.log('Client :: ready');
    conn.exec('uptime', (err, stream) => {
        if (err) throw err;
        stream.on('close', (code, signal) => {
            console.log('Stream :: close :: code: ' + code + ', signal: ' + signal);
            conn.end();
        }).on('data', (data) => {
            console.log('STDOUT: ' + data);
        }).stderr.on('data', (data) => {
            console.log('STDERR: ' + data);
        });
    });
}).connect({
    host: 'localhost',
    port: 22,
    username: 'clem',
    password: 'clem',
    algorithms: algo,
    debug(information) {
        console.debug(information)
    },
});

If I understand well, this error is returned by the function createDiffieHellmanGroup from the crypto module. This function is called by ssh2 on client key exchange with the group name modp2 (group name corresponding to diffie-hellman-group1-sha1). I was thinking about some deprecated key algo in my node version. But all my tests were done with node v18.17.1 and we can see that modp2 group does exist:

https://github.com/nodejs/node/blob/2e414d5d1082233c3516fca923fe351d5186c80e/src/crypto/crypto_dh.cc#L217-L252

[Clem-Fern]

I apologize, I was clearly inexact about the faulty commit...
This problem is caused by updating electron version in 2f1c388. It has in fact nothing to do with ssh2.

With the PR #8707, electron version was updated from the major release 22.x.x to 25.x.x. The node version used by electron was bumped from node v16 to v18 between these two electron releases (cf. electron-timelines)

In node v18, a part of the crypto DH module was rewrite to now use MODP groups from OpenSSL helper functions instead of getting them from a header file in the crypto module itself (cf. nodejs/node#43896).
As electron uses BoringSSL and BoringSSL does not give helper functions for modp1/modp2, electron provides a patch which, among other things, removes the reference to theses groups from the crypto module. (cf. corresponding patch file, electron chore: upgrade to Node.js v18 electron/electron#35999)

@@ -219,8 +214,10 @@ typedef BignumPointer (*StandardizedGroupInstantiator)();
 inline StandardizedGroupInstantiator FindDiffieHellmanGroup(const char* name) {
 #define V(n, p)                                                                \
   if (StringEqualNoCase(name, n)) return InstantiateStandardizedGroup<p>
+#ifndef OPENSSL_IS_BORINGSSL
   V("modp1", BN_get_rfc2409_prime_768);
   V("modp2", BN_get_rfc2409_prime_1024); // -> modp2 used by diffie-hellman-group1-sha1
+#endif
   V("modp5", BN_get_rfc3526_prime_1536);
   V("modp14", BN_get_rfc3526_prime_2048);
   V("modp15", BN_get_rfc3526_prime_3072);

What I describe above is the only thing I found which could explain the encountered problem with diffie-hellman-group1-sha1 on tabby. I tried to add as much information as possible but this is a bit out of my league, hope I'm not wrong ^^'

[Eugeny]

Dang, this looks really bad for switch admins. I don't see any way to work around this without switching the ssh implementation :(

[Clem-Fern]

Could it be possible to build Tabby against a custom electron repo?
Theoretically, we could add the BN_get_rfc2409_prime_1024 constant directly in the electron patch. Based on the commit history, this part concerned in this patch does not seem to change a lot except on node major release change.

It's really not the greatest solution, but it could be a mid-term work around to give a bit more of time to think about a definitive solution.

[Eugeny]

Getting an own electron fork going and working with electron-builder would be hell, but I've at least filed a ticket with a possible solution: electron/electron#39603

[Clem-Fern]

Oh great ! Thank's :D
I hope that electron team will be receptive about this

[Clem-Fern]

Arf.... I just saw electron answer :/

[Clem-Fern]

Thank you so much, this issue was really a hard blow and an absolute nightmare for me <3