Ssh connection php


Hello!
It’s probably off-topic, but I’m not sure if it’s an error from NethServer that has a known fix 🙂

I’m trying to connect to nethserver via ssh in php code.
I can connect via terminal but via the .php I cannot make it work, since the server does not accept the encryption methods used by default (I’m assuming).

Looking at the status of sshd for a working connection via terminal, it says:
pam_listfile(sshd:auth): Refused user *me* for service sshd
But it also says Accepted keyboard-interactive/pam for *me*, so I’m able to use the session and run commands in the terminal.
(I’m not sure if it is normal or is the reason that php fails)

When using the PHP code to connect, the error is, for example:
Unable to negotiate with 172.20.1.1 port 58666: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
I already tried to change these methods, but it is always refused.

If you wish to see the php, it’s basically the same as the answer from Steve Kamerman.

Thanks for anyone that reads!

Have a great day,
Joel

Hi Joel,

I see the answer from the link above is 10 years old. As the client returns a negotiation error, I’d suggest tuning the PHP SSH connection parameters on the client side.

Alternatively, if you want to make an attempt by changing the server config, try enabling sshd weak ciphers from the System > SSH page: Base system — NethServer 7 Final

Sorry I wasn’t clear,
I changed the methods to the ones output by ssh me@my-nethserver -vv, which gave:

debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
debug2: host key algorithms: ssh-ed25519
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
debug2: MACs ctos: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
debug2: MACs stoc: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY

which changes the $methods array in the code to one of the below:

$methods = [
    'kex' => 'curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c',
    'hostkey' => 'ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa',
    'client_to_server' => [
        'crypt' => 'chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com',
        'comp' => 'none'
    ],
    'server_to_client' => [
        'crypt' => 'chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com',
        'comp' => 'none'
    ]
];

Which fails, giving the error in PHP:
ssh2_connect(): Error starting up SSH connection(-5): Unable to exchange encryption keys
and in the sshd service status:
no matching key exchange method found. Their offer: curve25519-sha256@ecdh-sha2-necdh-shaecdh-sha2-ndiffie-hdiffie-hellman-group16-sha512ddiffie-hellman-group14-sha256 [preauth]

$methods = [
    'kex' => 'curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512',
    'hostkey' => 'ssh-ed25519',
    'client_to_server' => [
      'crypt' => 'aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com',
      'comp' => 'none'
    ],
    'server_to_client' => [
      'crypt' => 'aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com',
      'comp' => 'none'
    ]
];

Gives the error: ssh2_connect(): Failed overriding HOSTKEY method

$methods = [
    'kex' => 'curve25519-sha256',
    'hostkey' => 'ssh-ed25519',
    'client_to_server' => [
        'crypt' => 'chacha20-poly1305@openssh.com',
        'comp' => 'none'
    ],
    'server_to_client' => [
        'crypt' => 'chacha20-poly1305@openssh.com',
        'comp' => 'none'
    ]
];

Gives the errors:

ssh2_connect(): Failed overriding KEX method
ssh2_connect(): Failed overriding HOSTKEY method
ssh2_connect(): Failed overriding client to server CRYPT method
ssh2_connect(): Failed overriding server to client CRYPT method

Am I doing something wrong? I assumed that the first one should work.

Is the client running on NethServer itself?

The client side might be lacking some ciphers: check the library versions PHP: Requirements - Manual

I enabled connections to ssh from OVPN, and I am testing locally. The server isn’t in production yet.
I am able to connect via terminal so all should be working, right?

libssh2 version is 1.8.0, which is higher than the required version.
openssl is OpenSSL 1.1.1f 31 Mar 2020.
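The thread above gives both sides of the failed negotiation: the key exchange list sshd logged for the PHP client ("Their offer") and the list the server advertises in its own KEXINIT (the peer proposal in the -vv output). The script below is an added example, not code from any of the posts, from the linked Stack Overflow answer, or from NethServer. Its first half intersects two algorithm name-lists the way the SSH transport does, so the two offers from the thread can be compared directly: the four Diffie-Hellman methods libssh2 1.8.0 offers have nothing in common with the server's list, while the terminal's OpenSSH client does overlap. libssh2 added curve25519/ECDH key exchange and ssh-ed25519 host keys in release 1.9.0, and the "ssh2_connect(): Failed overriding ... method" warning is what the extension emits when the installed libssh2 implements none of the names in that category, which is why every override that named only curve25519-sha256, ssh-ed25519 or chacha20-poly1305 failed on 1.8.0. The second half connects with a methods array restricted to what the server advertised, checks the host key fingerprint against a pinned value before sending any credential, and authenticates with a key pair rather than a password. Host, port, user, key paths and the fingerprint are placeholders, and which of the listed ciphers and MACs a given libssh2 build supports is not asserted here (check `php -i | grep -i libssh2`).

```php
<?php
declare(strict_types=1);

// Added example for this thread; not code from the original posts or from
// NethServer. Host, port, user, key paths and the fingerprint are placeholders.

/**
 * Intersect two comma-separated SSH algorithm name-lists, keeping the client's
 * order: per RFC 4253 the first client-preferred name the server also lists is
 * the one negotiated. An empty result is the "no matching key exchange method
 * found" condition from the sshd log.
 */
function commonMethods(string $clientOffer, string $serverOffer): array
{
    $client = array_filter(array_map('trim', explode(',', $clientOffer)));
    $server = array_filter(array_map('trim', explode(',', $serverOffer)));
    return array_values(array_intersect($client, $server));
}

// Name-lists copied from the thread: what sshd logged as the PHP client's offer,
// the server's own KEXINIT, and the terminal OpenSSH client's proposal
// (ext-info-c is an extension marker, not a kex method; the server never lists
// it, so the intersection drops it).
const LIBSSH2_180_KEX = 'diffie-hellman-group-exchange-sha256,'
    . 'diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,'
    . 'diffie-hellman-group1-sha1';
const SERVER_KEX = 'curve25519-sha256,curve25519-sha256@libssh.org,'
    . 'diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,'
    . 'diffie-hellman-group18-sha512';
const OPENSSH_CLIENT_KEX = 'curve25519-sha256,curve25519-sha256@libssh.org,'
    . 'ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,'
    . 'diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,'
    . 'diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c';

// Only names the server advertised. Any entry the installed libssh2 does not
// implement produces "ssh2_connect(): Failed overriding ... method" and that
// category silently falls back to libssh2's defaults.
const PINNED_METHODS = [
    'kex'     => 'curve25519-sha256,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256',
    'hostkey' => 'ssh-ed25519',
    'client_to_server' => [
        'crypt' => 'aes256-gcm@openssh.com,aes256-ctr',
        'mac'   => 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com',
        'comp'  => 'none',
    ],
    'server_to_client' => [
        'crypt' => 'aes256-gcm@openssh.com,aes256-ctr',
        'mac'   => 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com',
        'comp'  => 'none',
    ],
];

/**
 * Connect, verify the host key against a pinned SHA-1 fingerprint before any
 * credential is sent, then authenticate with a key pair. The ssh2 extension
 * exposes MD5/SHA-1 hashes of the host key blob; on the server the matching
 * hex value is:
 *   awk '{print $2}' /etc/ssh/ssh_host_ed25519_key.pub | base64 -d | sha1sum
 */
function connectPinned(string $host, int $port, string $user, string $pubKeyFile,
                       string $privKeyFile, string $expectedSha1Hex,
                       array $methods = PINNED_METHODS)
{
    $session = ssh2_connect($host, $port, $methods);
    if ($session === false) {
        throw new RuntimeException("ssh2_connect($host:$port) failed: no usable kex/hostkey overlap");
    }
    $fpr = ssh2_fingerprint($session, SSH2_FINGERPRINT_SHA1 | SSH2_FINGERPRINT_HEX);
    if (!hash_equals(strtoupper($expectedSha1Hex), strtoupper($fpr))) {
        ssh2_disconnect($session);
        throw new RuntimeException("host key mismatch for $host: got $fpr");
    }
    if (!ssh2_auth_pubkey_file($session, $user, $pubKeyFile, $privKeyFile)) {
        ssh2_disconnect($session);
        throw new RuntimeException("public key authentication failed for $user@$host");
    }
    return $session;
}

/** Run one command. $command reaches the remote shell: never splice untrusted input into it. */
function runCommand($session, string $command): string
{
    $stream = ssh2_exec($session, $command);
    if ($stream === false) {
        throw new RuntimeException('ssh2_exec failed');
    }
    stream_set_blocking($stream, true);
    $out = stream_get_contents($stream);
    fclose($stream);
    return $out;
}

if (PHP_SAPI === 'cli' && realpath($argv[0]) === __FILE__) {
    // Diagnosis: why the terminal works and the 1.8.0-based PHP client does not.
    $old = commonMethods(LIBSSH2_180_KEX, SERVER_KEX);
    $new = commonMethods(OPENSSH_CLIENT_KEX, SERVER_KEX);
    echo 'libssh2 1.8.0 vs server: ', $old ? implode(',', $old) : '(none)', PHP_EOL;
    echo 'OpenSSH client vs server: ', implode(',', $new), PHP_EOL;

    // The connection itself (placeholder values; needs a libssh2 that implements
    // curve25519-sha256 and ssh-ed25519, i.e. 1.9.0 or newer).
    $session = connectPinned('172.20.1.1', 22, 'me',
        '/etc/myapp/id_ed25519.pub', '/etc/myapp/id_ed25519',
        'REPLACE_WITH_SERVER_SHA1_HEX');
    print_r(ssh2_methods_negotiated($session)); // what was actually agreed
    echo runCommand($session, 'uptime');
    ssh2_disconnect($session);
}
```

Running the diagnosis part alone prints "(none)" for the libssh2 1.8.0 line and "curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256" for the OpenSSH line, which is the whole reason one client connects and the other does not. Enabling weak ciphers on the server, as suggested earlier in the thread, would make sshd accept the SHA-1 Diffie-Hellman methods again; upgrading libssh2 keeps the server's current policy intact, and the fingerprint pin above makes the PHP client refuse a substituted host even when the negotiation itself succeeds.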