Ask a Question

Key exchange issues / Negotiation failed with fortigate firewalls

0 votes
by (120 points)

Hi,

I am a user of the Royal TS software, it uses the Rebex lib for ssh connections. It is having an issue connecting to recent fortigate firewalls using the Rebex plugin, where the putty plugin does not.

I am not one of their Devs, but they suggested I raise this with you.

I was able to replicate the issue using the Rebex SshSimpleShell client from your latest download

C:\Program Files (x86)\Rebex Components 7.0.8816\samples\bin>SshSimpleShell.exe  firewall aatest aatest
----------------------------------------------------------
Rebex Simple Shell - executes commands on the remote host.
----------------------------------------------------------
Note: Don't start commands that require user interaction.


Exception occured: Rebex.Net.SshException: Negotiation failed. ---> Rebex.Net.SshException: Negotiation failed. ---> System.Security.Cryptography.CryptographicException: Key algorithm is not supported.
   at Rebex.Net.SshPublicKey.gqwre(Byte[] p0, AsymmetricKeyAlgorithm& p1, Certificate& p2)
   at Rebex.Net.SshPublicKey.divvr(Byte[] p0, Boolean p1)
   at Rebex.Net.SshPublicKey..ctor(Byte[] data)
   at aymjo.twzoe.mdkoc(Byte[] p0, Byte[] p1, Byte[] p2, SshPublicKey& p3)
   at aymjo.titvo.oeszi(SshSession p0, Byte[] p1, Byte[] p2, Byte[] p3, Byte[] p4, niwfh& p5, Byte[]& p6, SshPublicKey& p7)
   at Rebex.Net.SshSession.ltzha(Byte[] p0)
   --- End of inner exception stack trace ---
   at Rebex.Net.SshSession.ltzha(Byte[] p0)
   at Rebex.Net.SshSession.Negotiate()
   at Rebex.Net.Ssh.wrpur.auiqz(rwpaa p0, Boolean p1)
   at Rebex.Net.Ssh.xbjoa(String p0, Int32 p1, SshParameters p2, rwpaa p3)
   --- End of inner exception stack trace ---
   at Rebex.Net.Ssh.xbjoa(String p0, Int32 p1, SshParameters p2, rwpaa p3)
   at Rebex.Net.Ssh.ccolm(String p0, Int32 p1, SshParameters p2)
   at Rebex.Samples.SimpleShell.Main(String[] args)

C:\Program Files (x86)\Rebex Components 7.0.8816\samples\bin>

The fortigate firewall only seems to accept specific kex algos.

ssh-audit firewall
# general
(gen) banner: SSH-2.0-HffViQRqgmW_
(gen) compatibility: OpenSSH 7.2+, Dropbear SSH 2013.62+
(gen) compression: enabled (zlib@openssh.com)

# key exchange algorithms
(kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [info] available since OpenSSH 4.4
(kex) curve25519-sha256@libssh.org          -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
                                            `- [info] default key exchange since OpenSSH 6.4

# host-key algorithms
(key) rsa-sha2-512 (2048-bit)               -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
                                            `- [info] available since OpenSSH 7.2
(key) ssh-ed25519                           -- [info] available since OpenSSH 6.5

# encryption algorithms (ciphers)
(enc) aes256-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes256-gcm@openssh.com                -- [info] available since OpenSSH 6.2

# message authentication code algorithms
(mac) hmac-sha2-256                         -- [warn] using encrypt-and-MAC mode
                                            `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
(mac) hmac-sha2-256-etm@openssh.com         -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-512                         -- [warn] using encrypt-and-MAC mode
                                            `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
(mac) hmac-sha2-512-etm@openssh.com         -- [info] available since OpenSSH 6.2

The RTS software has the options in the GUI to specify the KEX algorithms to use.

In v6 of the software, if I disable all the Host Key algorithms except for ed25519, I can make a valid connection (I've asked them what rebex version thsy use here)

In v7 of the software, if I disable all the Host Key algorithms except for ed25519, I fail to make a connection

2024-02-27 12:36:14.931 INFO Ssh(105)[47] Info: Connecting to firewall:22 using Ssh.
2024-02-27 12:36:14.931 INFO Ssh(105)[47] Info: Assembly: Rebex.SshShell 7.0.8755 for .NET 8.0
2024-02-27 12:36:14.931 INFO Ssh(105)[47] Info: Platform: Windows 11 (Build 20348) 64-bit; CLR: .NET 8.0.0
2024-02-27 12:36:14.943 INFO Ssh(105)[47] SSH: Negotiation started.
2024-02-27 12:36:14.983 ERROR Ssh(105)[47] SSH: Negotiation failed. Key algorithm is not supported.
2024-02-27 12:36:14.983 ERROR Ssh(105)[47] Info: Rebex.Net.SshException: Negotiation failed.
 ---> System.Security.Cryptography.CryptographicException: Key algorithm is not supported.
   at Rebex.Net.SshPublicKey.rrqul(Byte[] p0, AsymmetricKeyAlgorithm& p1, Certificate& p2)
   at Rebex.Net.SshPublicKey.skukd(Byte[] p0, Boolean p1)
   at Rebex.Net.SshPublicKey..ctor(Byte[] data)
   at ioqcn.qovtg.irajm(Byte[] p0, Byte[] p1, Byte[] p2, SshPublicKey& p3)
   at ioqcn.pshbb.rnmbl(SshSession p0, Byte[] p1, Byte[] p2, Byte[] p3, Byte[] p4, zopvy& p5, Byte[]& p6, SshPublicKey& p7)
   at Rebex.Net.SshSession.pfylg(Byte[] p0)
   --- End of inner exception stack trace ---
   at Rebex.Net.SshSession.pfylg(Byte[] p0)
   at Rebex.Net.SshSession.Negotiate()
   at Rebex.Net.Ssh.tgdur.zsblg(zmezg p0, Boolean p1)
   at Rebex.Net.Ssh.qvwcl(String p0, Int32 p1, SshParameters p2, zmezg p3)

I hope this makes sense, let me know if you have any questions.

Cheers
Aftab

Applies to: Rebex SFTP, Rebex Terminal Emulation

1 Answer

0 votes
by (144k points)
edited by

The Rebex error message indicates that the key algorithm string, received in the encoded SSH public key, is incorrect. For ed25519, it should be "ssh-ed25519", but that was apparently not the case.
A log from Rebex Ssh object at LogLevel.Verbose would contain the raw SSH public key and make it possible to tell whether this is actually the case. However, we have no idea how to create such logs with RoyalTS.

Update: According to the verbose log, this is indeed caused by a server-side bug.
The log shows that when "rsa-sha2-512" host key algorithm has been negotiated, the server responds with a wrongly-encoded SSH public key that identifies the key format as "rsa-sha2-512" instead of "ssh-rsa". That violates the specification in RFC 8332 which says:

Since RSA keys are not dependent on the choice of hash function, the
new public key algorithms reuse the "ssh-rsa" public key format as
defined in [RFC4253]:

string    "ssh-rsa"
mpint     e
mpint     n

And then it repeats that requirement once more:

If one of the two host key algorithms is
negotiated, the server sends an "ssh-rsa" public key as part of the
negotiated key exchange method (e.g., in SSH_MSG_KEXDH_REPLY) and
encodes a signature with the appropriate signature algorithm name --
either "rsa-sha2-256" or "rsa-sha2-512"

But the server you are trying to connect to uses "rsa-sha2-512" for both the public key and the signature algorithm name.

Therefore, this is clearly a server-side issue. If the current version of the server is still affected, it should be reported to the server vendor. As a temporary workaround, disable "rsa-sha2-256" and "rsa-sha2-512" host key algorithms with affected servers.

by (120 points)
relevant sshd debug lines from the server:

Rebex in RTS v7 only allowing Host Key algo ed25519:

    SSH: SSH2_MSG_KEXINIT sent
    SSH: SSH2_MSG_KEXINIT received
    SSH: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,curve25519-sha256@libssh.org
    SSH: kex_parse_kexinit: rsa-sha2-512,ssh-ed25519
    SSH: kex_parse_kexinit: aes256-ctr,aes256-gcm@openssh.com
    SSH: kex_parse_kexinit: aes256-ctr,aes256-gcm@openssh.com
    SSH: kex_parse_kexinit: hmac-sha2-256,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-512-etm@openssh.com
    SSH: kex_parse_kexinit: hmac-sha2-256,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-512-etm@openssh.com
    SSH: kex_parse_kexinit: none,zlib@openssh.com
    SSH: kex_parse_kexinit: none,zlib@openssh.com
    SSH: kex_parse_kexinit:
    SSH: kex_parse_kexinit:
    SSH: kex_parse_kexinit: first_kex_follows 0
    SSH: kex_parse_kexinit: reserved 0
    SSH: kex_parse_kexinit: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group15-sha512,diffie-hellm
    SSH: kex_parse_kexinit: rsa-sha2-256,ssh-rsa-sha256@ssh.com,rsa-sha2-512,ssh-rsa,x509v3-rsa2048-sha256,x509v3-sign-rsa-sha256@ssh.com,x509v3-sign-rsa,x509v3-sign-dss,ssh-ed25519,ecdsa-sha2-nistp256,x509v3-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,x509v3-ecdsa-sh
    SSH: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,3des-ctr,twofish256-ctr,twofish192-ctr,twofish128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc,twofish256-cbc,twofish192-cbc,t
    SSH: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,3des-ctr,twofish256-ctr,twofish192-ctr,twofish128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc,twofish256-cbc,twofish192-cbc,t
    SSH: kex_parse_kexinit: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-512,hmac-sha1
    SSH: kex_parse_kexinit: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-512,hmac-sha1
    SSH: kex_parse_kexinit: none,zlib,zlib@openssh.com
    SSH: kex_parse_kexinit: none,zlib,zlib@openssh.com
    SSH: kex_parse_kexinit:
    SSH: kex_parse_kexinit:
    SSH: kex_parse_kexinit: first_kex_follows 0
    SSH: kex_parse_kexinit: reserved 0
    SSH: kex: host key algorithm: rsa-sha2-512
    SSH: kex: client->server aes256-gcm@openssh.com <implicit> none
    SSH: kex: server->client aes256-gcm@openssh.com <implicit> none
    SSH: expecting SSH2_MSG_KEX_ECDH_INIT
    SSH: set_newkeys: mode 1
    SSH: SSH2_MSG_NEWKEYS sent
    SSH: expecting SSH2_MSG_NEWKEYS
    SSH: error: Received disconnect from 10.0.0.141: 2: Internal error
    SSH: Disconnected from 10.0.0.141


Rebex in RTS v6 only allowing Host Key algo ed25519

    SSH: SSH2_MSG_KEXINIT sent
    SSH: SSH2_MSG_KEXINIT received
    SSH: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,curve25519-sha256@libssh.org
    SSH: kex_parse_kexinit: rsa-sha2-512,ssh-ed25519
    SSH: kex_parse_kexinit: aes256-ctr,aes256-gcm@openssh.com
    SSH: kex_parse_kexinit: aes256-ctr,aes256-gcm@openssh.com
    SSH: kex_parse_kexinit: hmac-sha2-256,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-512-etm@openssh.com
    SSH: kex_parse_kexinit: hmac-sha2-256,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-512-etm@openssh.com
    SSH: kex_parse_kexinit: none,zlib@openssh.com
    SSH: kex_parse_kexinit: none,zlib@openssh.com
    SSH: kex_parse_kexinit:
    SSH: kex_parse_kexinit:
    SSH: kex_parse_kexinit: first_kex_follows 0
    SSH: kex_parse_kexinit: reserved 0
    SSH: kex_parse_kexinit: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group15-sha512,diffie-hellman-group16-sha512,diffi
    SSH: kex_parse_kexinit: ssh-ed25519
    SSH: kex_parse_kexinit: aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,3des-ctr,twofish256-ctr,twofish192-ctr,twofish128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc,twofish256-cbc,twofish192-cbc,twofish128-cbc,chacha20-poly130
    SSH: kex_parse_kexinit: aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,3des-ctr,twofish256-ctr,twofish192-ctr,twofish128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc,twofish256-cbc,twofish192-cbc,twofish128-cbc,chacha20-poly130
    SSH: kex_parse_kexinit: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-512,hmac-sha1
    SSH: kex_parse_kexinit: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-512,hmac-sha1
    SSH: kex_parse_kexinit: none,zlib,zlib@openssh.com
    SSH: kex_parse_kexinit: none,zlib,zlib@openssh.com
    SSH: kex_parse_kexinit:
    SSH: kex_parse_kexinit:
    SSH: kex_parse_kexinit: first_kex_follows 0
    SSH: kex_parse_kexinit: reserved 0
    SSH: kex: host key algorithm: ssh-ed25519
    SSH: kex: client->server aes256-gcm@openssh.com <implicit> none
    SSH: kex: server->client aes256-gcm@openssh.com <implicit> none
    SSH: expecting SSH2_MSG_KEX_ECDH_INIT
    SSH: set_newkeys: mode 1
    SSH: SSH2_MSG_NEWKEYS sent
    SSH: expecting SSH2_MSG_NEWKEYS
    SSH: set_newkeys: mode 0
    SSH: SSH2_MSG_NEWKEYS received
    SSH: KEX done



Putty:

    SSH: SSH2_MSG_KEXINIT sent
    SSH: SSH2_MSG_KEXINIT received
    SSH: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,curve25519-sha256@libssh.org
    SSH: kex_parse_kexinit: rsa-sha2-512,ssh-ed25519
    SSH: kex_parse_kexinit: aes256-ctr,aes256-gcm@openssh.com
    SSH: kex_parse_kexinit: aes256-ctr,aes256-gcm@openssh.com
    SSH: kex_parse_kexinit: hmac-sha2-256,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-512-etm@openssh.com
    SSH: kex_parse_kexinit: hmac-sha2-256,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-512-etm@openssh.com
    SSH: kex_parse_kexinit: none,zlib@openssh.com
    SSH: kex_parse_kexinit: none,zlib@openssh.com
    SSH: kex_parse_kexinit:
    SSH: kex_parse_kexinit:
    SSH: kex_parse_kexinit: first_kex_follows 0
    SSH: kex_parse_kexinit: reserved 0
    SSH: kex_parse_kexinit: sntrup761x25519-sha512@openssh.com,curve448-sha512,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-he
    SSH: kex_parse_kexinit: ssh-ed25519,ssh-ed448,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
    SSH: kex_parse_kexinit: aes256-ctr,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128
    SSH: kex_parse_kexinit: aes256-ctr,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128
    SSH: kex_parse_kexinit: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-etm@openssh.com
    SSH: kex_parse_kexinit: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-etm@openssh.com
    SSH: kex_parse_kexinit: none,zlib,zlib@openssh.com
    SSH: kex_parse_kexinit: none,zlib,zlib@openssh.com
    SSH: kex_parse_kexinit:
    SSH: kex_parse_kexinit:
    SSH: kex_parse_kexinit: first_kex_follows 0
    SSH: kex_parse_kexinit: reserved 0
    SSH: kex: host key algorithm: ssh-ed25519
    SSH: kex: client->server aes256-ctr hmac-sha2-256 none
    SSH: kex: server->client aes256-ctr hmac-sha2-256 none
    SSH: expecting SSH2_MSG_KEX_ECDH_INIT
    SSH: set_newkeys: mode 1
    SSH: SSH2_MSG_NEWKEYS sent
    SSH: expecting SSH2_MSG_NEWKEYS
    SSH: set_newkeys: mode 0
    SSH: SSH2_MSG_NEWKEYS received
    SSH: KEX done
by (120 points)
i'm starting to think its their implementation,

If I set LogLevel to DEBUG3 on a linux servers sshd_config, i get:


v7 only allowing Host Key algo ed25519
Feb 28 12:52:26 linuxserver sshd[3405]: debug2: host key algorithms: ssh-dss,rsa-sha2-256,ssh-rsa-sha256@ssh.com,rsa-sha2-512,ssh-rsa,x509v3-rsa2048-sha256,x509v3-sign-rsa-sha256@ssh.com,x509v3-sign-rsa,x509v3-sign-dss,ssh-ed25519,ecdsa-sha2-nistp256,x509v3-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,x509v3-ecdsa-sha2-nistp521 [preauth]

v6 only allowing Host Key algo ed25519
Feb 28 12:52:50 linuxserver sshd[4148]: debug2: host key algorithms: ssh-ed25519 [preauth]
by (120 points)
Verbose logging from Royal TS


2024-02-28 13:28:20.616 INFO Ssh(194)[33] Info: Connecting to firewall:22 using Ssh.
2024-02-28 13:28:20.616 INFO Ssh(194)[33] Info: Assembly: Rebex.SshShell 7.0.8755 for .NET 8.0
2024-02-28 13:28:20.616 INFO Ssh(194)[33] Info: Platform: Windows 11 (Build 20348) 64-bit; CLR: .NET 8.0.0
2024-02-28 13:28:21.289 INFO Ssh(194)[33] SSH: Negotiation started.
2024-02-28 13:28:21.327 ERROR Ssh(194)[33] SSH: Negotiation failed. Key algorithm is not supported.
2024-02-28 13:28:21.327 ERROR Ssh(194)[33] Info: Rebex.Net.SshException: Negotiation failed.
 ---> System.Security.Cryptography.CryptographicException: Key algorithm is not supported.
   at Rebex.Net.SshPublicKey.rrqul(Byte[] p0, AsymmetricKeyAlgorithm& p1, Certificate& p2)
   at Rebex.Net.SshSession.pfylg(Byte[] p0)
   --- End of inner exception stack trace ---
   at Rebex.Net.SshSession.pfylg(Byte[] p0)
   at Rebex.Net.SshSession.Negotiate()
   at Rebex.Net.Ssh.tgdur.zsblg(zmezg p0, Boolean p1)
   at Rebex.Net.Ssh.qvwcl(String p0, Int32 p1, SshParameters p2, zmezg p3)
by (144k points)
I am sorry, but none of these logs is going to shed more light onto the issue, because they don't not contain the raw SSH public key (which the error message suggests is wrong). Would it be possible to create a client-side log at LogLevel.Verbose level, showing the content of the SSH negotiation packets? Get in touch with the Royal TS team to learn how to create a suitable log.
by (120 points)
Is this what you need?

Logging on v7 seems to be flawed,


this is from their v6 implementation


2024-02-28 13:31:27.950 INFO Ssh(56)[15] Info: Connecting to uk-ni-fg-t03:22 using Ssh.
2024-02-28 13:31:27.951 INFO Ssh(56)[15] Info: Assembly: Rebex.SshShell R6.13 for .NET 6.0
2024-02-28 13:31:27.951 INFO Ssh(56)[15] Info: Platform: Windows 10.0.14393 64-bit; CLR: .NET 6.0.18
2024-02-28 13:31:27.951 DEBUG Ssh(56)[15] Info: Culture: iv; windows-1252
2024-02-28 13:31:27.951 DEBUG Ssh(56)[15] Proxy: Resolving 'uk-ni-fg-t03'.
2024-02-28 13:31:28.636 DEBUG Ssh(56)[15] Proxy: Connecting to 10.0.0.14:22 (no proxy).
2024-02-28 13:31:28.638 DEBUG Ssh(56)[15] Proxy: Connection established.
2024-02-28 13:31:28.639 VERBOSE Ssh(56)[15] SSH: Sending data:
 0000 |53-53-48-2D-32-2E-30-2D 52-65-62-65-78-53-53-48| SSH-2.0-RebexSSH
 0010 |5F-35-2E-30-2E-38-35-35 38-2E-30-0D-0A         | _5.0.8558.0..
2024-02-28 13:31:28.643 VERBOSE Ssh(56)[15] SSH: Received data:
 0000 |53-53-48-2D-32-2E-30-2D 48-66-66-56-69-51-52-71| SSH-2.0-HffViQRq
 0010 |67-6D-57-5F-0D-0A                              | gmW_..
2024-02-28 13:31:28.643 DEBUG Ssh(56)[15] SSH: Server is 'SSH-2.0-HffViQRqgmW_'.
2024-02-28 13:31:28.643 INFO Ssh(56)[15] SSH: Negotiation started.
2024-02-28 13:31:28.644 VERBOSE Ssh(56)[15] SSH: Sending packet SSH_MSG_KEXINIT (1439 bytes).
 0000 |14-BC-97-0E-C2-99-62-A7 A5-DF-37-04-09-86-28-38| ......b...7...(8
 0010 |5F-00-00-01-4B-63-75-72 76-65-32-35-35-31-39-2D| _...Kcurve25519-
 0020 |73-68-61-32-35-36-2C-63 75-72-76-65-32-35-35-31| sha256,curve2551
 0030 |39-2D-73-68-61-32-35-36 40-6C-69-62-73-73-68-2E| 9-sha256@libssh.
 0040 |6F-72-67-2C-65-63-64-68 2D-73-68-61-32-2D-6E-69| org,ecdh-sha2-ni
 0050 |73-74-70-32-35-36-2C-65 63-64-68-2D-73-68-61-32| stp256,ecdh-sha2
 0060 |2D-6E-69-73-74-70-33-38 34-2C-65-63-64-68-2D-73| -nistp384,ecdh-s
 0070 |68-61-32-2D-6E-69-73-74 70-35-32-31-2C-64-69-66| ha2-nistp521,dif
 0080 |66-69-65-2D-68-65-6C-6C 6D-61-6E-2D-67-72-6F-75| fie-hellman-grou
 0090 |70-2D-65-78-63-68-61-6E 67-65-2D-73-68-61-32-35| p-exchange-sha25
 00A0 |36-2C-64-69-66-66-69-65 2D-68-65-6C-6C-6D-61-6E| 6,diffie-hellman
 00B0 |2D-67-72-6F-75-70-31-34 2D-73-68-61-32-35-36-2C| -group14-sha256,
 00C0 |64-69-66-66-69-65-2D-68 65-6C-6C-6D-61-6E-2D-67| diffie-hellman-g
 00D0 |72-6F-75-70-31-35-2D-73 68-61-35-31-32-2C-64-69| roup15-sha512,di
 00E0 |66-66-69-65-2D-68-65-6C 6C-6D-61-6E-2D-67-72-6F| ffie-hellman-gro
 00F0 |75-70-31-36-2D-73-68-61 35-31-32-2C-64-69-66-66| up16-sha512,diff
 0100 |69-65-2D-68-65-6C-6C-6D 61-6E-2D-67-72-6F-75-70| ie-hellman-group
 0110 |2D-65-78-63-68-61-6E-67 65-2D-73-68-61-31-2C-64| -exchange-sha1,d
 0120 |69-66-66-69-65-2D-68-65 6C-6C-6D-61-6E-2D-67-72| iffie-hellman-gr
 0130 |6F-75-70-31-34-2D-73-68 61-31-2C-64-69-66-66-69| oup14-sha1,diffi
 0140 |65-2D-68-65-6C-6C-6D-61 6E-2D-67-72-6F-75-70-31| e-hellman-group1
 0150 |2D-73-68-61-31-2C-65-78 74-2D-69-6E-66-6F-2D-63| -sha1,ext-info-c
 0160 |00-00-01-2E-73-73-68-2D 64-73-73-2C-72-73-61-2D| ....ssh-dss,rsa-
 0170 |73-68-61-32-2D-32-35-36 2C-73-73-68-2D-72-73-61| sha2-256,ssh-rsa
 0180 |2D-73-68-61-32-35-36-40 73-73-68-2E-63-6F-6D-2C| -sha256@ssh.com,
 0190 |72-73-61-2D-73-68-61-32 2D-35-31-32-2C-73-73-68| rsa-sha2-512,ssh
 01A0 |2D-72-73-61-2C-78-35-30 39-76-33-2D-72-73-61-32| -rsa,x509v3-rsa2
 01B0 |30-34-38-2D-73-68-61-32 35-36-2C-78-35-30-39-76| 048-sha256,x509v
 01C0 |33-2D-73-69-67-6E-2D-72 73-61-2D-73-68-61-32-35| 3-sign-rsa-sha25
 01D0 |36-40-73-73-68-2E-63-6F 6D-2C-78-35-30-39-76-33| 6@ssh.com,x509v3
 01E0 |2D-73-69-67-6E-2D-72-73 61-2C-78-35-30-39-76-33| -sign-rsa,x509v3
 01F0 |2D-73-69-67-6E-2D-64-73 73-2C-73-73-68-2D-65-64| -sign-dss,ssh-ed
 0200 |32-35-35-31-39-2C-65-63 64-73-61-2D-73-68-61-32| 25519,ecdsa-sha2
 0210 |2D-6E-69-73-74-70-32-35 36-2C-78-35-30-39-76-33| -nistp256,x509v3
 0220 |2D-65-63-64-73-61-2D-73 68-61-32-2D-6E-69-73-74| -ecdsa-sha2-nist
 0230 |70-32-35-36-2C-65-63-64 73-61-2D-73-68-61-32-2D| p256,ecdsa-sha2-
 0240 |6E-69-73-74-70-33-38-34 2C-78-35-30-39-76-33-2D| nistp384,x509v3-
 0250 |65-63-64-73-61-2D-73-68 61-32-2D-6E-69-73-74-70| ecdsa-sha2-nistp
 0260 |33-38-34-2C-65-63-64-73 61-2D-73-68-61-32-2D-6E| 384,ecdsa-sha2-n
 0270 |69-73-74-70-35-32-31-2C 78-35-30-39-76-33-2D-65| istp521,x509v3-e
 0280 |63-64-73-61-2D-73-68-61 32-2D-6E-69-73-74-70-35| cdsa-sha2-nistp5
 0290 |32-31-00-00-00-F9-61-65 73-32-35-36-2D-67-63-6D| 21....aes256-gcm
 02A0 |40-6F-70-65-6E-73-73-68 2E-63-6F-6D-2C-61-65-73| @openssh.com,aes
 02B0 |31-32-38-2D-67-63-6D-40 6F-70-65-6E-73-73-68-2E| 128-gcm@openssh.
 02C0 |63-6F-6D-2C-61-65-73-32 35-36-2D-63-74-72-2C-61| com,aes256-ctr,a
 02D0 |65-73-31-39-32-2D-63-74 72-2C-61-65-73-31-32-38| es192-ctr,aes128
 02E0 |2D-63-74-72-2C-33-64-65 73-2D-63-74-72-2C-74-77| -ctr,3des-ctr,tw
 02F0 |6F-66-69-73-68-32-35-36 2D-63-74-72-2C-74-77-6F| ofish256-ctr,two
 0300 |66-69-73-68-31-39-32-2D 63-74-72-2C-74-77-6F-66| fish192-ctr,twof
 0310 |69-73-68-31-32-38-2D-63 74-72-2C-61-65-73-32-35| ish128-ctr,aes25
 0320 |36-2D-63-62-63-2C-61-65 73-31-39-32-2D-63-62-63| 6-cbc,aes192-cbc
 0330 |2C-61-65-73-31-32-38-2D 63-62-63-2C-33-64-65-73| ,aes128-cbc,3des
 0340 |2D-63-62-63-2C-74-77-6F 66-69-73-68-32-35-36-2D| -cbc,twofish256-
 0350 |63-62-63-2C-74-77-6F-66 69-73-68-31-39-32-2D-63| cbc,twofish192-c
 0360 |62-63-2C-74-77-6F-66-69 73-68-31-32-38-2D-63-62| bc,twofish128-cb
 0370 |63-2C-63-68-61-63-68-61 32-30-2D-70-6F-6C-79-31| c,chacha20-poly1
 0380 |33-30-35-40-6F-70-65-6E 73-73-68-2E-63-6F-6D-00| 305@openssh.com.
 0390 |00-00-F9-61-65-73-32-35 36-2D-67-63-6D-40-6F-70| ...aes256-gcm@op
 03A0 |65-6E-73-73-68-2E-63-6F 6D-2C-61-65-73-31-32-38| enssh.com,aes128
 03B0 |2D-67-63-6D-40-6F-70-65 6E-73-73-68-2E-63-6F-6D| -gcm@openssh.com
 03C0 |2C-61-65-73-32-35-36-2D 63-74-72-2C-61-65-73-31| ,aes256-ctr,aes1
 03D0 |39-32-2D-63-74-72-2C-61 65-73-31-32-38-2D-63-74| 92-ctr,aes128-ct
 03E0 |72-2C-33-64-65-73-2D-63 74-72-2C-74-77-6F-66-69| r,3des-ctr,twofi
 03F0 |73-68-32-35-36-2D-63-74 72-2C-74-77-6F-66-69-73| sh256-ctr,twofis
 0400 |68-31-39-32-2D-63-74-72 2C-74-77-6F-66-69-73-68| h192-ctr,twofish
 0410 |31-32-38-2D-63-74-72-2C 61-65-73-32-35-36-2D-63| 128-ctr,aes256-c
 0420 |62-63-2C-61-65-73-31-39 32-2D-63-62-63-2C-61-65| bc,aes192-cbc,ae
 0430 |73-31-32-38-2D-63-62-63 2C-33-64-65-73-2D-63-62| s128-cbc,3des-cb
 0440 |63-2C-74-77-6F-66-69-73 68-32-35-36-2D-63-62-63| c,twofish256-cbc
 0450 |2C-74-77-6F-66-69-73-68 31-39-32-2D-63-62-63-2C| ,twofish192-cbc,
 0460 |74-77-6F-66-69-73-68-31 32-38-2D-63-62-63-2C-63| twofish128-cbc,c
 0470 |68-61-63-68-61-32-30-2D 70-6F-6C-79-31-33-30-35| hacha20-poly1305
 0480 |40-6F-70-65-6E-73-73-68 2E-63-6F-6D-00-00-00-61| @openssh.com...a
 0490 |68-6D-61-63-2D-73-68-61 32-2D-32-35-36-2D-65-74| hmac-sha2-256-et
 04A0 |6D-40-6F-70-65-6E-73-73 68-2E-63-6F-6D-2C-68-6D| m@openssh.com,hm
 04B0 |61-63-2D-73-68-61-32-2D 32-35-36-2C-68-6D-61-63| ac-sha2-256,hmac
 04C0 |2D-73-68-61-32-2D-35-31 32-2D-65-74-6D-40-6F-70| -sha2-512-etm@op
 04D0 |65-6E-73-73-68-2E-63-6F 6D-2C-68-6D-61-63-2D-73| enssh.com,hmac-s
 04E0 |68-61-32-2D-35-31-32-2C 68-6D-61-63-2D-73-68-61| ha2-512,hmac-sha
 04F0 |31-00-00-00-61-68-6D-61 63-2D-73-68-61-32-2D-32| 1...ahmac-sha2-2
 0500 |35-36-2D-65-74-6D-40-6F 70-65-6E-73-73-68-2E-63| 56-etm@openssh.c
 0510 |6F-6D-2C-68-6D-61-63-2D 73-68-61-32-2D-32-35-36| om,hmac-sha2-256
 0520 |2C-68-6D-61-63-2D-73-68 61-32-2D-35-31-32-2D-65| ,hmac-sha2-512-e
 0530 |74-6D-40-6F-70-65-6E-73 73-68-2E-63-6F-6D-2C-68| tm@openssh.com,h
 0540 |6D-61-63-2D-73-68-61-32 2D-35-31-32-2C-68-6D-61| mac-sha2-512,hma
 0550 |63-2D-73-68-61-31-00-00 00-1A-6E-6F-6E-65-2C-7A| c-sha1....none,z
 0560 |6C-69-62-2C-7A-6C-69-62 40-6F-70-65-6E-73-73-68| lib,zlib@openssh
 0570 |2E-63-6F-6D-00-00-00-1A 6E-6F-6E-65-2C-7A-6C-69| .com....none,zli
 0580 |62-2C-7A-6C-69-62-40-6F 70-65-6E-73-73-68-2E-63| b,zlib@openssh.c
 0590 |6F-6D-00-00-00-00-00-00 00-00-00-00-00-00-00   | om.............
2024-02-28 13:31:28.645 VERBOSE Ssh(56)[63] SSH: Received packet SSH_MSG_KEXINIT (433 bytes).
 0000 |14-3C-D8-59-87-82-B3-C8 E2-BF-46-3C-1C-8B-94-CC| .<.Y......F<....
 0010 |5B-00-00-00-41-64-69-66 66-69-65-2D-68-65-6C-6C| [...Adiffie-hell
 0020 |6D-61-6E-2D-67-72-6F-75 70-2D-65-78-63-68-61-6E| man-group-exchan
 0030 |67-65-2D-73-68-61-32-35 36-2C-63-75-72-76-65-32| ge-sha256,curve2
 0040 |35-35-31-39-2D-73-68-61 32-35-36-40-6C-69-62-73| 5519-sha256@libs
 0050 |73-68-2E-6F-72-67-00-00 00-18-72-73-61-2D-73-68| sh.org....rsa-sh
 0060 |61-32-2D-35-31-32-2C-73 73-68-2D-65-64-32-35-35| a2-512,ssh-ed255
 0070 |31-39-00-00-00-21-61-65 73-32-35-36-2D-63-74-72| 19...!aes256-ctr
 0080 |2C-61-65-73-32-35-36-2D 67-63-6D-40-6F-70-65-6E| ,aes256-gcm@open
 0090 |73-73-68-2E-63-6F-6D-00 00-00-21-61-65-73-32-35| ssh.com...!aes25
 00A0 |36-2D-63-74-72-2C-61-65 73-32-35-36-2D-67-63-6D| 6-ctr,aes256-gcm
 00B0 |40-6F-70-65-6E-73-73-68 2E-63-6F-6D-00-00-00-57| @openssh.com...W
 00C0 |68-6D-61-63-2D-73-68-61 32-2D-32-35-36-2C-68-6D| hmac-sha2-256,hm
 00D0 |61-63-2D-73-68-61-32-2D 32-35-36-2D-65-74-6D-40| ac-sha2-256-etm@
 00E0 |6F-70-65-6E-73-73-68-2E 63-6F-6D-2C-68-6D-61-63| openssh.com,hmac
 00F0 |2D-73-68-61-32-2D-35-31 32-2C-68-6D-61-63-2D-73| -sha2-512,hmac-s
 0100 |68-61-32-2D-35-31-32-2D 65-74-6D-40-6F-70-65-6E| ha2-512-etm@open
 0110 |73-73-68-2E-63-6F-6D-00 00-00-57-68-6D-61-63-2D| ssh.com...Whmac-
 0120 |73-68-61-32-2D-32-35-36 2C-68-6D-61-63-2D-73-68| sha2-256,hmac-sh
 0130 |61-32-2D-32-35-36-2D-65 74-6D-40-6F-70-65-6E-73| a2-256-etm@opens
 0140 |73-68-2E-63-6F-6D-2C-68 6D-61-63-2D-73-68-61-32| sh.com,hmac-sha2
 0150 |2D-35-31-32-2C-68-6D-61 63-2D-73-68-61-32-2D-35| -512,hmac-sha2-5
 0160 |31-32-2D-65-74-6D-40-6F 70-65-6E-73-73-68-2E-63| 12-etm@openssh.c
 0170 |6F-6D-00-00-00-15-6E-6F 6E-65-2C-7A-6C-69-62-40| om....none,zlib@
 0180 |6F-70-65-6E-73-73-68-2E 63-6F-6D-00-00-00-15-6E| openssh.com....n
 0190 |6F-6E-65-2C-7A-6C-69-62 40-6F-70-65-6E-73-73-68| one,zlib@openssh
 01A0 |2E-63-6F-6D-00-00-00-00 00-00-00-00-00-00-00-00| .com............
 01B0 |00                                             | .
by (120 points)
2024-02-28 13:31:28.645 DEBUG Ssh(56)[15] SSH: Negotiating key.
2024-02-28 13:31:28.645 VERBOSE Ssh(56)[15] SSH: Sending packet SSH_MSG_KEX_30 (37 bytes).
 0000 |1E-00-00-00-20-D1-13-A8 5B-5D-DC-9F-68-E8-60-DB| .... ...[]..h.`.
 0010 |C6-96-41-32-14-2C-1C-4C 15-69-30-48-4A-B9-D7-96| ..A2.,.L.i0HJ...
 0020 |9A-F0-B3-C2-4E                                 | ....N
2024-02-28 13:31:28.681 VERBOSE Ssh(56)[63] SSH: Received packet SSH_MSG_KEX_31 (605 bytes).
 0000 |1F-00-00-01-1C-00-00-00 0C-72-73-61-2D-73-68-61| .........rsa-sha
 0010 |32-2D-35-31-32-00-00-00 03-01-00-01-00-00-01-01| 2-512...........
 0020 |00-F7-EE-92-B9-E8-5E-D2 F2-77-5B-F5-D7-C6-80-0C| ......^..w[.....
 0030 |EC-89-8E-83-1A-52-EB-CA E2-12-86-CD-E9-0F-EC-AB| .....R..........
 0040 |24-D9-CC-84-A1-A7-6B-F1 F3-B4-A8-83-F8-62-DE-3E| $.....k......b.>
 0050 |5A-58-61-C4-D9-FE-7E-17 2D-13-EA-15-DB-12-D7-5B| ZXa...~.-......[
 0060 |45-6C-65-82-E6-C3-26-15 D4-5F-8B-89-A3-EA-E5-68| Ele...&.._.....h
 0070 |15-A6-DC-69-1D-A5-33-54 B5-E2-F6-8A-3B-63-E5-EF| ...i..3T....;c..
 0080 |2A-AD-3D-DA-F4-2F-7F-E1 81-45-07-60-9F-B0-9E-7C| *.=../...E.`...|
 0090 |59-AA-A3-F0-F7-59-78-9E 28-80-DE-75-03-9E-E8-70| Y....Yx.(..u...p
 00A0 |49-CB-4D-3E-BB-4D-C6-4A B0-C5-87-14-DF-CF-F6-9F| I.M>.M.J........
 00B0 |F9-23-4A-59-A8-51-18-1F 35-42-B4-A7-72-6E-40-69| .#JY.Q..5B..rn@i
 00C0 |6F-59-52-F4-70-49-CC-C1 8F-9E-62-EC-64-8E-DE-B0| oYR.pI....b.d...
 00D0 |68-7D-73-D7-33-73-5B-FA E8-FE-A8-27-D1-46-9C-F3| h}s.3s[....'.F..
 00E0 |73-30-89-2F-79-3F-FA-C2 1C-CD-76-EF-71-2A-E1-D7| s0./y?....v.q*..
 00F0 |AE-95-39-8D-41-12-B3-F7 47-4A-0D-E9-0F-8B-C5-11| ..9.A...GJ......
 0100 |CE-4A-6A-6E-26-CA-D0-47 60-1F-BE-0B-A2-B4-D2-C3| .Jjn&..G`.......
 0110 |05-4E-B7-CD-AA-51-1F-58 02-92-29-77-E7-C5-97-FE| .N...Q.X..)w....
 0120 |25-00-00-00-20-55-0E-C8 23-AE-90-A1-49-F9-7C-5C| %... U..#...I.|\
 0130 |A0-1B-2B-94-1D-79-70-FD E8-44-0E-8C-E5-BE-7A-26| ..+..yp..D....z&
 0140 |19-40-A9-27-77-00-00-01 14-00-00-00-0C-72-73-61| .@.'w........rsa
 0150 |2D-73-68-61-32-2D-35-31 32-00-00-01-00-3E-E9-D0| -sha2-512....>..
 0160 |98-FA-4A-D4-B7-2A-AB-4B 95-A0-66-6B-70-99-6C-09| ..J..*.K..fkp.l.
 0170 |54-E4-EB-08-9F-7A-63-FD 19-C5-A3-57-A6-DB-E3-57| T....zc....W...W
 0180 |E2-EF-0E-74-8C-5D-6D-01 A3-45-4A-FA-02-43-0E-37| ...t.]m..EJ..C.7
 0190 |77-4F-DD-D8-73-F6-14-35 D6-59-05-CE-0B-54-04-12| wO..s..5.Y...T..
 01A0 |24-54-6C-80-74-D9-31-B0 11-34-FC-17-52-C6-33-AA| $Tl.t.1..4..R.3.
 01B0 |C8-84-78-AB-5F-59-D5-B2 76-82-1A-D5-60-4C-B2-1C| ..x._Y..v...`L..
 01C0 |A2-32-99-D7-85-05-FC-04 2B-DB-8D-F0-90-A6-F4-FC| .2......+.......
 01D0 |B1-53-95-63-4B-00-D4-50 60-49-8B-79-FD-3F-C0-9A| .S.cK..P`I.y.?..
 01E0 |EA-B5-53-5D-D2-E5-DD-06 2F-35-E7-E5-98-48-92-79| ..S]..../5...H.y
 01F0 |67-7F-1E-56-77-A1-39-26 8A-C6-29-2F-CB-12-5E-13| g..Vw.9&..)/..^.
 0200 |F9-A7-D8-7B-80-B5-F0-38 0E-EB-D0-6C-B1-E7-2D-9C| ...{...8...l..-.
 0210 |07-30-0A-0F-AD-8F-AF-83 3F-73-06-BD-41-FA-E3-5F| .0......?s..A.._
 0220 |66-2D-14-EB-F7-B7-15-76 E5-33-C9-AE-27-BD-6D-24| f-.....v.3..'.m$
 0230 |F3-27-B3-7C-28-31-9F-B3 9B-EB-48-F3-4A-F1-2D-0D| .'.|(1....H.J.-.
 0240 |52-80-55-9D-61-F2-F3-F0 9B-43-1A-F8-07-C2-A2-08| R.U.a....C......
 0250 |A5-1D-A2-32-83-03-5D-CA DE-AF-5D-16-7E         | ...2..]...].~
2024-02-28 13:31:28.681 VERBOSE Ssh(56)[63] SSH: Received packet SSH_MSG_NEWKEYS (1 bytes).
 0000 |15                                             | .
2024-02-28 13:31:28.682 DEBUG Ssh(56)[15] SSH: Validating 'rsa-sha2-512' signature.
2024-02-28 13:31:28.682 ERROR Ssh(56)[15] SSH: Negotiation failed. Key algorithm is not supported.
2024-02-28 13:31:28.682 VERBOSE Ssh(56)[15] SSH: Sending packet SSH_MSG_DISCONNECT (27 bytes).
 0000 |01-00-00-00-02-00-00-00 0E-49-6E-74-65-72-6E-61| .........Interna
 0010 |6C-20-65-72-72-6F-72-00 00-00-00               | l error....
2024-02-28 13:31:28.713 ERROR Ssh(56)[15] Info: Rebex.Net.SshException: Negotiation failed.
 ---> System.Security.Cryptography.CryptographicException: Key algorithm is not supported.
   at Rebex.Net.SshPublicKey.bkgja(Byte[] p0, AsymmetricKeyAlgorithm& p1, Certificate& p2)
   at Rebex.Net.SshPublicKey.sacip(Byte[] p0)
   at Rebex.Net.SshPublicKey..ctor(Byte[] data)
   at sljnw.dzbpn.eupdx(Byte[] p0, Byte[] p1, Byte[] p2, SshPublicKey& p3)
   at sljnw.jvrwd.fuxix(SshSession p0, Byte[] p1, Byte[] p2, Byte[] p3, Byte[] p4, cjxed& p5, Byte[]& p6, SshPublicKey& p7)
   at Rebex.Net.SshSession.wlsti(Byte[] p0)
   --- End of inner exception stack trace ---
   at Rebex.Net.SshSession.wlsti(Byte[] p0)
   at Rebex.Net.SshSession.Negotiate()
   at Rebex.Net.Ssh.gvayy.dfilj(dwgbi p0, Boolean p1)
   at Rebex.Net.Ssh.yteur(String p0, Int32 p1, SshParameters p2, dwgbi p3)
by (120 points)
above are logs from a failing connection..


these are logs from when I enforce only Host Key algo ed25519


2024-02-28 13:44:22.656 INFO Ssh(58)[61] Info: Connecting to firewall:22 using Ssh.
2024-02-28 13:44:22.657 INFO Ssh(58)[61] Info: Assembly: Rebex.SshShell R6.13 for .NET 6.0
2024-02-28 13:44:22.657 INFO Ssh(58)[61] Info: Platform: Windows 10.0.14393 64-bit; CLR: .NET 6.0.18
2024-02-28 13:44:22.657 DEBUG Ssh(58)[61] Info: Culture: iv; windows-1252
2024-02-28 13:44:22.658 DEBUG Ssh(58)[61] Proxy: Resolving 'firewall'.
2024-02-28 13:44:22.669 DEBUG Ssh(58)[61] Proxy: Connecting to 10.0.0.14:22 (no proxy).
2024-02-28 13:44:22.671 DEBUG Ssh(58)[61] Proxy: Connection established.
2024-02-28 13:44:22.671 VERBOSE Ssh(58)[61] SSH: Sending data:
 0000 |53-53-48-2D-32-2E-30-2D 52-65-62-65-78-53-53-48| SSH-2.0-RebexSSH
 0010 |5F-35-2E-30-2E-38-35-35 38-2E-30-0D-0A         | _5.0.8558.0..
2024-02-28 13:44:22.676 VERBOSE Ssh(58)[61] SSH: Received data:
 0000 |53-53-48-2D-32-2E-30-2D 48-66-66-56-69-51-52-71| SSH-2.0-HffViQRq
 0010 |67-6D-57-5F-0D-0A                              | gmW_..
2024-02-28 13:44:22.676 DEBUG Ssh(58)[61] SSH: Server is 'SSH-2.0-HffViQRqgmW_'.
2024-02-28 13:44:22.676 INFO Ssh(58)[61] SSH: Negotiation started.
2024-02-28 13:44:22.676 VERBOSE Ssh(58)[61] SSH: Sending packet SSH_MSG_KEXINIT (1148 bytes).
 0000 |14-2D-F4-9D-54-AD-5F-78 40-FD-4E-36-60-F5-AB-0B| .-..T._x@.N6`...
 0010 |E8-00-00-01-4B-63-75-72 76-65-32-35-35-31-39-2D| ....Kcurve25519-
 0020 |73-68-61-32-35-36-2C-63 75-72-76-65-32-35-35-31| sha256,curve2551
 0030 |39-2D-73-68-61-32-35-36 40-6C-69-62-73-73-68-2E| 9-sha256@libssh.
 0040 |6F-72-67-2C-65-63-64-68 2D-73-68-61-32-2D-6E-69| org,ecdh-sha2-ni
 0050 |73-74-70-32-35-36-2C-65 63-64-68-2D-73-68-61-32| stp256,ecdh-sha2
 0060 |2D-6E-69-73-74-70-33-38 34-2C-65-63-64-68-2D-73| -nistp384,ecdh-s
 0070 |68-61-32-2D-6E-69-73-74 70-35-32-31-2C-64-69-66| ha2-nistp521,dif
 0080 |66-69-65-2D-68-65-6C-6C 6D-61-6E-2D-67-72-6F-75| fie-hellman-grou
 0090 |70-2D-65-78-63-68-61-6E 67-65-2D-73-68-61-32-35| p-exchange-sha25
 00A0 |36-2C-64-69-66-66-69-65 2D-68-65-6C-6C-6D-61-6E| 6,diffie-hellman
 00B0 |2D-67-72-6F-75-70-31-34 2D-73-68-61-32-35-36-2C| -group14-sha256,
 00C0 |64-69-66-66-69-65-2D-68 65-6C-6C-6D-61-6E-2D-67| diffie-hellman-g
 00D0 |72-6F-75-70-31-35-2D-73 68-61-35-31-32-2C-64-69| roup15-sha512,di
 00E0 |66-66-69-65-2D-68-65-6C 6C-6D-61-6E-2D-67-72-6F| ffie-hellman-gro
 00F0 |75-70-31-36-2D-73-68-61 35-31-32-2C-64-69-66-66| up16-sha512,diff
 0100 |69-65-2D-68-65-6C-6C-6D 61-6E-2D-67-72-6F-75-70| ie-hellman-group
 0110 |2D-65-78-63-68-61-6E-67 65-2D-73-68-61-31-2C-64| -exchange-sha1,d
 0120 |69-66-66-69-65-2D-68-65 6C-6C-6D-61-6E-2D-67-72| iffie-hellman-gr
 0130 |6F-75-70-31-34-2D-73-68 61-31-2C-64-69-66-66-69| oup14-sha1,diffi
 0140 |65-2D-68-65-6C-6C-6D-61 6E-2D-67-72-6F-75-70-31| e-hellman-group1
 0150 |2D-73-68-61-31-2C-65-78 74-2D-69-6E-66-6F-2D-63| -sha1,ext-info-c
 0160 |00-00-00-0B-73-73-68-2D 65-64-32-35-35-31-39-00| ....ssh-ed25519.
 0170 |00-00-F9-61-65-73-32-35 36-2D-67-63-6D-40-6F-70| ...aes256-gcm@op
 0180 |65-6E-73-73-68-2E-63-6F 6D-2C-61-65-73-31-32-38| enssh.com,aes128
 0190 |2D-67-63-6D-40-6F-70-65 6E-73-73-68-2E-63-6F-6D| -gcm@openssh.com
 01A0 |2C-61-65-73-32-35-36-2D 63-74-72-2C-61-65-73-31| ,aes256-ctr,aes1
 01B0 |39-32-2D-63-74-72-2C-61 65-73-31-32-38-2D-63-74| 92-ctr,aes128-ct
 01C0 |72-2C-33-64-65-73-2D-63 74-72-2C-74-77-6F-66-69| r,3des-ctr,twofi
 01D0 |73-68-32-35-36-2D-63-74 72-2C-74-77-6F-66-69-73| sh256-ctr,twofis
 01E0 |68-31-39-32-2D-63-74-72 2C-74-77-6F-66-69-73-68| h192-ctr,twofish
 01F0 |31-32-38-2D-63-74-72-2C 61-65-73-32-35-36-2D-63| 128-ctr,aes256-c
 0200 |62-63-2C-61-65-73-31-39 32-2D-63-62-63-2C-61-65| bc,aes192-cbc,ae
 0210 |73-31-32-38-2D-63-62-63 2C-33-64-65-73-2D-63-62| s128-cbc,3des-cb
 0220 |63-2C-74-77-6F-66-69-73 68-32-35-36-2D-63-62-63| c,twofish256-cbc
 0230 |2C-74-77-6F-66-69-73-68 31-39-32-2D-63-62-63-2C| ,twofish192-cbc,
 0240 |74-77-6F-66-69-73-68-31 32-38-2D-63-62-63-2C-63| twofish128-cbc,c
 0250 |68-61-63-68-61-32-30-2D 70-6F-6C-79-31-33-30-35| hacha20-poly1305
 0260 |40-6F-70-65-6E-73-73-68 2E-63-6F-6D-00-00-00-F9| @openssh.com....
 0270 |61-65-73-32-35-36-2D-67 63-6D-40-6F-70-65-6E-73| aes256-gcm@opens
 0280 |73-68-2E-63-6F-6D-2C-61 65-73-31-32-38-2D-67-63| sh.com,aes128-gc
 0290 |6D-40-6F-70-65-6E-73-73 68-2E-63-6F-6D-2C-61-65| m@openssh.com,ae
 02A0 |73-32-35-36-2D-63-74-72 2C-61-65-73-31-39-32-2D| s256-ctr,aes192-
 02B0 |63-74-72-2C-61-65-73-31 32-38-2D-63-74-72-2C-33| ctr,aes128-ctr,3
 02C0 |64-65-73-2D-63-74-72-2C 74-77-6F-66-69-73-68-32| des-ctr,twofish2
 02D0 |35-36-2D-63-74-72-2C-74 77-6F-66-69-73-68-31-39| 56-ctr,twofish19
 02E0 |32-2D-63-74-72-2C-74-77 6F-66-69-73-68-31-32-38| 2-ctr,twofish128
 02F0 |2D-63-74-72-2C-61-65-73 32-35-36-2D-63-62-63-2C| -ctr,aes256-cbc,
 0300 |61-65-73-31-39-32-2D-63 62-63-2C-61-65-73-31-32| aes192-cbc,aes12
 0310 |38-2D-63-62-63-2C-33-64 65-73-2D-63-62-63-2C-74| 8-cbc,3des-cbc,t
 0320 |77-6F-66-69-73-68-32-35 36-2D-63-62-63-2C-74-77| wofish256-cbc,tw
 0330 |6F-66-69-73-68-31-39-32 2D-63-62-63-2C-74-77-6F| ofish192-cbc,two
 0340 |66-69-73-68-31-32-38-2D 63-62-63-2C-63-68-61-63| fish128-cbc,chac
 0350 |68-61-32-30-2D-70-6F-6C 79-31-33-30-35-40-6F-70| ha20-poly1305@op
 0360 |65-6E-73-73-68-2E-63-6F 6D-00-00-00-61-68-6D-61| enssh.com...ahma
 0370 |63-2D-73-68-61-32-2D-32 35-36-2D-65-74-6D-40-6F| c-sha2-256-etm@o
 0380 |70-65-6E-73-73-68-2E-63 6F-6D-2C-68-6D-61-63-2D| penssh.com,hmac-
 0390 |73-68-61-32-2D-32-35-36 2C-68-6D-61-63-2D-73-68| sha2-256,hmac-sh
 03A0 |61-32-2D-35-31-32-2D-65 74-6D-40-6F-70-65-6E-73| a2-512-etm@opens
 03B0 |73-68-2E-63-6F-6D-2C-68 6D-61-63-2D-73-68-61-32| sh.com,hmac-sha2
 03C0 |2D-35-31-32-2C-68-6D-61 63-2D-73-68-61-31-00-00| -512,hmac-sha1..
 03D0 |00-61-68-6D-61-63-2D-73 68-61-32-2D-32-35-36-2D| .ahmac-sha2-256-
 03E0 |65-74-6D-40-6F-70-65-6E 73-73-68-2E-63-6F-6D-2C| etm@openssh.com,
 03F0 |68-6D-61-63-2D-73-68-61 32-2D-32-35-36-2C-68-6D| hmac-sha2-256,hm
 0400 |61-63-2D-73-68-61-32-2D 35-31-32-2D-65-74-6D-40| ac-sha2-512-etm@
 0410 |6F-70-65-6E-73-73-68-2E 63-6F-6D-2C-68-6D-61-63| openssh.com,hmac
 0420 |2D-73-68-61-32-2D-35-31 32-2C-68-6D-61-63-2D-73| -sha2-512,hmac-s
 0430 |68-61-31-00-00-00-1A-6E 6F-6E-65-2C-7A-6C-69-62| ha1....none,zlib
 0440 |2C-7A-6C-69-62-40-6F-70 65-6E-73-73-68-2E-63-6F| ,zlib@openssh.co
 0450 |6D-00-00-00-1A-6E-6F-6E 65-2C-7A-6C-69-62-2C-7A| m....none,zlib,z
 0460 |6C-69-62-40-6F-70-65-6E 73-73-68-2E-63-6F-6D-00| lib@openssh.com.
 0470 |00-00-00-00-00-00-00-00 00-00-00-00            | ............
2024-02-28 13:44:22.677 VERBOSE Ssh(58)[19] SSH: Received packet SSH_MSG_KEXINIT (433 bytes).
 0000 |14-EF-AC-03-45-D3-22-28 82-A3-D2-C1-D7-C8-38-63| ....E."(......8c
 0010 |C0-00-00-00-41-64-69-66 66-69-65-2D-68-65-6C-6C| ....Adiffie-hell
 0020 |6D-61-6E-2D-67-72-6F-75 70-2D-65-78-63-68-61-6E| man-group-exchan
 0030 |67-65-2D-73-68-61-32-35 36-2C-63-75-72-76-65-32| ge-sha256,curve2
 0040 |35-35-31-39-2D-73-68-61 32-35-36-40-6C-69-62-73| 5519-sha256@libs
 0050 |73-68-2E-6F-72-67-00-00 00-18-72-73-61-2D-73-68| sh.org....rsa-sh
 0060 |61-32-2D-35-31-32-2C-73 73-68-2D-65-64-32-35-35| a2-512,ssh-ed255
 0070 |31-39-00-00-00-21-61-65 73-32-35-36-2D-63-74-72| 19...!aes256-ctr
 0080 |2C-61-65-73-32-35-36-2D 67-63-6D-40-6F-70-65-6E| ,aes256-gcm@open
 0090 |73-73-68-2E-63-6F-6D-00 00-00-21-61-65-73-32-35| ssh.com...!aes25
 00A0 |36-2D-63-74-72-2C-61-65 73-32-35-36-2D-67-63-6D| 6-ctr,aes256-gcm
 00B0 |40-6F-70-65-6E-73-73-68 2E-63-6F-6D-00-00-00-57| @openssh.com...W
 00C0 |68-6D-61-63-2D-73-68-61 32-2D-32-35-36-2C-68-6D| hmac-sha2-256,hm
 00D0 |61-63-2D-73-68-61-32-2D 32-35-36-2D-65-74-6D-40| ac-sha2-256-etm@
 00E0 |6F-70-65-6E-73-73-68-2E 63-6F-6D-2C-68-6D-61-63| openssh.com,hmac
 00F0 |2D-73-68-61-32-2D-35-31 32-2C-68-6D-61-63-2D-73| -sha2-512,hmac-s
 0100 |68-61-32-2D-35-31-32-2D 65-74-6D-40-6F-70-65-6E| ha2-512-etm@open
 0110 |73-73-68-2E-63-6F-6D-00 00-00-57-68-6D-61-63-2D| ssh.com...Whmac-
 0120 |73-68-61-32-2D-32-35-36 2C-68-6D-61-63-2D-73-68| sha2-256,hmac-sh
 0130 |61-32-2D-32-35-36-2D-65 74-6D-40-6F-70-65-6E-73| a2-256-etm@opens
 0140 |73-68-2E-63-6F-6D-2C-68 6D-61-63-2D-73-68-61-32| sh.com,hmac-sha2
 0150 |2D-35-31-32-2C-68-6D-61 63-2D-73-68-61-32-2D-35| -512,hmac-sha2-5
 0160 |31-32-2D-65-74-6D-40-6F 70-65-6E-73-73-68-2E-63| 12-etm@openssh.c
 0170 |6F-6D-00-00-00-15-6E-6F 6E-65-2C-7A-6C-69-62-40| om....none,zlib@
 0180 |6F-70-65-6E-73-73-68-2E 63-6F-6D-00-00-00-15-6E| openssh.com....n
 0190 |6F-6E-65-2C-7A-6C-69-62 40-6F-70-65-6E-73-73-68| one,zlib@openssh
 01A0 |2E-63-6F-6D-00-00-00-00 00-00-00-00-00-00-00-00| .com............
 01B0 |00                                             | .
2024-02-28 13:44:22.678 DEBUG Ssh(58)[61] SSH: Negotiating key.
2024-02-28 13:44:22.678 VERBOSE Ssh(58)[61] SSH: Sending packet SSH_MSG_KEX_30 (37 bytes).
 0000 |1E-00-00-00-20-78-3F-A7 59-5B-DB-B6-33-9B-9A-17| .... x?.Y[..3...
 0010 |22-26-EB-BE-1F-8B-96-66 08-79-F9-6B-6C-F8-16-9D| "&.....f.y.kl...
 0020 |C3-5C-BE-08-5C                                 | .\..\
2024-02-28 13:44:22.713 VERBOSE Ssh(58)[19] SSH: Received packet SSH_MSG_KEX_31 (179 bytes).
 0000 |1F-00-00-00-33-00-00-00 0B-73-73-68-2D-65-64-32| ....3....ssh-ed2
 0010 |35-35-31-39-00-00-00-20 0A-C7-8D-80-D7-11-B5-04| 5519... ........
 0020 |BE-42-B4-1B-F9-07-9E-2C 5D-1E-C9-F6-1B-46-30-43| .B.....,]....F0C
 0030 |2D-C7-CF-77-7C-71-04-34 00-00-00-20-D9-D8-7D-0B| -..w|q.4... ..}.
 0040 |55-8C-A3-18-E3-00-53-1C 86-41-65-DE-AC-E8-BF-D1| U.....S..Ae.....
 0050 |F0-1E-6A-BA-5D-E8-0B-06 4A-8F-80-37-00-00-00-53| ..j.]...J..7...S
 0060 |00-00-00-0B-73-73-68-2D 65-64-32-35-35-31-39-00| ....ssh-ed25519.
 0070 |00-00-40-C7-D7-F3-6D-2E 60-4E-FB-25-56-32-E6-A2| ..@...m.`N.%V2..
 0080 |99-FD-A8-04-47-0C-D7-E4 69-26-2B-64-F7-67-B0-D5| ....G...i&+d.g..
 0090 |C1-83-CE-FD-81-9A-F8-31 90-26-0A-09-F1-6C-53-7A| .......1.&...lSz
 00A0 |70-6F-96-4C-3C-64-C0-C1 5F-26-C1-56-69-D9-6D-56| po.L<d.._&.Vi.mV
 00B0 |FD-04-0F                                       | ...
2024-02-28 13:44:22.713 VERBOSE Ssh(58)[19] SSH: Received packet SSH_MSG_NEWKEYS (1 bytes).
 0000 |15                                             | .
2024-02-28 13:44:22.713 DEBUG Ssh(58)[61] SSH: Validating 'ssh-ed25519' signature.
2024-02-28 13:44:22.716 VERBOSE Ssh(58)[61] SSH: Sending packet SSH_MSG_NEWKEYS (1 bytes).
 0000 |15                                             | .
2024-02-28 13:44:22.716 INFO Ssh(58)[61] SSH: Negotiation finished.
2024-02-28 13:44:22.716 DEBUG Ssh(58)[19] SSH: Server supports extension negotiation.
ytes).
 0000 |07-00-00-00-01-00-00-00 0F-73-65-72-76-65-72-2D| .........server-
 0010 |73-69-67-2D-61-6C-67-73 00-00-00-19-72-73-61-2D| sig-algs....rsa-
 0020 |73-68-61-32-2D-32-35-36 2C-72-73-61-2D-73-68-61| sha2-256,rsa-sha
 0030 |32-2D-35-31-32                                 | 2-512
2024-02-28 13:44:22.716 DEBUG Ssh(58)[19] SSH: Server supports extension negotiation.
2024-02-28 13:44:22.716 INFO Ssh(58)[61] Info: Cipher info: SSH 2.0, curve25519-sha256@libssh.org, ssh-ed25519, aes256-gcm@openssh.com/aes256-gcm@openssh.com
by (144k points)
Thanks, that's the log we needed. It confirms that this is a server-side issue - I have updated my first response with details: https://forum.rebex.net/22697/exchange-issues-negotiation-failed-with-fortigate-firewalls?show=22698#a22698
by (120 points)
thank you, i'll see if I can get this raised with FortiNet
...