Sudden Putty Connection Issue

[djtech2k]

Yes, I have reinstalled 0.82 several times and also tried the dev version. The same version works on my other laptop and used to work on this one.

 

[djtech2k]

Ok, I think I found it. My "working" laptop is using putty 0.81. My "non-working" laptop is 0.82. I tried the exe for 0.81 on the "non-working" laptop and it connected.

So for some reason, putty 0.82 will not connect to my AsusWRT running RMerlin. Now my router is running a quite old version so maybe there is a compat issue between the new putty and my old RMerlin firmware.

 

[Digilog]

Ok, I think I found it. My "working" laptop is using putty 0.81. My "non-working" laptop is 0.82. I tried the exe for 0.81 on the "non-working" laptop and it connected.

So for some reason, putty 0.82 will not connect to my AsusWRT running RMerlin. Now my router is running a quite old version so maybe there is a compat issue between the new putty and my old RMerlin firmware.

Well there are a few keys they discontinued. What I find interesting the server usually replies to the client:

Unable to negotiate with legacyhost: no matching host key type found. Their offer: [outdated key name]

We can debug the server, however you should flash the router to a modern version because the old version of beardrop SSH server has bugs and issues.

 

[RMerlin]

Dec 4 13:48:06 dropbear[14732]: Exit before auth from <192.168.x.x:53823>: No matching algo kex

Your Putty client does not support any of the key exchange protocols supported by your router. You can view supported KEX with the OpenSSH client:

ssh -vvv myserver.lan

Then look for something like this:

debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,kexguess2@matt.ucc.asn.au,kex-strict-s-v00@openssh.com

One of these reported by your router need to be supported by your Putty client. See if Putty lets you enable/disable them. I don't use Putty, so I'm not familiar with what configuration options it offers.

 

[djtech2k]

Not sure how to do that. Here is a shot of both putty versions with the Kex options and they look identical.

I also ran the command you sent and the closest line I found to what you posted was "debug1: kex: algorithm: curve25519-sha256". That was run from the ssh command on my laptop pointing to my Asus router.

 

[djtech2k]

Well there are a few keys they discontinued. What I find interesting the server usually replies to the client:

Unable to negotiate with legacyhost: no matching host key type found. Their offer: [outdated key name]

We can debug the server, however you should flash the router to a modern version because the old version of beardrop SSH server has bugs and issues.

I would but I intend to replace this thing soon. It is SOOOO old. It has been great for a long time. I have fallen behind so many times and had to reflash and start over, which I hate doing, so I am trying something else soon. For right now, I need to keep this running until I get the new hardware and get it built/configured.

 

[bennor]

What firmware version are you running on the router?

No issues with using the latest version of Putty (0.82) to access two separate RT-AC68U's, one running latest Asus stock the other running latest Asus-Merlin:
RT-AC68U - 3.0.0.4.386_51722
RT-AC68U - 386.14_2

As a troubleshooting step if you haven't done so already, remove the saved entry (if there is one) for the router and recreate it using Putty's default values. Or disable SSH in the router GUI, reboot the router, then reenable it as a troubleshooting step.

Got the usual Putty Security Alert at first connect to both due to the host key being incorrect (reset both routers in the past). Example alert attached (I hit the Accept button on the alert).

Post edited

 

[djtech2k]

What firmware version are you running on the router?

No issues with using the latest version of Putty (0.82) to access two separate RT-AC68U's, one running latest Asus stock the other running latest Asus-Merlin:
RT-AC68U - 3.0.0.4.386_51722
RT-AC68U - 386.14_2

As a troubleshooting step if you haven't done so already, remove the saved entry (if there is one) for the router and recreate it using Putty's default values. Or disable SSH in the router GUI, reboot the router, then reenable it as a troubleshooting step.

Got the usual Putty Security Alert at first connect to both due to the host key being incorrect (reset both routers in the past). Example alert attached (I hit the Accept button on the alert).

Post edited

I am running v384.19. Yes, I know its old. LOL

I have removed the save entry many times and tried so many different ways and it fails immediately. As soon as I use putty 0.81 or any other SSH client, it works fine.

 

[bennor]

in I am running v384.19. Yes, I know its old. LOL

If the router is internet facing you really, really, should consider updating the RT-AC68U router to 386.14_2 (17-Nov-2024) due to all the security vulnerabilities that have been patched in the firmware since 14-Aug-2020.
https://www.asuswrt-merlin.net/download

 

[djtech2k]

My Asus is sitting behind my ISP modem/router so I am running in double-NAT. That's how its always been.

I have not intentionally let it get old but I do not touch it on a constant basis and when the update path is to reset to bare metal, I hate taking the time to do the whole process. I have done it several times over the years but I hate having to re-apply all of my settings/customizations/configs by hand. If I could simply click update or restore everything from a backup file then that would make it more plausible but I have always been told that won't work.

So I admit it is my own fault but I just don't like to do that whole thing over and over again.

I am going to try something different mainly because this hw is so old and I worry about it keeping up, but also to have something with more ability to update-in-place and an easy backup/restore option. I don't even know how many years I have been using the RMerlin fw and its been very good to me so it was not an easy decision to make. I am hoping to have new hw to start loading in a couple weeks so hopefully I will have something to start using in a month or 2 at most. My Asus will be a hot backup for a while at least until I gain confidence in the new device.

 

[ColinTaylor]

I looked it up, time is only needed with SSL authentication. But not with user/password. But the thread starter needs to look at the logs in the router into why the laptop is rejected.

There's also no time component if you're using authorised keys, e.g. ssh-rsa.

 

[John Fitzgerald]

I am running v384.19.

If upgrading from 384.19 to 386.14_2 you will need a factory wipe/reset via the GUI after you flash.

If your saved settings were basic, a saved config file may work in restore but you said it was not simple so this would be a rebuild from scratch or bare metal as you put it.

 

[Digilog]

I would but I intend to replace this thing soon. It is SOOOO old. It has been great for a long time. I have fallen behind so many times and had to reflash and start over, which I hate doing, so I am trying something else soon. For right now, I need to keep this running until I get the new hardware and get it built/configured.

A firmware flash should do the trick. But personally, I don't use store bought wifi routers for anything less than an access point. I run a recycled AMD FX machine with ipfire with standard versions of services.

But you should be able to see what key the router wants to use by executing this in an SSH shell:

key exchange algorithms:

ssh -Q kex

for the supported ciphers :

ssh -Q cipher

Message Access Code Format List:

ssh -Q mac

So, with those three above queries, you should be able to set up communications in Putty. I am guessing maybe you have something toggled somewhere in the program.

 

[djtech2k]

I am in an SSH session with the Asus and those commands do not work. SSH is there but the arguments you have do not work. I am guessing its the version of ssh thats installed in the RMerlin build.

 

[Digilog]

I am in an SSH session with the Asus and those commands do not work. SSH is there but the arguments you have do not work. I am guessing its the version of ssh thats installed in the RMerlin build.

Oh well, I guess they were not helpful in making Beardrop SSH because those are the standard SSH commands on Open SSH.
Are you sure you deleted all the old PuTTy files before restoring it including /AppData/Local/PUTTY.RND in the home user folder?

But its not really the end of the world considering it works everywhere else and you should turn SSH off in the router after configuring it (even though configuring can be done in the web gui).
Other than trying to save storage space, there is no good reason why they are using beardrop. Its not as good as the normal SSH server used (Open SSH).

But regardless of a double NAT, someone can attack that router and you should update it.

 

[djtech2k]

Yeah it looks like the SSH on the router does not have the "-Q" parameter. I have been trying to scan files to see if its in a config file or something but so far no luck. Is there any other way to find the available kex?

I was not aware of the RND file so IDK if that was deleted or not. I have removed the registry key with the keys and session information.

I hear you on the firmware but like I said, I plan to replace it within weeks. I don't have any ports being forwarded in from the ISP and although its nothing special, its a second line of defense that blocks some exposure to the internet inbound. I am planning to replace this Asus with a pfsense device soon.

 

[djtech2k]

Looking around on the asus, I have found there's a ".ssh" directory that has 2 files, authorizedkeys and known_hosts. I can view the known_hosts and it has 1 line with my IP and ssh key. The authorizedkeys appears empty or I just can't open it because when I run "cat" on it, it shows nothing. I thought I might be able to see the available kex in there but I can't. When I try to use something like winscp to browse it, the ".ssh" directory is not there at all.

 

[visortgw]

Looking around on the asus, I have found there's a ".ssh" directory that has 2 files, authorizedkeys and known_hosts. I can view the known_hosts and it has 1 line with my IP and ssh key. The authorizedkeys appears empty or I just can't open it because when I run "cat" on it, it shows nothing. I thought I might be able to see the available kex in there but I can't. When I try to use something like winscp to browse it, the ".ssh" directory is not there at all.

Try removing the entry (i.e., entire line) in the known_hosts file using your editor of choice (nano is mine).

 

[Martinski]

OK I looked in the syslog.log file right after I tried to connect. Here is what I found:

Dec 4 13:48:06 dropbear[14732]: Child connection from 192.168.x.x:53823
Dec 4 13:48:06 dropbear[14732]: Exit before auth from <192.168.x.x:53823>: No matching algo kex

Since the reported issue appears to be between your laptop running PuTTY v0.82 and your router’s Dropbear SSH server, and the system log on the server side indicates there's an error during the key exchange when trying to connect, I recommend running the PuTTY CLI executable in verbose mode to see what errors are being generated on the client side.

Use the following command on a Windows Command Prompt terminal:

plink -v -P "PortNumber" "IPaddress" -i "C:/PATH/TO/PRIVATE/KEY/FILE/puttyPrivateKey.ppk"

"PortNumber" is the port number assigned to the Dropbear SSH Server.
"IPaddress" is the LAN IP address assigned to the router.
And, of course, provide the full path to your own private key used by PuTTY (using forward slashes).

EXAMPLE:

plink -v -P 22 192.168.50.1 -i "C:/PATH/TO/PRIVATE/KEY/FILE/puttyPrivateKey.ppk"

Post a clear & readable screenshot showing the full output from the command after redacting any sensitive information (e.g. public WAN IP address, username, password).

In addition, I suggest posting another screenshot showing the full output of the following command (from a Windows Command Prompt):

ssh -vvv -p "PortNumber" "IPaddress" 2>&1 | findstr /n /c:"Remote protocol" /c:"KEXINIT proposal" /c:"algorithms:" /c:"kex:"

(same parameters as explained above)

EXAMPLE:

ssh -vvv -p 22 192.168.50.1 2>&1 | findstr /n /c:"Remote protocol" /c:"KEXINIT proposal" /c:"algorithms:" /c:"kex:"

BTW, do not just post a couple of lines of output. Show as much data as possible and allow other people with more networking experience take a look at all the data to help you diagnose the problem.

Just my 2 cents.

 

[djtech2k]

Since the reported issue appears to be between your laptop running PuTTY v0.82 and your router’s Dropbear SSH server, and the system log on the server side indicates there's an error during the key exchange when trying to connect, I recommend running the PuTTY CLI executable in verbose mode to see what errors are being generated on the client side.

Use the following command on a Windows Command Prompt terminal:

plink -v -P "PortNumber" "IPaddress" -i "C:/PATH/TO/PRIVATE/KEY/FILE/puttyPrivateKey.ppk"

"PortNumber" is the port number assigned to the Dropbear SSH Server.
"IPaddress" is the LAN IP address assigned to the router.
And, of course, provide the full path to your own private key used by PuTTY (using forward slashes).

EXAMPLE:

plink -v -P 22 192.168.50.1 -i "C:/PATH/TO/PRIVATE/KEY/FILE/puttyPrivateKey.ppk"

Post a clear & readable screenshot showing the full output from the command after redacting any sensitive information (e.g. public WAN IP address, username, password).

In addition, I suggest posting another screenshot showing the full output of the following command (from a Windows Command Prompt):

ssh -vvv -p "PortNumber" "IPaddress" 2>&1 | findstr /n /c:"Remote protocol" /c:"KEXINIT proposal" /c:"algorithms:" /c:"kex:"

(same parameters as explained above)

EXAMPLE:

ssh -vvv -p 22 192.168.50.1 2>&1 | findstr /n /c:"Remote protocol" /c:"KEXINIT proposal" /c:"algorithms:" /c:"kex:"

BTW, do not just post a couple of lines of output. Show as much data as possible and allow other people with more networking experience take a look at all the data to help you diagnose the problem.

Just my 2 cents.

Thanks.

I am using name/password with SSH to connect to my AC68U so if I am readin it correctly, using the plink command you mentioned won't work because I am not using a key file to authenticate. So I used the "-l" option to specify password instead. When us9ng the v0.82 version of plink, I got the same error as putty so I grabbed v0.81 of plink and here is the output:

Looking up host "192.168.x.x" for SSH connection
Connecting to 192.168.x.x port 22
We claim version: SSH-2.0-PuTTY_Release_0.81
Connected to 192.168.x.x
Remote version: SSH-2.0-dropbear
Using SSH protocol version 2
No GSSAPI security context available
Doing ECDH key exchange with curve Curve25519, using hash SHA-256 (SHA-NI accelerated)
Server also has ecdsa-sha2-nistp256/ssh-dss/rsa-sha2-256/ssh-rsa host keys, but we don't know any of them
Host key fingerprint is:
ssh-ed25519 255 SHA256:aBCVv5oyV9Pbb4Mf5abc123hj043r/R000WmTO4qF7w
Initialised AES-256 SDCTR (AES-NI accelerated) outbound encryption
Initialised HMAC-SHA-256 (SHA-NI accelerated) outbound MAC algorithm
Initialised AES-256 SDCTR (AES-NI accelerated) inbound encryption
Initialised HMAC-SHA-256 (SHA-NI accelerated) inbound MAC algorithm
Pageant is running. Requesting keys.
Pageant has 1 SSH-2 keys
Using username "xxx".
Trying Pageant key #0
Server refused our key

Here is the output from the ssh command you mentioned:

67:debug1: Remote protocol version 2.0, remote software version dropbear
84:debug2: local client KEXINIT proposal
85:debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c,kex-strict-c-v00@openssh.com
86:debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
97:debug2: peer server KEXINIT proposal
98:debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,kexguess2@matt.ucc.asn.au
99:debug2: host key algorithms: ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-256,ssh-rsa,ssh-dss
110:debug1: kex: algorithm: curve25519-sha256
111:debug1: kex: host key algorithm: ssh-ed25519
112:debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
113:debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none