Key exchange error with connect.vi in VIPM version 1.2.4.32 with NI RT Linux 2024 #65

Open
temin4u opened this issue Apr 6, 2024 · 8 comments

@temin4u

temin4u commented Apr 6, 2024

Error -8111 occurred at Field_RnD_Services_LIBSSH2_Toolkit.lvlib:Session.lvclass:Connect.vi

Possible reason(s):

[Key Exchange Failure Error]

If the client is executed from a Windows target, there are no issues. The error occurs only from the RT Linux target.

@Ashwin-Saravanan-lennox

new IPK file with lv2024Q1.zip
I tried with the new IPK binaries; this issue still exists.

@temin4u
Author

temin4u commented Apr 7, 2024

Please find below the debug log, in which the SSH client (Linux native) on the PXI running the latest RT Linux image with OpenSSH version 8.9 is able to communicate with our device of interest running OpenSSH version 8.2. Does the libssh2 lib have any dependency on the native OpenSSH for accessing KEX algorithms?

I tried changing /etc/ssh/ssh_config to use a different protocol suite, but our libssh2lv lib still throws a key exchange error with the connect API, even after installing the latest SO built by my colleague in the above post. I'm assuming that libssh2 does not have any dependency on the native Linux OpenSSH 8.9. Can you share your inputs on this, please?

admin@ATE-RES-005:~# ssh [email protected] -v
OpenSSH_8.9p1, OpenSSL 3.0.12 24 Oct 2023
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to 10.1.165.22 [10.1.165.22] port 22.
debug1: Connection established.
debug1: identity file /home/admin/.ssh/identity type -1
debug1: identity file /home/admin/.ssh/identity-cert type -1
debug1: identity file /home/admin/.ssh/id_rsa type -1
debug1: identity file /home/admin/.ssh/id_rsa-cert type -1
debug1: identity file /home/admin/.ssh/id_dsa type -1
debug1: identity file /home/admin/.ssh/id_dsa-cert type -1
debug1: identity file /home/admin/.ssh/id_ecdsa type -1
debug1: identity file /home/admin/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/admin/.ssh/id_ed25519 type -1
debug1: identity file /home/admin/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.2
debug1: compat_banner: match: OpenSSH_8.2 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 10.1.165.22:22 as 'root'
debug1: load_hostkeys: fopen /home/admin/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: [email protected] MAC: compression: none
debug1: kex: client->server cipher: [email protected] MAC: compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:NcovJB+q25Ij1ywxjRZzaAv3fe05Cvl9IT6EzwHBMJA
debug1: load_hostkeys: fopen /home/admin/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '10.1.165.22' is known and matches the ED25519 host key.
debug1: Found key in /home/admin/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/admin/.ssh/identity
debug1: Will attempt key: /home/admin/.ssh/id_rsa
debug1: Will attempt key: /home/admin/.ssh/id_dsa
debug1: Will attempt key: /home/admin/.ssh/id_ecdsa
debug1: Will attempt key: /home/admin/.ssh/id_ed25519
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,[email protected],ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected]>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/admin/.ssh/identity
debug1: Trying private key: /home/admin/.ssh/id_rsa
debug1: Trying private key: /home/admin/.ssh/id_dsa
debug1: Trying private key: /home/admin/.ssh/id_ecdsa
debug1: Trying private key: /home/admin/.ssh/id_ed25519
debug1: Next authentication method: password
[email protected]'s password:
Authenticated to 10.1.165.22 ([10.1.165.22]:22) using "password".
debug1: channel 0: new [client-session]
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: exec
debug1: client_input_global_request: rtype [email protected] want_reply 0
debug1: client_input_hostkeys: searching /home/admin/.ssh/known_hosts for 10.1.165.22 / (none)
debug1: client_input_hostkeys: searching /home/admin/.ssh/known_hosts2 for 10.1.165.22 / (none)
debug1: client_input_hostkeys: hostkeys file /home/admin/.ssh/known_hosts2 does not exist
debug1: X11 forwarding requested but DISPLAY not set
debug1: client_global_hostkeys_private_confirm: server used untrusted RSA signature algorithm ssh-rsa for key 0, disregarding
debug1: update_known_hosts: known hosts file /home/admin/.ssh/known_hosts2 does not exist

@volks73
Member

volks73 commented Apr 7, 2024

My guess is that it is different versions of OpenSSL. The libssh2lv C library that must be built and installed on the NI Linux RT target uses OpenSSL v3.0.1 and LibSSH2 v1.10.0. A newer version of OpenSSL is probably needed.

When building libssh2lv from source, the build will automatically download the OpenSSL v3.0.1 and LIBSSH2 v1.10.0 code and build these dependencies.

https://github.com/fieldrndservices/libssh2lv/blob/37e70513fa7aecf670eb15511726b10b534da1c4/CMakeLists.txt#L24

and

https://github.com/fieldrndservices/libssh2lv/blob/37e70513fa7aecf670eb15511726b10b534da1c4/CMakeLists.txt#L60

I do not have access to a LabVIEW 2023 or newer NI Linux RT machine or environment, so I have no idea which version of OpenSSL is installed/shipped with newer versions of LabVIEW.

There can be incompatibilities between LIBSSH2 and OpenSSL versions, so the libssh2lv build downloads and uses its own versions that are known to work together. You can try a couple of options:

  1. Disable building dependencies for libssh2lv and use the system libraries.

    mkdir build && cd build
    cmake -DBUILD_DEPS=OFF ..
    cmake --build .

    If you have built the libssh2 library from source and separately on a NI Linux RT machine. If the NI Linux RT machine has access to the Internet, then another option might be easier.

  2. Bump the versions of LIBSSH2 and OpenSSL in the CMakeLists.txt file. This must be completed on a NI Linux RT machine with Internet access. The following steps assume you have logged into the NI Linux RT machine via SSH and have a terminal available.

    1. Clone the libssh2lv project:

      git clone https://github.com/fieldrndservices/libssh2lv && cd libssh2lv

    2. Create a branch.

      git checkout -b feature-bump-deps

    3. Open the CMakeLists.txt file in a text editor, like nano or vim, and modify Line 65 to be:

      GIT_TAG openssl-3.2.1

      and Line 83 to be:

      GIT_TAG libssh2-1.11.0

    4. Save changes and run build. Note, we do want to use the dependencies and defaults now.

      mkdir build && cd build
      cmake ..
      cmake --build .

For both options, you may want to build and run the tests for the libssh2lv project. This will at least ensure the libssh2lv build was successful and eliminate a build error ultimately causing the issue.

The LabVIEW toolkit needs the libssh2lv, which is dependent on libssh2, which is dependent on OpenSSL. Any key exchange and cypher-related stuff is handed off to the OpenSSL shared library down this dependency chain. If a key or algorithm is not working/supported/allowed, it is usually because the OpenSSL library does not support it.
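
Added example, not part of the comment above and not the project's code: one way to tell whether a key exchange failure is a plain algorithm mismatch is to take the server's proposal from `ssh -vv` output and negotiate it against the lists the client library supports. The function names, the sample log and the client lists are constructed for illustration, and the negotiation is simplified to "first client algorithm the server also lists".

```shell
# Added example: check a client's KEX and host key lists against `ssh -vv`.

# Constructed sample of `ssh -vv` output; the algorithm lists are made up.
SAMPLE_LOG='debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256
debug2: host key algorithms: ssh-ed25519,rsa-sha2-512
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group14-sha256
debug2: host key algorithms: rsa-sha2-512,ssh-ed25519'

# server_proposal LOG FIELD: print the list the server sent for FIELD.
server_proposal() {
    printf '%s\n' "$1" | awk -v field="$2" '
        /peer server KEXINIT proposal/ { peer = 1; next }
        peer && index($0, "debug2: " field ": ") == 1 {
            print substr($0, length("debug2: " field ": ") + 1); exit
        }'
}

# negotiate CLIENT_LIST SERVER_LIST: print the first client algorithm the
# server also lists (RFC 4253 section 7.1); return 1 if there is none.
negotiate() {
    old_ifs=$IFS; IFS=,
    for c in $1; do
        for s in $2; do
            if [ "$c" = "$s" ]; then
                IFS=$old_ifs; printf '%s\n' "$c"; return 0
            fi
        done
    done
    IFS=$old_ifs; return 1
}

# check_kex LOG CLIENT_KEX CLIENT_HOSTKEY: client lists are supplied by you.
check_kex() {
    rc=0
    for pair in "KEX algorithms|$2" "host key algorithms|$3"; do
        field=${pair%%|*}; client=${pair#*|}
        server=$(server_proposal "$1" "$field")
        if alg=$(negotiate "$client" "$server"); then
            echo "$field: $alg"
        else
            echo "$field: NO COMMON ALGORITHM"; rc=1
        fi
    done
    return $rc
}

check_kex "$SAMPLE_LOG" "ecdh-sha2-nistp256,curve25519-sha256" "ssh-ed25519"
```

To use it on a real target, capture the log with `ssh -vv user@host 2>&1` and pass it as the first argument. If both fields negotiate an algorithm, the failure lies elsewhere, for example in the crypto library build.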

@Ashwin-Saravanan-lennox

Ashwin-Saravanan-lennox commented Apr 7, 2024

I'm facing this issue
build error log.txt
Can't locate FindBin.pm in @INC (you may need to install the FindBin module) (@INC contains: /usr/lib/perl5/site_perl/5.34.1/x86_64-linux /usr/lib/perl5/site_perl/5.34.1 /usr/lib/perl5/vendor_perl/5.34.1/x86_64-linux /usr/lib/perl5/vendor_perl/5.34.1 /usr/lib/perl5/5.34.1/x86_64-linux /usr/lib/perl5/5.34.1) at /home/root/libssh2lv/.deps/openssl/src/openssl/Configure line 15.
BEGIN failed--compilation aborted at /home/root/libssh2lv/.deps/openssl/src/openssl/Configure line 15.
make[2]: *** [CMakeFiles/openssl.dir/build.make:92: ../.deps/openssl/src/openssl-stamp/openssl-configure] Error 2
make[1]: *** [CMakeFiles/Makefile2:102: CMakeFiles/openssl.dir/all] Error 2
make: *** [Makefile:91: all] Error 2

Could you please provide a cmake rule to build the .ipk file as well for NI RT Linux?

@Ashwin-Saravanan-lennox

After installing all the Perl dependencies, I am facing this issue:
admin@ATE-RES-005:~/libssh2lv/build# cmake --build .
[ 3%] Performing build step for 'openssl'
/usr/lib/gcc/x86_64-nilrt-linux/11.4.0/../../../../x86_64-nilrt-linux/bin/ld:providers/legacy.ld:0: syntax error in VERSION script
collect2: error: ld returned 1 exit status
make[4]: *** [Makefile:13371: providers/legacy.so] Error 1
make[3]: *** [Makefile:2297: build_sw] Error 2
make[2]: *** [CMakeFiles/openssl.dir/build.make:86: ../.deps/openssl/src/openssl-stamp/openssl-build] Error 2
make[1]: *** [CMakeFiles/Makefile2:102: CMakeFiles/openssl.dir/all] Error 2
make: *** [Makefile:91: all] Error 2

@Ashwin-Saravanan-lennox

Ashwin-Saravanan-lennox commented Apr 8, 2024

Is it possible to connect through a Teams call? Please let me know a convenient time. @volks73

@temin4u
Author

temin4u commented Apr 8, 2024

openssl/openssl#11281
Does the CPUID and buildinfo file need edits to resolve this issue?

@Ashwin-Saravanan-lennox

How to overcome this issue with libcrypto.a?
gcc -Iinclude -Iproviders/implementations/include -Iproviders/common/include -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_BUILDING_OPENSSL -DNDEBUG -MMD -MF providers/legacy-dso-legacyprov.d.tmp -MT providers/legacy-dso-legacyprov.o -c -o providers/legacy-dso-legacyprov.o providers/legacyprov.c
/usr/bin/perl ./util/mkdef.pl --type dso --ordinals util/providers.num --name providers/legacy --OS linux > providers/legacy.ld
gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -L. -Wl,-z,defs -Wl,-znodelete -shared -Wl,-Bsymbolic
-o providers/legacy.so -Wl,--version-script=providers/legacy.ld
providers/legacy-dso-legacyprov.o
providers/liblegacy.a providers/libcommon.a -lcrypto -ldl -pthread
/usr/lib/gcc/x86_64-nilrt-linux/11.4.0/../../../../x86_64-nilrt-linux/bin/ld: ./libcrypto.a(libcommon-lib-ciphercommon_gcm.o): in function `ossl_gcm_get_ctx_params': ciphercommon_gcm.c:(.text+0x151): undefined reference to `ossl_param_find_pidx'
/usr/lib/gcc/x86_64-nilrt-linux/11.4.0/../../../../x86_64-nilrt-linux/bin/ld: ./libcrypto.a(libcommon-lib-ciphercommon_gcm.o): in function `ossl_gcm_set_ctx_params': ciphercommon_gcm.c:(.text+0x491): undefined reference to `ossl_param_find_pidx'
collect2: error: ld returned 1 exit status
make[4]: *** [Makefile:13476: providers/legacy.so] Error 1
make[4]: Leaving directory '/home/admin/libssh2lv/.deps/openssl/src/openssl'
make[3]: *** [Makefile:2322: build_sw] Error 2
make[3]: Leaving directory '/home/admin/libssh2lv/.deps/openssl/src/openssl'
make[2]: *** [CMakeFiles/openssl.dir/build.make:86: ../.deps/openssl/src/openssl-stamp/openssl-build] Error 2
make[2]: Leaving directory '/home/admin/libssh2lv/build'
make[1]: *** [CMakeFiles/Makefile2:102: CMakeFiles/openssl.dir/all] Error 2
make[1]: Leaving directory '/home/admin/libssh2lv/build'
make: *** [Makefile:91: all] Error 2
admin@ATE-RES-001:~/libssh2lv/build#

@volks73 volks73 added the bug Something isn't working label May 2, 2024