connect_ssh2

[KenHorse]

I've been using the following script snippet to connect to a remote server in order to run lm-sensors on the remote server and it's worked fine (I've changed the IP and password for this post of course)
 

$connection = ssh2_connect('xxx.xxx.xxx.x', 22); 
ssh2_auth_password($connection, 'root', 'xxxxxx');

if($output = ssh2_exec($connection, 'sensors')) { 
  stream_set_blocking($output, true); 
  $x = stream_get_contents($output); 
}

This script runs on a Debian 10 machine and the remote server USED to also be Debian 10 but it was recently upgraded to Debian 12 (Bookworm) and now the script reports the following errors:
 

PHP Warning: ssh2_connect(): Error starting up SSH connection(-5): Unable to exchange encryption keys in /var/www/html/get_temp.php on line 3 
PHP Warning: ssh2_connect(): Unable to connect to xxx.xxx.xxx.x in /var/www/html/get_temp.php on line 3 
PHP Warning: ssh2_auth_password() expects parameter 1 to be resource, bool given in /var/www/html/get_temp.php on line 4 
PHP Warning: ssh2_exec() expects parameter 1 to be resource, bool given in /var/www/html/get_temp.php on line 6

I can connect using ssh from the command line (ssh @ xxx.xxx.xxx.x) and that works fine.

I'm not a total newbie to Linux but I'm no expert either so any help would be appreciated

Edited June 30, 2023 by KenHorse

[gw1500se]

Look for an error in the httpd logs. This error in PHP, I think, is generic.

[KenHorse]

These errors are from running the script from the command line

Edited June 30, 2023 by KenHorse

[kicken]

You probably need to update your php and/or openssl and/or libssh versions.  The error is likely because your client does not support any crypto algorithms that the server does so the encrypted channel cannot be established.

[gizmola]

It would be helpful if you provided the version of libssh on the client server running php, as well as the php version.

Likely this issue is that you have libssh2, and the message is telling you that the key exchange doesn't work. 

This is because libssh2 upon which the php routines were built, used diffie-hellman-group1-sha1, and the version of openssh no longer will accept that exchange, hence the error.  To understand why this all came about, you can read about the Logjam exploit which attacked the SHA1 key exchange, as well as recommended configuration changes to a variety of commonly used services.  While openssh was not specifically vulnerable to logjam, given its focus on openssl, there was still a concern that the key exchange had a weakness, so support for diffie-hellman-group1-sha1 was removed from openssh.  This page has more specifics.

So at this point, you should be able to remedy the problem with an upgrade of libssh2 to a more modern version (version >= 1.7) which supports newer key exchange methods. 

One alternative to the reliance on the php extension would be to modify your code to use phpseclib instead, which supports modern servers.

[KenHorse]

I found the fix

On the Debian 12 server, I added the following to /etc/ssh/sshd_config

 

HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa

 

As this server is on a private LAN, security isn't an issue