PHP - Resolve "ssh2_connect unable to exchange encryption keys"


Let's say you are attempting to make an SSH connection to an SSH server using the ssh2_connect function in PHP. In this example, there is an attempt to make an SSH connection from the PHP system to the SSH server at server1.example.com.

<?php
  // ssh2_connect returns false on failure and emits a PHP Warning
  $connection = ssh2_connect('server1.example.com', 22);
  if ($connection === false) {
    die('ssh2_connect to server1.example.com failed');
  }
?>


And the following is being returned in the PHP log.

NOTICE: PHP message: PHP Warning:  ssh2_connect(): Error starting up SSH connection(-5): Unable to exchange encryption keys


This error means that the PHP system was able to reach the SSH server over the network and the failure happened during the SSH key exchange, not at the TCP level. If the SSH server is a Linux system, the /var/log/secure log on the Linux system should contain events for the SSH connection.

Jan 29 07:02:46 docker1 sshd[3245780]: Connection from 192.168.0.15 port 55736 on 192.168.0.16 port 22 rdomain ""

Jan 29 07:02:46 docker1 sshd[3245780]: Unable to negotiate with 192.168.0.15 port 55736: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]


Notice in this example that the client (the PHP ssh2 extension, which is built on libssh2) offered only the following host key types:

  • ssh-rsa
  • ssh-dss


If you have access to the SSH server, you will want to check whether it is configured to accept connections with ssh-rsa or ssh-dss. For example, if the SSH server is OpenSSH on RHEL 8 or a derivative, the system-wide crypto policy supplies the HostKeyAlgorithms list, and it can be viewed like this. On other systems, or to see the effective value after any sshd_config overrides, sshd -T | grep -i hostkeyalgorithms prints what the running sshd actually allows.

~]# cat /etc/crypto-policies/back-ends/opensshserver.config
HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com


In this example, the OpenSSH server is NOT configured to accept the ssh-rsa and ssh-dss host key types, which is ultimately what causes the error to be returned when attempting the connection using the PHP ssh2_connect function. One solution here, if possible, is to update the OpenSSH server to allow connections with ssh-rsa or ssh-dss. Keep in mind that both are SHA-1 based algorithms that modern OpenSSH disables by default (ssh-dss since OpenSSH 7.0, ssh-rsa since OpenSSH 8.8), and re-enabling them on the server weakens it for every client, not just the PHP system. The underlying cause is a libssh2 behind the PHP ssh2 extension that is too old to offer rsa-sha2-256 or rsa-sha2-512, so updating libssh2 and the ssh2 extension on the PHP system is the better long-term fix, with the server-side change as a stopgap.

After this is done, the connection should be successful, and the /var/log/secure file on the OpenSSH system should have something like this. The first three lines are sshd restarting to pick up the configuration change; the last three show the key exchange completing and the PHP client (identified by its PECL/ssh2 disconnect message) disconnecting before authentication, which is expected because the example script only calls ssh2_connect.

Jan 29 07:20:16 docker1 sshd[3246421]: Received signal 15; terminating.
Jan 29 07:20:16 docker1 sshd[3246515]: Server listening on 0.0.0.0 port 22.
Jan 29 07:20:16 docker1 sshd[3246515]: Server listening on :: port 22.
Jan 29 07:20:28 docker1 sshd[3246520]: Connection from 192.168.0.15 port 55748 on 192.168.0.16 port 22 rdomain ""
Jan 29 07:20:28 docker1 sshd[3246520]: Received disconnect from 192.168.0.15 port 55748:11: PECL/ssh2 (http://pecl.php.net/packages/ssh2) [preauth]
Jan 29 07:20:28 docker1 sshd[3246520]: Disconnected from 192.168.0.15 port 55748 [preauth]
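As an added example (not code from the original article), the following PHP shows the client-side checks a practitioner would want around ssh2_connect: advertising modern host key algorithms first, refusing to proceed if a legacy SHA-1 algorithm was negotiated, and pinning the server host key fingerprint. The host name and the pinned fingerprint are placeholders; it assumes the PECL ssh2 extension is loaded.

```php
<?php
// Added example, not code from the original article. Assumes the PECL ssh2
// extension is loaded; the host name and the pinned fingerprint are placeholders.

// Host key algorithms to advertise, strongest first. Which of these are actually
// offered depends on the libssh2 version behind the extension; an old libssh2
// will still only offer ssh-rsa and ssh-dss, as seen in the sshd log above.
const PREFERRED_HOSTKEY = 'ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256';
// SHA-1 based algorithms that modern OpenSSH disables by default.
const LEGACY_HOSTKEY = ['ssh-rsa', 'ssh-dss'];

function ssh_connect_checked(string $host, string $pinnedSha1Hex, int $port = 22)
{
    $session = @ssh2_connect($host, $port, ['hostkey' => PREFERRED_HOSTKEY]);
    if ($session === false) {
        // This is the path taken on "Unable to exchange encryption keys".
        throw new RuntimeException("Key exchange with $host:$port failed; check "
            . "HostKeyAlgorithms on the server and the libssh2 version on the client");
    }

    // Inspect what was actually negotiated rather than what was requested.
    $negotiated = ssh2_methods_negotiated($session);
    if (in_array($negotiated['hostkey'], LEGACY_HOSTKEY, true)) {
        throw new RuntimeException(
            "Server negotiated legacy host key algorithm {$negotiated['hostkey']}");
    }

    // Pin the server host key so a changed key is noticed instead of silently accepted.
    $fingerprint = ssh2_fingerprint($session, SSH2_FINGERPRINT_SHA1 | SSH2_FINGERPRINT_HEX);
    if (!hash_equals(strtoupper($pinnedSha1Hex), strtoupper($fingerprint))) {
        throw new RuntimeException("Host key fingerprint mismatch for $host: $fingerprint");
    }

    return $session;
}

// Usage: replace the placeholder with the SHA-1 hex fingerprint recorded out of band.
$session = ssh_connect_checked('server1.example.com', '<PINNED_SHA1_HEX_FINGERPRINT>');
echo 'Negotiated host key algorithm: ' . ssh2_methods_negotiated($session)['hostkey'] . PHP_EOL;
```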
