Skip to content

SSH connection compatibility issues with servers accessible via OpenSSH and improved debug information #79

New issue
New issue
Closed
#80
Closed
SSH connection compatibility issues with servers accessible via OpenSSH and improved debug information#79
#80
Assignees
inureyes
Labels
priority:highHigh priority issuestatus:readyReady to be worked ontype:enhancementNew feature or request
@inureyes

Description

@inureyes
inureyes
opened on Dec 15, 2025

Problem / Background

Some SSH servers that work perfectly with OpenSSH client fail to connect when using bssh.

Symptoms:

  • OpenSSH client (ssh command) connects successfully
  • bssh fails to connect to the same server
  • Error message: SSH connection failed to <IP>:<PORT> (e.g., SSH connection failed to 10.100.1.1:22)
  • Lack of detailed error information makes it difficult to identify the root cause

Analyzed Causes

1. Algorithm Negotiation Failure

Mismatch between russh library's supported algorithms and the target SSH server's algorithms is suspected as the primary cause:

Algorithm Type russh Support Examples
KEX curve25519-sha256, diffie-hellman-group*, etc.
Cipher chacha20-poly1305, aes256-gcm, aes*-ctr
MAC hmac-sha2-256, hmac-sha2-512, etc.

Connection fails when older SSH servers only support algorithms not available in russh.

2. Insufficient Error Detail

Currently at src/commands/interactive/connection.rs:67, errors are wrapped with .with_context(|| format!("SSH connection failed to {host}:{port}")), which hides specific russh errors (algorithm mismatch, negotiation failure, etc.) from users.

3. Host Key Type Compatibility

Connection may fail if the server's host key type is not supported by russh.

4. Limited OpenSSH Config Support

Server-specific settings in ~/.ssh/config (e.g., KexAlgorithms, Ciphers, MACs, etc.) are not fully supported.

Proposed Solutions

Phase 1: Improved Error Logging (Priority: High)

  • Display original russh error messages to users on connection failure
  • Add -v or --verbose flag for detailed negotiation process logs
  • Show server/client supported algorithm lists when negotiation fails
  • Add user-friendly guidance messages per error type

Phase 2: Algorithm Configuration Options (Priority: Medium)

  • Add CLI options for algorithm specification
    • --kex-algorithms: Key exchange algorithms
    • --ciphers: Encryption algorithms
    • --macs: MAC algorithms
  • Support algorithm configuration in config.yaml
  • OpenSSH-compatible algorithm preference settings

Phase 3: Legacy Algorithm Support Mode (Priority: Medium)

  • --legacy flag to enable older algorithms (with security warning)
  • Save legacy settings for specific servers in config.yaml

Phase 4: Connection Diagnostics Command (Priority: Low)

  • bssh diagnose <host> command for troubleshooting
    • Check server-supported algorithms
    • Test compatibility with bssh-supported algorithms
    • Suggest recommended settings

Technical Considerations

russh Library Constraints

The list of algorithms supported by russh varies by library version, and some legacy algorithms (e.g., diffie-hellman-group1-sha1, ssh-dss) may not be supported for security reasons. Clear user guidance is needed in such cases.

Related Code Locations

  • src/commands/interactive/connection.rs: SSH connection handling
  • src/ssh/client.rs: SSH client wrapper
  • src/ssh/tokio_client/: russh wrapper module

Additional Context

Just as OpenSSH allows detailed log inspection with ssh -vvv option for debugging algorithm negotiation issues, providing a similar level of debug information in bssh would greatly help in troubleshooting.

Metadata

Metadata

Assignees

Labels

priority:highHigh priority issuestatus:readyReady to be worked ontype:enhancementNew feature or request

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions