Problems implementing with DFM Connection Agent

This is the place to discuss DynFi Manager installation and deployment.
Not to be confused with DynFi Firewall installation.

Moderator: gregober

thorna
Posts: 3
Joined: 03 Dec 2024, 10:53

Problems implementing with DFM Connection Agent

Post by thorna » 03 Dec 2024, 11:18

Hi there,
I am using the latest DynFi Manager On-premise
and OPNsense firewalls in version OPNsense 24.10.1-amd64 FreeBSD 14.1-RELEASE-p6 OpenSSL 3.0.15

I successfully connected 2 firewalls with the classic method.

I wanted to use the Connection Agent on a 3rd firewall, and I cannot create the connection.
I have installed the Connection Agent on the 3rd OPNsense firewall with the help of the latest documentation.
Everything seems to be OK.
When connecting, I see the following errors in the DynFi Manager logs:

Code:

2024-12-03 10:37:49.144 CET [sshd-SshServer[3c8e44cc](port=2222)-nio2-thread-2] WARN  o.a.s.s.session.ServerSessionImpl [LoggingUtils.java:618] - exceptionCaught(ServerSessionImpl[null@/anonymizedip:62955])[state=Opened] SshException: Unable to negotiate key exchange for server host key algorithms (client: sk-ssh-ed25519@openssh.com / server: ssh-ed25519)
2024-12-03 10:43:09.680 CET [sshd-SshServer[3c8e44cc](port=2222)-nio2-thread-2] WARN  o.a.s.s.session.ServerSessionImpl [LoggingUtils.java:618] - exceptionCaught(ServerSessionImpl[null@/anonymizedip:61449])[state=Opened] SshException: Unable to negotiate key exchange for server host key algorithms (client: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521 / server: ssh-ed25519)
2024-12-03 10:43:09.684 CET [sshd-SshServer[3c8e44cc](port=2222)-nio2-thread-3] WARN  o.a.s.s.session.ServerSessionImpl [LoggingUtils.java:618] - exceptionCaught(ServerSessionImpl[null@/anonymizedip:61382])[state=Opened] SshException: Unable to negotiate key exchange for server host key algorithms (client: rsa-sha2-512,rsa-sha2-256,ssh-rsa / server: ssh-ed25519)
2024-12-03 10:43:09.726 CET [sshd-SshServer[3c8e44cc](port=2222)-nio2-thread-4] WARN  o.a.s.s.session.ServerSessionImpl [LoggingUtils.java:618] - exceptionCaught(ServerSessionImpl[null@/anonymizedip:62180])[state=Opened] SshException: Unable to negotiate key exchange for server host key algorithms (client: rsa-sha2-512,rsa-sha2-256,ssh-rsa / server: ssh-ed25519)
2024-12-03 10:43:09.726 CET [sshd-SshServer[3c8e44cc](port=2222)-nio2-thread-5] WARN  o.a.s.s.session.ServerSessionImpl [LoggingUtils.java:618] - exceptionCaught(ServerSessionImpl[null@/anonymizedip:64190])[state=Opened] SshException: Unable to negotiate key exchange for server host key algorithms (client: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521 / server: ssh-ed25519)
2024-12-03 10:43:09.931 CET [sshd-SshServer[3c8e44cc](port=2222)-nio2-thread-1] WARN  o.a.s.s.session.ServerSessionImpl [LoggingUtils.java:618] - exceptionCaught(ServerSessionImpl[null@/anonymizedip:63770])[state=Opened] SshException: Unable to negotiate key exchange for server host key algorithms (client: sk-ecdsa-sha2-nistp256@openssh.com / server: ssh-ed25519)
2024-12-03 10:43:09.931 CET [sshd-SshServer[3c8e44cc](port=2222)-nio2-thread-4] WARN  o.a.s.s.session.ServerSessionImpl [LoggingUtils.java:618] - exceptionCaught(ServerSessionImpl[null@/anonymizedip:60973])[state=Opened] SshException: Unable to negotiate key exchange for server host key algorithms (client: sk-ecdsa-sha2-nistp256@openssh.com / server: ssh-ed25519)
2024-12-03 10:43:09.975 CET [sshd-SshServer[3c8e44cc](port=2222)-nio2-thread-2] WARN  o.a.s.s.session.ServerSessionImpl [LoggingUtils.java:618] - exceptionCaught(ServerSessionImpl[null@/anonymizedip:60780])[state=Opened] SshException: Unable to negotiate key exchange for server host key algorithms (client: sk-ssh-ed25519@openssh.com / server: ssh-ed25519)
2024-12-03 10:43:09.975 CET [sshd-SshServer[3c8e44cc](port=2222)-nio2-thread-5] WARN  o.a.s.s.session.ServerSessionImpl [LoggingUtils.java:618] - exceptionCaught(ServerSessionImpl[null@/anonymizedip:59805])[state=Opened] SshException: Unable to negotiate key exchange for server host key algorithms (client: sk-ssh-ed25519@openssh.com / server: ssh-ed25519)

I would be very happy if someone can help me. Thanks!
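
The negotiation failure in the log above, as an added example that is not part of the original post or of DynFi's code: it parses each "Unable to negotiate" line and compares the host key algorithms the client offered with the ones the server has. The sample lines are constructed in the log format shown, with a placeholder address; the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the format of the DynFi Manager log above; the address
# 192.0.2.10 and the thread/class fields are placeholders.
TEMPLATE = ("2024-12-03 10:43:09.680 CET [sshd-thread] WARN ServerSessionImpl - "
            "exceptionCaught(ServerSessionImpl[null@/192.0.2.10:{port}])[state=Opened] "
            "SshException: Unable to negotiate key exchange for server host key "
            "algorithms (client: {client} / server: ssh-ed25519)")
SAMPLE_LOG = "\n".join(TEMPLATE.format(port=p, client=c) for p, c in [
    (62955, "sk-ssh-ed25519@openssh.com"),
    (61449, "ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521"),
    (61382, "rsa-sha2-512,rsa-sha2-256,ssh-rsa"),
    (63770, "sk-ecdsa-sha2-nistp256@openssh.com"),
])

NEGOTIATION_RE = re.compile(
    r"Unable to negotiate key exchange for (?P<category>[^(]+?) "
    r"\(client: (?P<client>[^/]*?) / server: (?P<server>[^)]*)\)"
)

def split_algs(field):
    """Split a comma-separated SSH name-list into its algorithm names."""
    return [a.strip() for a in field.split(",") if a.strip()]

def parse_failures(log_text):
    """Return (category, client_algs, server_algs) per negotiation failure."""
    failures = []
    for line in log_text.splitlines():
        m = NEGOTIATION_RE.search(line)
        if m:
            failures.append((m["category"], split_algs(m["client"]),
                             split_algs(m["server"])))
    return failures

def summarize(log_text):
    """Aggregate offers across connections; names must match exactly."""
    failures = parse_failures(log_text)
    offers = Counter(tuple(client) for _, client, _ in failures)
    server = {a for _, _, algs in failures for a in algs}
    client_union = {a for offer in offers for a in offer}
    return {"attempts": len(failures),
            "distinct_client_offers": sorted(offers),
            "server_algorithms": sorted(server),
            "common": sorted(client_union & server),
            "never_offered_by_client": sorted(server - client_union)}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, the only server host key algorithm, ssh-ed25519, appears in none of the client offers; sk-ssh-ed25519@openssh.com is a different algorithm name and does not match it.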
gregober
Posts: 268
Joined: 26 Mar 2019, 15:06

Re: Problems implementing with DFM Connection Agent

Post by gregober » 03 Dec 2024, 12:14

Can you please send a description of the options you have enabled in System >> Settings >> Administration?
In the "Secure Shell" section, can you list the options enabled and the "cryptographic override", if any?

Thanks.
thorna
Posts: 3
Joined: 03 Dec 2024, 10:53

Re: Problems implementing with DFM Connection Agent

Post by thorna » 03 Dec 2024, 12:58

Thanks for the fast reply!

So these are the settings:

Code:

Secure Shell	
 Secure Shell Server	 Enable Secure Shell active
 Login Group	
wheel, admins
Select the allowed groups for remote login. The "wheel" group is always set for recovery purposes and an additional local group can be selected at will. Do not yield remote access to non-administrators as every user can access system files using SSH or SFTP.
 Root Login	 Permit root user login active
Root login is generally discouraged. It is advised to log in via another user and switch to root afterwards.
 Authentication Method	 Permit password login  active
When disabled, authorized keys need to be configured for each User that has been granted secure shell access.
 SSH port	22 active
Leave this blank for the default of 22.
 Listen Interfaces	all interfaces active

The Advanced Settings cryptographic overrides were never touched, so I am not sure what to show.

The reporter in firmware settings shows:

Code:

[03-Dec-2024 10:27:29 Europe/Berlin] TypeError: in_array(): Argument #2 ($haystack) must be of type array, string given in /usr/local/etc/inc/auth.inc:495
Stack trace:
#0 /usr/local/etc/inc/auth.inc(495): in_array('0', '')
#1 /usr/local/opnsense/mvc/app/controllers/OPNsense/DFConAg/Api/ServiceController.php(364): local_user_get_groups(Array)
#2 /usr/local/opnsense/mvc/app/controllers/OPNsense/DFConAg/Api/ServiceController.php(300): OPNsense\DFConAg\Api\ServiceController->__getAddOptions('#token#', 'eyJhbGciOiJub25...')
#3 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Dispatcher.php(165): OPNsense\DFConAg\Api\ServiceController->acceptKeyAction()
#4 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Router.php(156): OPNsense\Mvc\Dispatcher->dispatch(Object(OPNsense\Mvc\Request), Object(OPNsense\Mvc\Response), Object(OPNsense\Mvc\Session))
#5 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Router.php(139): OPNsense\Mvc\Router->performRequest(Object(OPNsense\Mvc\Dispatcher))
#6 /usr/local/opnsense/www/api.php(36): OPNsense\Mvc\Router->routeRequest('/api/dfconag/se...', Array)
#7 {main}
[03-Dec-2024 10:37:20 Europe/Berlin] TypeError: in_array(): Argument #2 ($haystack) must be of type array, string given in /usr/local/etc/inc/auth.inc:495
Stack trace:
#0 /usr/local/etc/inc/auth.inc(495): in_array('0', '')
#1 /usr/local/opnsense/mvc/app/controllers/OPNsense/DFConAg/Api/ServiceController.php(364): local_user_get_groups(Array)
#2 /usr/local/opnsense/mvc/app/controllers/OPNsense/DFConAg/Api/ServiceController.php(319): OPNsense\DFConAg\Api\ServiceController->__getAddOptions('root', '**')
#3 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Dispatcher.php(165): OPNsense\DFConAg\Api\ServiceController->getAddOptionsAction()
#4 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Router.php(156): OPNsense\Mvc\Dispatcher->dispatch(Object(OPNsense\Mvc\Request), Object(OPNsense\Mvc\Response), Object(OPNsense\Mvc\Session))
#5 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Router.php(139): OPNsense\Mvc\Router->performRequest(Object(OPNsense\Mvc\Dispatcher))
#6 /usr/local/opnsense/www/api.php(36): OPNsense\Mvc\Router->routeRequest('/api/dfconag/se...', Array)
#7 {main}
[03-Dec-2024 10:43:26 Europe/Berlin] TypeError: in_array(): Argument #2 ($haystack) must be of type array, string given in /usr/local/etc/inc/auth.inc:495
Stack trace:
#0 /usr/local/etc/inc/auth.inc(495): in_array('0', '')
#1 /usr/local/opnsense/mvc/app/controllers/OPNsense/DFConAg/Api/ServiceController.php(364): local_user_get_groups(Array)
#2 /usr/local/opnsense/mvc/app/controllers/OPNsense/DFConAg/Api/ServiceController.php(319): OPNsense\DFConAg\Api\ServiceController->__getAddOptions('t.adm.horna', '***)
#3 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Dispatcher.php(165): OPNsense\DFConAg\Api\ServiceController->getAddOptionsAction()
#4 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Router.php(156): OPNsense\Mvc\Dispatcher->dispatch(Object(OPNsense\Mvc\Request), Object(OPNsense\Mvc\Response), Object(OPNsense\Mvc\Session))
#5 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Router.php(139): OPNsense\Mvc\Router->performRequest(Object(OPNsense\Mvc\Dispatcher))
#6 /usr/local/opnsense/www/api.php(36): OPNsense\Mvc\Router->routeRequest('/api/dfconag/se...', Array)
#7 {main}
[03-Dec-2024 11:13:43 Europe/Berlin] TypeError: in_array(): Argument #2 ($haystack) must be of type array, string given in /usr/local/etc/inc/auth.inc:495
Stack trace:
#0 /usr/local/etc/inc/auth.inc(495): in_array('0', '')
#1 /usr/local/opnsense/mvc/app/controllers/OPNsense/DFConAg/Api/ServiceController.php(364): local_user_get_groups(Array)
#2 /usr/local/opnsense/mvc/app/controllers/OPNsense/DFConAg/Api/ServiceController.php(319): OPNsense\DFConAg\Api\ServiceController->__getAddOptions('root', '****')
#3 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Dispatcher.php(165): OPNsense\DFConAg\Api\ServiceController->getAddOptionsAction()
#4 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Router.php(156): OPNsense\Mvc\Dispatcher->dispatch(Object(OPNsense\Mvc\Request), Object(OPNsense\Mvc\Response), Object(OPNsense\Mvc\Session))
#5 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Router.php(139): OPNsense\Mvc\Router->performRequest(Object(OPNsense\Mvc\Dispatcher))
#6 /usr/local/opnsense/www/api.php(36): OPNsense\Mvc\Router->routeRequest('/api/dfconag/se...', Array)
#7 {main}
[03-Dec-2024 12:50:54 Europe/Berlin] TypeError: in_array(): Argument #2 ($haystack) must be of type array, string given in /usr/local/etc/inc/auth.inc:495
Stack trace:
#0 /usr/local/etc/inc/auth.inc(495): in_array('0', '')
#1 /usr/local/opnsense/mvc/app/controllers/OPNsense/DFConAg/Api/ServiceController.php(364): local_user_get_groups(Array)
#2 /usr/local/opnsense/mvc/app/controllers/OPNsense/DFConAg/Api/ServiceController.php(300): OPNsense\DFConAg\Api\ServiceController->__getAddOptions('#token#', 'eyJhbGciOiJub25...')
#3 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Dispatcher.php(165): OPNsense\DFConAg\Api\ServiceController->acceptKeyAction()
#4 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Router.php(156): OPNsense\Mvc\Dispatcher->dispatch(Object(OPNsense\Mvc\Request), Object(OPNsense\Mvc\Response), Object(OPNsense\Mvc\Session))
#5 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Router.php(139): OPNsense\Mvc\Router->performRequest(Object(OPNsense\Mvc\Dispatcher))
#6 /usr/local/opnsense/www/api.php(36): OPNsense\Mvc\Router->routeRequest('/api/dfconag/se...', Array)
#7 {main}
[03-Dec-2024 12:52:51 Europe/Berlin] TypeError: in_array(): Argument #2 ($haystack) must be of type array, string given in /usr/local/etc/inc/auth.inc:495
Stack trace:
#0 /usr/local/etc/inc/auth.inc(495): in_array('0', '')
#1 /usr/local/opnsense/mvc/app/controllers/OPNsense/DFConAg/Api/ServiceController.php(364): local_user_get_groups(Array)
#2 /usr/local/opnsense/mvc/app/controllers/OPNsense/DFConAg/Api/ServiceController.php(319): OPNsense\DFConAg\Api\ServiceController->__getAddOptions('root', '***')
#3 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Dispatcher.php(165): OPNsense\DFConAg\Api\ServiceController->getAddOptionsAction()
#4 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Router.php(156): OPNsense\Mvc\Dispatcher->dispatch(Object(OPNsense\Mvc\Request), Object(OPNsense\Mvc\Response), Object(OPNsense\Mvc\Session))
#5 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Router.php(139): OPNsense\Mvc\Router->performRequest(Object(OPNsense\Mvc\Dispatcher))
#6 /usr/local/opnsense/www/api.php(36): OPNsense\Mvc\Router->routeRequest('/api/dfconag/se...', Array)
gregober
Posts: 268
Joined: 26 Mar 2019, 15:06

Re: Problems implementing with DFM Connection Agent

Post by gregober » 03 Dec 2024, 13:40

Sounds like a bug, we will have a look at that rapidly.
thorna
Posts: 3
Joined: 03 Dec 2024, 10:53

Re: Problems implementing with DFM Connection Agent

Post by thorna » 03 Dec 2024, 13:59

Thanks a lot!