Option 1: Update libssh2 -> libssh2 1.7 and up supports DH SHA256 and ECDH key exchange. These will work with the latest OpenSSH. 1.x releases require PHP 7.
It is related to the modifications made after the vulnerability scans on our VM:
cf \tls-gps-dfs.inra.local\home\plage\transfert\Info-Bioinfo\4-Info\SSI\scanner_vulnerabilites_INRAE_suivi_action.xlsm > Weak Key Exchange (KEX) Algorithm(s) Supported (SSH)
Not finalized due to problems induced by the Java update.
[root@ng6-slurm ~]# vi /etc/ssh/sshd_config
KexAlgorithms was set to curve25519-sha256@libssh.org
I added old weak algorithms
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
[root@ng6-slurm ~]# systemctl restart sshd
[root@ng6-slurm ~]# php /work/ng6/jflow/tmp/ng6_ssh_test.php
connection= Resource id #4
Now OK for ng6-slurm.
Try to reproduce the problem on ng6-test.
If the same problem occurs, try to solve it so that we can deactivate the weak algorithms again.
Warning: ssh2_connect(): Error starting up SSH connection(-5): Unable to exchange encryption keys in /work/ng6-test/jflow_rtherville/ng6_ssh_test.php on line 3
Warning: ssh2_connect(): Unable to connect to ng6-test.toulouse.inra.fr in /work/ng6-test/jflow_rtherville/ng6_ssh_test.php on line 3
connection=connection===FALSE
I tested "diffie-hellman-group1-sha1", it works but it's not recommended.
I also tested "diffie-hellman-group14-sha1", it works AND it is recommended as a replacement for every other sha1 KEX.
Quotation here: "It is reasonable to retain the diffie-hellman-group14-sha1 exchange for interoperability with legacy implementations. Therefore, diffie-hellman-group14-sha1 SHOULD be implemented and all other *-sha1 key exchanges SHOULD NOT be implemented."
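
Added example (not part of the original notes): a small shell check that applies the rule quoted above to the KexAlgorithms line of an sshd_config, so the temporary weak entries can be tracked until they are removed again. The function names and the sample file are constructed for illustration; the sample line reproduces the one from the ng6-slurm session.

```shell
#!/bin/sh
# Added example: classify sshd KexAlgorithms entries using the quoted rule
# (group14-sha1 tolerated for legacy clients, all other *-sha1 rejected).
# Function names are hypothetical, not from any existing tool.

# Print the value of the first active KexAlgorithms line in file $1.
# sshd keywords are case-insensitive and the first value read wins;
# commented-out lines ("#KexAlgorithms ...") do not match.
kex_line() {
    awk 'tolower($1) == "kexalgorithms" { print $2; exit }' "$1"
}

# Print one "<verdict> <algorithm>" line per configured algorithm.
classify_kex() {
    # A leading +, - or ^ modifies the default list; strip it before splitting.
    list=$(kex_line "$1" | sed 's/^[+^-]//')
    old_ifs=$IFS
    IFS=,
    for alg in $list; do
        case $alg in
            diffie-hellman-group14-sha1) echo "legacy-only $alg" ;;
            *-sha1)                      echo "reject $alg" ;;
            *)                           echo "ok $alg" ;;
        esac
    done
    IFS=$old_ifs
}

# Constructed sample: the line added on ng6-slurm in the session above.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
#KexAlgorithms curve25519-sha256@libssh.org
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
EOF

classify_kex "$sample"
```

On a live host, saving the output of `sshd -T` to a file and passing that file to `classify_kex` checks the effective configuration instead of the file on disk.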