SSH connection compatibility issues with servers accessible via OpenSSH and improved debug information

[inureyes]

Problem / Background

Some SSH servers that work perfectly with OpenSSH client fail to connect when using bssh.

Symptoms:

• OpenSSH client (ssh command) connects successfully
• bssh fails to connect to the same server
• Error message: SSH connection failed to <IP>:<PORT> (e.g., SSH connection failed to 10.100.1.1:22)
• Lack of detailed error information makes it difficult to identify the root cause

Analyzed Causes

1. Algorithm Negotiation Failure

Mismatch between russh library's supported algorithms and the target SSH server's algorithms is suspected as the primary cause:

Algorithm Type	russh Support Examples
KEX	curve25519-sha256, diffie-hellman-group*, etc.
Cipher	chacha20-poly1305, aes256-gcm, aes*-ctr
MAC	hmac-sha2-256, hmac-sha2-512, etc.

Connection fails when older SSH servers only support algorithms not available in russh.

2. Insufficient Error Detail

Currently at src/commands/interactive/connection.rs:67, errors are wrapped with .with_context(|| format!("SSH connection failed to {host}:{port}")), which hides specific russh errors (algorithm mismatch, negotiation failure, etc.) from users.

3. Host Key Type Compatibility

Connection may fail if the server's host key type is not supported by russh.

4. Limited OpenSSH Config Support

Server-specific settings in ~/.ssh/config (e.g., KexAlgorithms, Ciphers, MACs, etc.) are not fully supported.

Proposed Solutions

Phase 1: Improved Error Logging (Priority: High)

• Display original russh error messages to users on connection failure
• Add -v or --verbose flag for detailed negotiation process logs
• Show server/client supported algorithm lists when negotiation fails
• Add user-friendly guidance messages per error type

Phase 2: Algorithm Configuration Options (Priority: Medium)

• Add CLI options for algorithm specification
  • --kex-algorithms: Key exchange algorithms
  • --ciphers: Encryption algorithms
  • --macs: MAC algorithms
• Support algorithm configuration in config.yaml
• OpenSSH-compatible algorithm preference settings

Phase 3: Legacy Algorithm Support Mode (Priority: Medium)

• --legacy flag to enable older algorithms (with security warning)
• Save legacy settings for specific servers in config.yaml

Phase 4: Connection Diagnostics Command (Priority: Low)

• bssh diagnose <host> command for troubleshooting
  • Check server-supported algorithms
  • Test compatibility with bssh-supported algorithms
  • Suggest recommended settings

Technical Considerations

russh Library Constraints

The list of algorithms supported by russh varies by library version, and some legacy algorithms (e.g., diffie-hellman-group1-sha1, ssh-dss) may not be supported for security reasons. Clear user guidance is needed in such cases.

Related Code Locations

• src/commands/interactive/connection.rs: SSH connection handling
• src/ssh/client.rs: SSH client wrapper
• src/ssh/tokio_client/: russh wrapper module

Additional Context

Just as OpenSSH allows detailed log inspection with ssh -vvv option for debugging algorithm negotiation issues, providing a similar level of debug information in bssh would greatly help in troubleshooting.