K4 USBNet - No Matching Key Exchange. Their offer: diffie-hellman-group1-sha1

lianove3 · 05-20-2024, 09:21 PM

Hello!

I'm having trouble getting USBNet to work on my K4NT. Mine is one of the weird cases described here where the built in USBNet still works.

I have:

1. Successfully completed the Jailbreak

2. Booted to the diagnostics and navigated to the Enable USBnet page

3. Configured the network interface for IP 192.168.15.201 & subnet 255.255.255.0

When I try to `ssh root@192.168.15.244`, I am met with the following error:

`Unable to negotiate with 192.168.15.244 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1`

I have tried the solutions detailed in this stackexchange but to no avail. Attempting `ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 root@192.168.15.244` results in:

`Unable to negotiate with 192.168.15.244 port 22: no matching host key type found. Their offer: ssh-rsa`

I'd much appreciate any insight into this

If I cannot get the built in USBNet working, would I be able to go the route of installing USBNet manually? TIA

dont_panic · 05-24-2024, 09:17 AM

The reason for this is quite simple imo: The kindle uses 14-year-old crypto routines (rsa), which are not accepted by any modern ssh implementation.
The reason for this is the 'downgrading attack': The attacker just politely asks the victim 'why can't whe use the old unsafe standard like we always did'. That's why your ssh just says 'nope wont do'.
On my win machine I use kitty (a putty fork) as ssh client, and there is a settings page that lets you enable unsafe stuff. I don't know how to do it on linux, and it should depend on your distro. Also, don't do this when your device is connected to the interwebz

My guess would be to just 'give them what they want' and match their offer:

`ssh -oKexAlgorithms=+ssh-rsa root@192.168.15.244`

This is my first post here, so please be patient with a poor noob...

ratinox · 05-24-2024, 09:38 AM

TL;DR: use RSA if you need portable keys, ED25519 otherwise.

Nit-pick, but the problem isn't RSA which is still secure for larger keys (2048 bit and 4096 bit). Anything smaller than 2048 bit is generally discouraged. ED25519 is preferred when available. At this time, ED25519 appears to be more secure and faster than RSA, though RSA is technically stronger given the larger key sizes.

The real problem here is DSA which has been deprecated and disabled by OpenSSH for almost a decade now due to its general weakness, and will be entirely removed from OpenSSH source code next year. You can read more here:
https://www.openssh.com/legacy.html

Note: your distribution maintainers may have taken steps to remove DSA in advance of the formal removal.

j.p.s · 05-24-2024, 02:16 PM

Installing the USBNetwork hack that targets the K4 should work.

05-20-2024, 09:21 PM	#1
lianove3 Junior Member Posts: 1 Karma: 10 Join Date: May 2024 Device: Kindle 4 (Silver)	USBNet - No Matching Key Exchange. Their offer: diffie-hellman-group1-sha1 Hello! I'm having trouble getting USBNet to work on my K4NT. Mine is one of the weird cases described here where the built in USBNet still works. I have: 1. Successfully completed the Jailbreak 2. Booted to the diagnostics and navigated to the Enable USBnet page 3. Configured the network interface for IP 192.168.15.201 & subnet 255.255.255.0 When I try to `ssh root@192.168.15.244`, I am met with the following error: `Unable to negotiate with 192.168.15.244 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1` I have tried the solutions detailed in this stackexchange but to no avail. Attempting `ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 root@192.168.15.244` results in: `Unable to negotiate with 192.168.15.244 port 22: no matching host key type found. Their offer: ssh-rsa` I'd much appreciate any insight into this If I cannot get the built in USBNet working, would I be able to go the route of installing USBNet manually? TIA

05-24-2024, 09:17 AM	#2
dont_panic Junior Member Posts: 2 Karma: 10 Join Date: May 2024 Location: Berlin/.de Device: K4NT	The reason for this is quite simple imo: The kindle uses 14-year-old crypto routines (rsa), which are not accepted by any modern ssh implementation. The reason for this is the 'downgrading attack': The attacker just politely asks the victim 'why can't whe use the old unsafe standard like we always did'. That's why your ssh just says 'nope wont do'. On my win machine I use kitty (a putty fork) as ssh client, and there is a settings page that lets you enable unsafe stuff. I don't know how to do it on linux, and it should depend on your distro. Also, don't do this when your device is connected to the interwebz My guess would be to just 'give them what they want' and match their offer: `ssh -oKexAlgorithms=+ssh-rsa root@192.168.15.244` This is my first post here, so please be patient with a poor noob... Last edited by dont_panic; 05-24-2024 at 09:21 AM. Reason: addition

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Icon rule for matching or non-matching columns	Rellwood	Library Management	1	11-29-2023 06:37 AM
Trying to pair filename and sha1 hash in collections.json	Adam23	Kindle Developer's Corner	3	02-11-2014 02:31 PM
Troubleshooting Enter key broken - possible to "replace" functionality using other key	Hanthehun	Amazon Kindle	11	03-27-2012 01:56 PM
sha1 on kindle?	dubaaron	Kindle Developer's Corner	2	02-17-2011 12:50 PM
Four Libby Fischer Hellman Suspense $2.39 to $3.19 each (US)	NightBird	Deals and Resources (No Self-Promotion or Affiliate Links)	0	11-04-2010 06:40 PM

05-24-2024, 09:38 AM	#3
ratinox Fanatic Posts: 532 Karma: 5060708 Join Date: Oct 2016 Device: Forma, iPad Air 4	TL;DR: use RSA if you need portable keys, ED25519 otherwise. Nit-pick, but the problem isn't RSA which is still secure for larger keys (2048 bit and 4096 bit). Anything smaller than 2048 bit is generally discouraged. ED25519 is preferred when available. At this time, ED25519 appears to be more secure and faster than RSA, though RSA is technically stronger given the larger key sizes. The real problem here is DSA which has been deprecated and disabled by OpenSSH for almost a decade now due to its general weakness, and will be entirely removed from OpenSSH source code next year. You can read more here: https://www.openssh.com/legacy.html Note: your distribution maintainers may have taken steps to remove DSA in advance of the formal removal.

05-24-2024, 02:16 PM	#4
j.p.s Grand Sorcerer Posts: 5,299 Karma: 98809518 Join Date: Apr 2011 Device: pb360	Installing the USBNetwork hack that targets the K4 should work.

Advert