From 71010333cd16ee6aab2fea4776c4cbf3ee8f557f Mon Sep 17 00:00:00 2001
From: ZacharyZcR
Date: Thu, 25 Sep 2025 10:11:49 +0800
Subject: [PATCH] FIX: Resolve SSH algorithm compatibility issues by removing unsupported umac-128-etm@openssh.com
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Remove umac-128-etm@openssh.com from SSH HMAC algorithm lists across all modules
- Fix SSH2 library compatibility issue causing "Unsupported algorithm" errors
- Update algorithm configurations in file-manager.ts, terminal.ts, tunnel.ts, and server-stats.ts
- Maintain full compatibility with NixOS and other SSH servers through algorithm negotiation
- Preserve secure ETM algorithms: hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com
- Ensure robust fallback with standard HMAC algorithms for maximum server compatibility
- Add complete algorithm specification to server-stats.ts for consistent behavior
- Improve SSH connection reliability across file management, terminal, and tunnel operations
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude
---
 src/backend/ssh/file-manager.ts | 2 +-
 src/backend/ssh/server-stats.ts | 26 +++++++++++++++++++++++++-
 src/backend/ssh/terminal.ts | 2 +-
 src/backend/ssh/tunnel.ts | 4 ++--
 4 files changed, 29 insertions(+), 5 deletions(-)
diff --git a/src/backend/ssh/file-manager.ts b/src/backend/ssh/file-manager.ts
index b16dc2b3..7a3fb816 100644
--- a/src/backend/ssh/file-manager.ts
+++ b/src/backend/ssh/file-manager.ts
@@ -224,7 +224,7 @@ app.post("/ssh/file_manager/ssh/connect", async (req, res) => {
 "aes256-cbc",
 "3des-cbc",
 ],
- hmac: ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "umac-128-etm@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1", "hmac-md5"],
+ hmac: ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1", "hmac-md5"],
 compress: ["none", "zlib@openssh.com", "zlib"],
 },
 };
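Review bot: The rewritten `hmac` list in the `/ssh/file_manager/ssh/connect` handler still ends with `hmac-sha1` and `hmac-md5`, and the unchanged context above it keeps `3des-cbc` and the CBC ciphers, so a server that offers only those is accepted without any signal to the operator. The same `hmac` line is repeated in the terminal.ts hunk, both tunnel.ts hunks and the new server-stats.ts block. I would drop `hmac-md5` from the default and make the remaining legacy entries a per-host opt-in, leaving `hmac: ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256", "hmac-sha2-512"],` as the default, and log the negotiated algorithms whenever a legacy one is selected. The handler body starts and ends outside the hunk.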
diff --git a/src/backend/ssh/server-stats.ts b/src/backend/ssh/server-stats.ts
index 971ead78..4c7141b9 100644
--- a/src/backend/ssh/server-stats.ts
+++ b/src/backend/ssh/server-stats.ts
@@ -490,7 +490,31 @@ function buildSshConfig(host: SSHHostWithCredentials): ConnectConfig {
 port: host.port || 22,
 username: host.username || "root",
 readyTimeout: 10_000,
- algorithms: {},
+ algorithms: {
+ kex: [
+ "diffie-hellman-group14-sha256",
+ "diffie-hellman-group14-sha1",
+ "diffie-hellman-group1-sha1",
+ "diffie-hellman-group-exchange-sha256",
+ "diffie-hellman-group-exchange-sha1",
+ "ecdh-sha2-nistp256",
+ "ecdh-sha2-nistp384",
+ "ecdh-sha2-nistp521",
+ ],
+ cipher: [
+ "aes128-ctr",
+ "aes192-ctr",
+ "aes256-ctr",
+ "aes128-gcm@openssh.com",
+ "aes256-gcm@openssh.com",
+ "aes128-cbc",
+ "aes192-cbc",
+ "aes256-cbc",
+ "3des-cbc",
+ ],
+ hmac: ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1", "hmac-md5"],
+ compress: ["none", "zlib@openssh.com", "zlib"],
+ },
 } as ConnectConfig;
 
 if (host.authType === "password") {
diff --git a/src/backend/ssh/terminal.ts b/src/backend/ssh/terminal.ts
index 7917dc7a..b341ebc9 100644
--- a/src/backend/ssh/terminal.ts
+++ b/src/backend/ssh/terminal.ts
@@ -636,7 +636,7 @@ wss.on("connection", async (ws: WebSocket, req) => {
 "aes256-cbc",
 "3des-cbc",
 ],
- hmac: ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "umac-128-etm@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1", "hmac-md5"],
+ hmac: ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1", "hmac-md5"],
 compress: ["none", "zlib@openssh.com", "zlib"],
 },
 };
diff --git a/src/backend/ssh/tunnel.ts b/src/backend/ssh/tunnel.ts
index 24481695..6c79b86b 100644
--- a/src/backend/ssh/tunnel.ts
+++ b/src/backend/ssh/tunnel.ts
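Review bot: In server-stats.ts `buildSshConfig`, the new `kex` array lists `diffie-hellman-group14-sha1` and `diffie-hellman-group1-sha1` ahead of `diffie-hellman-group-exchange-sha256` and the three `ecdh-sha2-nistp*` entries, and it replaces the library defaults that `algorithms: {}` previously left in force. SSH key exchange picks the first client-listed algorithm the server also supports, so a host without `diffie-hellman-group14-sha256` lands on a SHA-1 exchange even when it offers ECDH. Reordering so the SHA-256 and ECDH entries come first and the SHA-1 ones last keeps the compatibility fallback without preferring it. If the installed ssh2 version accepts the `append`/`remove` object form per category, that would preserve the library's own preference order instead of overriding it, which is worth confirming. The function starts and ends outside the hunk.

```typescript
    algorithms: {
      kex: [
        "ecdh-sha2-nistp256",
        "ecdh-sha2-nistp384",
        "ecdh-sha2-nistp521",
        "diffie-hellman-group-exchange-sha256",
        "diffie-hellman-group14-sha256",
        // Legacy SHA-1 key exchange: kept last so it is only reached when
        // the server offers nothing stronger.
        "diffie-hellman-group-exchange-sha1",
        "diffie-hellman-group14-sha1",
        "diffie-hellman-group1-sha1",
      ],
      // … unchanged: cipher, hmac, compress …
    },
```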
@@ -873,7 +873,7 @@ async function connectSSHTunnel(
 "aes256-cbc",
 "3des-cbc",
 ],
- hmac: ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "umac-128-etm@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1", "hmac-md5"],
+ hmac: ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1", "hmac-md5"],
 compress: ["none", "zlib@openssh.com", "zlib"],
 },
 };
@@ -1017,7 +1017,7 @@ async function killRemoteTunnelByMarker(
 "aes256-cbc",
 "3des-cbc",
 ],
- hmac: ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "umac-128-etm@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1", "hmac-md5"],
+ hmac: ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1", "hmac-md5"],
 compress: ["none", "zlib@openssh.com", "zlib"],
 },
 };
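Review bot: `connectSSHTunnel` and `killRemoteTunnelByMarker` each carry their own copy of the same `hmac` literal, and this commit had to edit that literal in five places across four files; a missed copy would leave one connection path negotiating differently from the rest. Hoisting the algorithm lists into a single shared constant and writing `algorithms: SSH_ALGORITHMS,` in each config (the constant name is only a suggestion) removes that risk. It also gives one place to audit which legacy algorithms the backend still offers. Both function bodies start and end outside the hunks.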