use Windows to access SSH server with obsolete ciphers

Recent Fedora systems' SSH client won't access CentOS 6 servers.

    Unable to negotiate with x.y.z.w port 22: no matching host key type
    found. Their offer: ssh-rsa,ssh-dss

(One should not still be running CentOS 6!)

All my workstations run recent Fedora systems. How could I access this server?

It turns out that Windows has an SSH client these days and it isn't as picky about ciphers as Fedora.

It could well be that other Linux distros support older ciphers too.

This isn't generally a good thing: those ciphers were retired due to security concerns.

You can often ssh from newer systems to older systems by telling ssh that it's allowed to use older options.

For example, to connect from ubuntu 22 to centos 5, my .ssh/config file has

    Host centos5.example.com
        KexAlgorithms +diffie-hellman-group1-sha1
        # ubuntu 22+ needs
        HostkeyAlgorithms +ssh-rsa
        PubkeyAcceptedKeyTypes +ssh-rsa

and I left myself a reference to:
    https://www.openssh.com/legacy.html

Hope someone finds that helpful - cheers

John
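An added example, not part of any post in this thread: it turns the "Unable to negotiate" error quoted above into a per-host stanza of the kind shown in the message, enabling only the best-ranked algorithm the server offers. The preference order and the host alias centos6.example.com are assumptions made for the example.

```python
import re

# Failure text printed by the OpenSSH client -> ssh_config keyword governing it.
KEYWORD = {
    "key exchange method": "KexAlgorithms",
    "host key type": "HostKeyAlgorithms",
    "cipher": "Ciphers",
}

# Assumed preference order (strongest first) among legacy algorithms named in
# this thread; anything not listed is refused rather than guessed at.
PREFERENCE = {
    "KexAlgorithms": ["diffie-hellman-group14-sha1",
                      "diffie-hellman-group-exchange-sha1",
                      "diffie-hellman-group1-sha1"],
    "HostKeyAlgorithms": ["ssh-rsa", "ssh-dss"],
    "Ciphers": ["aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc"],
}

ERROR_RE = re.compile(
    r"Unable to negotiate with \S+ port \d+: "
    r"no matching (?P<what>.+?) found\. Their offer: (?P<offer>\S+)"
)

def legacy_stanza(error_line, host_alias):
    """Return a Host block enabling one offered legacy algorithm, or None."""
    m = ERROR_RE.search(error_line)
    if not m or m["what"] not in KEYWORD:
        return None
    keyword = KEYWORD[m["what"]]
    offered = m["offer"].split(",")
    # Take the best-ranked algorithm the server offers; enable nothing else.
    choice = next((a for a in PREFERENCE[keyword] if a in offered), None)
    if choice is None:
        return None
    # "+" appends to the client's defaults instead of replacing them, and the
    # Host line keeps the weaker setting away from every other server.
    return f"Host {host_alias}\n    {keyword} +{choice}\n"

# Constructed sample: the error quoted in the thread, placeholder address included.
SAMPLE = ("Unable to negotiate with x.y.z.w port 22: no matching host key type "
          "found. Their offer: ssh-rsa,ssh-dss")

if __name__ == "__main__":
    print(legacy_stanza(SAMPLE, "centos6.example.com"))
```

ssh reports one failed category per attempt, so a very old server may need the next error fed back in after each fix.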

You might want to consider shellinabox as a more secure option.

On Fri, Aug 4, 2023 at 10:16 AM John Sellens via talk <talk@gtalug.org> wrote:

> You can often ssh from newer systems to older systems by telling ssh
> that it's allowed to use older options.
>
> For example, to connect from ubuntu 22 to centos 5, my .ssh/config file has
>
>     Host centos5.example.com
>         KexAlgorithms +diffie-hellman-group1-sha1
>         # ubuntu 22+ needs
>         HostkeyAlgorithms +ssh-rsa
>         PubkeyAcceptedKeyTypes +ssh-rsa
>
> and I left myself a reference to:
>     https://www.openssh.com/legacy.html
>
> Hope someone finds that helpful - cheers
>
> John

| You can often ssh from newer systems to older systems by telling ssh
| that it's allowed to use older options.
|
| For example, to connect from ubuntu 22 to centos 5, my .ssh/config file has
|
|     Host centos5.example.com
|         KexAlgorithms +diffie-hellman-group1-sha1
|         # ubuntu 22+ needs
|         HostkeyAlgorithms +ssh-rsa
|         PubkeyAcceptedKeyTypes +ssh-rsa
|
| and I left myself a reference to:
|     https://www.openssh.com/legacy.html
|
| Hope someone finds that helpful - cheers

Yup. Worked. Thanks.

So many things need research, so little time for it.

On 2023-08-04 09:58, D. Hugh Redelmeier via talk wrote:
> Recent Fedora systems' SSH client won't access CentOS 6 servers.
>
>     Unable to negotiate with x.y.z.w port 22: no matching host key type
>     found. Their offer: ssh-rsa,ssh-dss
>
> (One should not still be running CentOS 6!)
>
> All my workstations run recent Fedora systems. How could I access this server?

I ran into this also.
I have a client who has a bunch of Centos5 systems.
There are also some switches that have issues requiring magical configs.

An example is:

    Host example
        Hostname 11.22.33.44
        port 9922
        PubkeyAcceptedKeyTypes=ssh-rsa,ssh-dss
        IdentityFile ~/.ssh/id_rsa
        HostkeyAlgorithms ssh-rsa
        user root

I believe RHEL9 and possibly 8 have tightened up the ssh requirements also but I can't verify this offhand now.

DSS is considered compromised so it's not being accepted as a protocol.
The older systems also do not accept the newer formats like id_ed25519 so if you have some public/private keys in that format you will need to force ssh to only use the rsa public key.

I have some switches that require things like

    KexAlgorithms=diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
    Ciphers aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,aes256-ctr,aes128-ctr

--
Alvin Starr                   ||   land:  (647)478-6285
Netvel Inc.                   ||   Cell:  (416)806-0133
alvin@netvel.net              ||

On 2023-08-04 09:58, D. Hugh Redelmeier via talk wrote:
> Recent Fedora systems' SSH client won't access CentOS 6 servers.
>
>     Unable to negotiate with x.y.z.w port 22: no matching host key type
>     found. Their offer: ssh-rsa,ssh-dss

I ran into a similar situation. I used to be running Linux Mint 19.3 and recently updated to 21.3. Since upgrading I can't access a particular remote machine. I don't know what distro the remote system is using.

My thanks to John Sellens for posting information about how to configure ssh so it would accept an ssh-rsa key from the remote system I'm trying to access.

--
Cheers!

Kevin.

https://www.patreon.com/KevinCozens | "Nerds make the shiny things that
                                    | distract the mouth-breathers, and
Owner of Elecraft K2 #2172          | that's why we're powerful"
#include <disclaimer/favourite>     | --Chris Hardwick

participants (5)
- Alvin Starr
- Ansar Mohammed
- D. Hugh Redelmeier
- John Sellens
- Kevin Cozens