View previous topic :: View next topic |
Author |
Message |
Moriah Advocate
Joined: 27 Mar 2004 Posts: 2381 Location: Kentucky
|
Posted: Sat Nov 14, 2015 4:25 pm Post subject: HELP - can't connect to old sshd --SOLVED |
|
|
Since last week's update, I am unable to connect via ssh to a machine that I do not administer:
Code: |
moses ~ # ssh -Y me@xxx.yyy.zzz
Unable to negotiate with 999.999.999.999: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
moses ~ #
|
How do I connect to this old system with the new and "improved" openssh client? _________________ The MyWord KJV Bible tool is at http://www.elilabs.com/~myword
Foghorn Leghorn is a Warner Bros. cartoon character.
Last edited by Moriah on Tue Nov 17, 2015 8:07 pm; edited 1 time in total |
|
Back to top |
|
|
Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
|
Posted: Sat Nov 14, 2015 4:43 pm Post subject: |
|
|
You have to drop down to the older ssh on your immediate machine, then log in with the old key system. Once you have logged in, update the keys to a method that the newest sshd supports, then you can update both. Search the forum and I believe there was a news item regarding keys.
I don't use keys since they go out of date when either machine reboots. Note also that root logins are no longer allowed. That's why I have masked sshd-7.0 and above. |
|
Back to top |
|
|
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54578 Location: 56N 3W
|
Posted: Sat Nov 14, 2015 5:03 pm Post subject: |
|
|
Tony0945,
Tony0945 wrote: | I don't use keys since they go out of date when either machine reboots. |
Care to expand on that?
It doesn't seem to happen to me.
The host key changes every liveCD boot but only on live media. _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
Back to top |
|
|
Gentlenoob n00b
Joined: 10 Apr 2008 Posts: 72
|
Posted: Sat Nov 14, 2015 5:55 pm Post subject: |
|
|
Moriah,
in my case, which looks similar but not completely identical, the following lines in my .ssh/config helped:
Code: |
HostKeyAlgorithms=+ssh-dss
PubKeyAcceptedKeyTypes=+dsa
|
Of course you'll need different parameters instead of 'ssh-dss' and 'dsa', I guess. The man pages of ssh and ssh_config may tell you more. |
|
Back to top |
|
|
Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
|
Posted: Sat Nov 14, 2015 6:30 pm Post subject: |
|
|
NeddySeagoon wrote: | Tony0945,
Tony0945 wrote: | I don't use keys since they go out of date when either machine reboots. |
Care to expand on that?
It doesn't seem to happen to me.
The host key changes every liveCD boot but only on live media. |
I haven't tried for a year or two, maybe three, but I would laboriously set up the keys and after rebooting I would get a message about mismatched keys when I attempted to log in via ssh. Seemed to be either computer, so I just quit. Maybe I should try again. |
|
Back to top |
|
|
freke Veteran
Joined: 23 Jan 2003 Posts: 1029 Location: Somewhere in Denmark
|
Posted: Sat Nov 14, 2015 8:24 pm Post subject: |
|
|
Tony0945 wrote: | Note also that root logins are no longer allowed. That's why I have masked sshd-7.0 and above. |
That's just a matter of putting Code: | PermitRootLogin yes | in /etc/ssh/sshd_config |
|
Back to top |
|
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 22697
|
Posted: Sat Nov 14, 2015 8:41 pm Post subject: |
|
|
freke wrote: | That's just a matter of putting Code: | PermitRootLogin yes | in /etc/ssh/sshd_config | True, but this is usually a bad idea. If you do that, then remote users can attempt to log in as root using root's password, if password authentication is allowed. If password authentication must be allowed for normal users, you should use PermitRootLogin no or PermitRootLogin without-password to disallow root or to restrict root to key-only authentication, respectively. |
|
Back to top |
|
|
Moriah Advocate
Joined: 27 Mar 2004 Posts: 2381 Location: Kentucky
|
Posted: Sat Nov 14, 2015 8:57 pm Post subject: |
|
|
My original question was about initial key exchange for a password login
This thread has been hijacked to the issue of stored keys
That's not what I asked about. I cannot login into an old machine using a password. It never even gets as far as asking for the password, because the key exchange method to encrypt my password is not the same at both ends.
Can anybody address *THAT* question? _________________ The MyWord KJV Bible tool is at http://www.elilabs.com/~myword
Foghorn Leghorn is a Warner Bros. cartoon character. |
|
Back to top |
|
|
toralf Developer
Joined: 01 Feb 2004 Posts: 3940 Location: Hamburg
|
Posted: Sat Nov 14, 2015 9:00 pm Post subject: |
|
|
So, you didn't find anything here : http://www.openssh.com/legacy.html which helps ?
(took 2 sec to google that - it is the very first entry in the hit list) |
|
Back to top |
|
|
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54578 Location: 56N 3W
|
Posted: Sat Nov 14, 2015 9:25 pm Post subject: |
|
|
Moriah,
The password is not exchanged when you use key based login.
Its an encrypted challenge and encrypted response that are exchanged.
The password you enter is used to unlock your private key so that the encrypted response can be sent.
The problem is that the two machines cannot agree on the encryption to be used for the challenge/response phases.
The remote box only offers diffie-hellman-group1-sha1.
Asking what ssh supports for key exchange gets me
Code: | $ ssh -Q kex
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256@libssh.org | which is listed. Thats for
Code: | $ ssh -V
OpenSSH_7.1p1-hpn14v9, OpenSSL 1.0.2d 9 Jul 2015 |
What version of the ssh client do you have and what key exchange methods are supported? _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
Back to top |
|
|
Moriah Advocate
Joined: 27 Mar 2004 Posts: 2381 Location: Kentucky
|
Posted: Sat Nov 14, 2015 9:34 pm Post subject: |
|
|
Looks the same as yours:
Code: |
moses ~ # ssh me@old.system.com
Unable to negotiate with 111.111.111.111: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
moses ~ # ssh -Q kex
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256@libssh.org
moses ~ # ssh -V
OpenSSH_7.1p1-hpn14v9, OpenSSL 1.0.2d 9 Jul 2015
moses ~ #
|
Very Strange. _________________ The MyWord KJV Bible tool is at http://www.elilabs.com/~myword
Foghorn Leghorn is a Warner Bros. cartoon character. |
|
Back to top |
|
|
Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
|
Posted: Sat Nov 14, 2015 10:03 pm Post subject: Re: HELP - can't connect to old sshd |
|
|
Moriah wrote: |
moses ~ # ssh -Y me@xxx.yyy.zzz
Unable to negotiate with 999.999.999.999: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
moses ~ #
How do I connect to this old system with the new and "improved" openssh client? |
No hijacking. That was your original post with bolding added. It was reasonable to assume that keys were the problem from the message and the fact that the most recent version of openssh dropped support for two key systems. |
|
Back to top |
|
|
Moriah Advocate
Joined: 27 Mar 2004 Posts: 2381 Location: Kentucky
|
Posted: Sat Nov 14, 2015 10:50 pm Post subject: |
|
|
I never said it was *deliberate* hijacking, really meant the topic drifted somewhat from my original problem. I see now how it does look like it could be a key problem. I did not give enough detail. _________________ The MyWord KJV Bible tool is at http://www.elilabs.com/~myword
Foghorn Leghorn is a Warner Bros. cartoon character. |
|
Back to top |
|
|
freke Veteran
Joined: 23 Jan 2003 Posts: 1029 Location: Somewhere in Denmark
|
Posted: Tue Nov 17, 2015 7:49 pm Post subject: |
|
|
You have any KexAlgorithms set in sshd_config?
ie. I have Code: | KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384 | in /etc/ssh/sshd_config to only allow stronger (I hope) keys and I get the odd Code: | [sshd] fatal: Unable to negotiate with 212.129.6.83: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth] | whenever someone tries to... forcebrute using keys? my ssh-server.
is what the client supports I believe - not what the server supports.
Also http://serverfault.com/questions/158151/sshd-shuts-down-with-no-supported-key-exchange-algorithms-error suggests it could be permissions on the key-files(or 0bytes files)? (all files are root/root on my Gentoo) |
|
Back to top |
|
|
Moriah Advocate
Joined: 27 Mar 2004 Posts: 2381 Location: Kentucky
|
Posted: Tue Nov 17, 2015 8:07 pm Post subject: |
|
|
Neddy solved this one for me. I had to specify an option to the ssh client so it would work with what the server had to offer. _________________ The MyWord KJV Bible tool is at http://www.elilabs.com/~myword
Foghorn Leghorn is a Warner Bros. cartoon character. |
|
Back to top |
|
|
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54578 Location: 56N 3W
|
Posted: Tue Nov 17, 2015 8:20 pm Post subject: |
|
|
Moriah,
You can fix it in your ssh_config too, so you don't need the command line option.
Its your ssh client you need to fine tune.
freke suggested sshd_config, which will set the options for your sshd server.
Meanwhile, file a bug with the server operator and get them to update their sshd _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
Back to top |
|
|
toralf Developer
Joined: 01 Feb 2004 Posts: 3940 Location: Hamburg
|
Posted: Tue Nov 17, 2015 8:21 pm Post subject: |
|
|
Moriah wrote: | Neddy solved this one for me. | great. Now just please add a "[solved]" in front of this threat title
TIA. |
|
Back to top |
|
|
Moriah Advocate
Joined: 27 Mar 2004 Posts: 2381 Location: Kentucky
|
Posted: Tue Nov 17, 2015 9:46 pm Post subject: |
|
|
I added SOLVED to the title of the thread. I guess you didn't look... _________________ The MyWord KJV Bible tool is at http://www.elilabs.com/~myword
Foghorn Leghorn is a Warner Bros. cartoon character. |
|
Back to top |
|
|
|