Gentoo Forums :: Networking & Security
HELP - can't connect to old sshd --SOLVED
Moriah
Advocate
Joined: 27 Mar 2004
Posts: 2381
Location: Kentucky
PostPosted: Sat Nov 14, 2015 4:25 pm    Post subject: HELP - can't connect to old sshd --SOLVED

Since last week's update, I am unable to connect via ssh to a machine that I do not administer:
Code:

moses ~ # ssh -Y me@xxx.yyy.zzz
Unable to negotiate with 999.999.999.999: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
moses ~ #

How do I connect to this old system with the new and "improved" openssh client?
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.


Last edited by Moriah on Tue Nov 17, 2015 8:07 pm; edited 1 time in total

Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA
PostPosted: Sat Nov 14, 2015 4:43 pm    Post subject:

You have to drop down to the older ssh on your immediate machine, then log in with the old key system. Once you have logged in, update the keys to a method that the newest sshd supports, then you can update both. Search the forum and I believe there was a news item regarding keys.

I don't use keys since they go out of date when either machine reboots. Note also that root logins are no longer allowed. That's why I have masked sshd-7.0 and above.

NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54578
Location: 56N 3W
PostPosted: Sat Nov 14, 2015 5:03 pm    Post subject:

Tony0945,

Tony0945 wrote:
I don't use keys since they go out of date when either machine reboots.

Care to expand on that?
It doesn't seem to happen to me.

The host key changes every liveCD boot but only on live media.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

Gentlenoob
n00b
Joined: 10 Apr 2008
Posts: 72
PostPosted: Sat Nov 14, 2015 5:55 pm    Post subject:

Moriah,

in my case, which looks similar but not completely identical, the following lines in my .ssh/config helped:
Code:

HostKeyAlgorithms=+ssh-dss
PubKeyAcceptedKeyTypes=+dsa

Of course you'll need different parameters instead of 'ssh-dss' and 'dsa', I guess. The man pages of ssh and ssh_config may tell you more.

Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA
PostPosted: Sat Nov 14, 2015 6:30 pm    Post subject:

NeddySeagoon wrote:
Tony0945,

Tony0945 wrote:
I don't use keys since they go out of date when either machine reboots.

Care to expand on that?
It doesn't seem to happen to me.

The host key changes every liveCD boot but only on live media.


I haven't tried for a year or two, maybe three, but I would laboriously set up the keys and after rebooting I would get a message about mismatched keys when I attempted to log in via ssh. Seemed to be either computer, so I just quit. Maybe I should try again.

freke
Veteran
Joined: 23 Jan 2003
Posts: 1029
Location: Somewhere in Denmark
PostPosted: Sat Nov 14, 2015 8:24 pm    Post subject:

Tony0945 wrote:
Note also that root logins are no longer allowed. That's why I have masked sshd-7.0 and above.


That's just a matter of putting
Code:
PermitRootLogin yes
in /etc/ssh/sshd_config

Hu
Administrator
Joined: 06 Mar 2007
Posts: 22697
PostPosted: Sat Nov 14, 2015 8:41 pm    Post subject:

freke wrote:
That's just a matter of putting
Code:
PermitRootLogin yes
in /etc/ssh/sshd_config
True, but this is usually a bad idea. If you do that, then remote users can attempt to log in as root using root's password, if password authentication is allowed. If password authentication must be allowed for normal users, you should use PermitRootLogin no or PermitRootLogin without-password to disallow root or to restrict root to key-only authentication, respectively.

Moriah
Advocate
Joined: 27 Mar 2004
Posts: 2381
Location: Kentucky
PostPosted: Sat Nov 14, 2015 8:57 pm    Post subject:

My original question was about initial key exchange for a password login.
This thread has been hijacked to the issue of stored keys.

That's not what I asked about. I cannot log in to an old machine using a password. It never even gets as far as asking for the password, because the key exchange method to encrypt my password is not the same at both ends.

Can anybody address *THAT* question?

toralf
Developer
Joined: 01 Feb 2004
Posts: 3940
Location: Hamburg
PostPosted: Sat Nov 14, 2015 9:00 pm    Post subject:

So, you didn't find anything here: http://www.openssh.com/legacy.html which helps?
(took 2 sec to google that - it is the very first entry in the hit list)

NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54578
Location: 56N 3W
PostPosted: Sat Nov 14, 2015 9:25 pm    Post subject:

Moriah,

The password is not exchanged when you use key based login.

It's an encrypted challenge and encrypted response that are exchanged.
The password you enter is used to unlock your private key so that the encrypted response can be sent.

The problem is that the two machines cannot agree on the encryption to be used for the challenge/response phases.
The remote box only offers diffie-hellman-group1-sha1.

Asking what ssh supports for key exchange gets me
Code:
$ ssh -Q kex
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256@libssh.org
which is listed. That's for
Code:
$ ssh -V
OpenSSH_7.1p1-hpn14v9, OpenSSL 1.0.2d 9 Jul 2015

What version of the ssh client do you have and what key exchange methods are supported?

Moriah
Advocate
Joined: 27 Mar 2004
Posts: 2381
Location: Kentucky
PostPosted: Sat Nov 14, 2015 9:34 pm    Post subject:

Looks the same as yours:

Code:

moses ~ # ssh me@old.system.com
Unable to negotiate with 111.111.111.111: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

moses ~ # ssh -Q kex
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256@libssh.org

moses ~ # ssh -V
OpenSSH_7.1p1-hpn14v9, OpenSSL 1.0.2d 9 Jul 2015
moses ~ #

Very Strange. 8O

Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA
PostPosted: Sat Nov 14, 2015 10:03 pm    Post subject: Re: HELP - can't connect to old sshd

Moriah wrote:

moses ~ # ssh -Y me@xxx.yyy.zzz
Unable to negotiate with 999.999.999.999: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
moses ~ #

How do I connect to this old system with the new and "improved" openssh client?


No hijacking. That was your original post with bolding added. It was reasonable to assume that keys were the problem from the message and the fact that the most recent version of openssh dropped support for two key systems.

Moriah
Advocate
Joined: 27 Mar 2004
Posts: 2381
Location: Kentucky
PostPosted: Sat Nov 14, 2015 10:50 pm    Post subject:

I never said it was *deliberate* hijacking; I really meant the topic drifted somewhat from my original problem. I see now how it does look like it could be a key problem. I did not give enough detail. :oops:

freke
Veteran
Joined: 23 Jan 2003
Posts: 1029
Location: Somewhere in Denmark
PostPosted: Tue Nov 17, 2015 7:49 pm    Post subject:

You have any KexAlgorithms set in sshd_config?

i.e. I have
Code:
KexAlgorithms   ecdh-sha2-nistp521,ecdh-sha2-nistp384
in /etc/ssh/sshd_config to only allow stronger (I hope) keys and I get the odd
Code:
[sshd] fatal: Unable to negotiate with 212.129.6.83: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
whenever someone tries to... brute-force using keys? my ssh-server.

Code:
ssh -Q kex
is what the client supports I believe - not what the server supports.

Also http://serverfault.com/questions/158151/sshd-shuts-down-with-no-supported-key-exchange-algorithms-error suggests it could be permissions on the key files (or 0-byte files)? (all files are root/root on my Gentoo)
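An added example, not freke's own code: a small shell triage of sshd log lines in the format freke quoted, tallying "no matching key exchange method" rejections by peer address and by offered algorithm, so an admin can tell one legitimate legacy client (worth a narrow exception) from a wide scan. The log lines and addresses are constructed sample input.

```shell
# Added example (not from the thread). Tally sshd's KEX-mismatch rejections in a
# log extract by peer and by offered algorithm. One peer failing repeatedly is a
# legacy client to talk to; many peers each offering only group1-sha1 are scanners.

# Constructed sample log lines in the shape freke quoted (addresses are made up).
SAMPLE_LOG='Nov 17 19:40:01 host sshd[2101]: fatal: Unable to negotiate with 203.0.113.5: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Nov 17 19:40:09 host sshd[2104]: Accepted publickey for freke from 198.51.100.7 port 50222 ssh2
Nov 17 19:41:15 host sshd[2110]: fatal: Unable to negotiate with 203.0.113.5: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Nov 17 19:42:30 host sshd[2115]: fatal: Unable to negotiate with 192.0.2.44: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1 [preauth]
Nov 17 19:43:02 host sshd[2120]: fatal: Unable to negotiate with 192.0.2.45: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1 [preauth]'

# Only the lines rejected for a KEX mismatch, reduced to "<peer> <offer>".
kex_rejections() {
    printf '%s\n' "$1" | sed -n \
        's/.*Unable to negotiate with \([^:]*\):.*Their offer: *\(.*\) \[preauth\].*/\1 \2/p'
}

# Rejections per peer address, most frequent first ("count peer").
rejections_by_peer() {
    kex_rejections "$1" | cut -d' ' -f1 | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# How often each single algorithm was offered (an offer may be a comma list).
rejections_by_alg() {
    kex_rejections "$1" | cut -d' ' -f2- | tr ',' '\n' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Headline for the admin: total rejections and how many distinct peers caused them.
triage() {
    total=$(kex_rejections "$1" | wc -l | tr -d ' ')
    peers=$(rejections_by_peer "$1" | wc -l | tr -d ' ')
    printf '%s KEX rejections from %s distinct peers\n' "$total" "$peers"
}

triage "$SAMPLE_LOG"
rejections_by_peer "$SAMPLE_LOG"
rejections_by_alg "$SAMPLE_LOG"
```

On a real box feed it the sshd lines from /var/log/auth.log (or `journalctl -u sshd`) instead of `$SAMPLE_LOG`.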

Moriah
Advocate
Joined: 27 Mar 2004
Posts: 2381
Location: Kentucky
PostPosted: Tue Nov 17, 2015 8:07 pm    Post subject:

Neddy solved this one for me. I had to specify an option to the ssh client so it would work with what the server had to offer.

NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54578
Location: 56N 3W
PostPosted: Tue Nov 17, 2015 8:20 pm    Post subject:

Moriah,

You can fix it in your ssh_config too, so you don't need the command line option.
It's your ssh client you need to fine tune.

freke suggested sshd_config, which will set the options for your sshd server.

Meanwhile, file a bug with the server operator and get them to update their sshd.
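An added example, not code from the thread, that ties NeddySeagoon's `ssh -Q kex` check to his ssh_config suggestion: parse the client's "Unable to negotiate" line, confirm the client still ships one of the KEX methods the server offered, and emit a `Host` stanza that re-enables it for that one address only. The error line and the kex list are the ones quoted earlier in the thread, embedded here as sample input; `suggest_fix` and the other function names are my own.

```shell
# Added example (not from the thread). Given the "Unable to negotiate" line the
# ssh client printed and the list from `ssh -Q kex`, pick a KEX the client still
# ships and print a ~/.ssh/config "Host" stanza that re-enables it for that one
# host only, so every other connection keeps the default (stronger) list.
# Constructed sample input: the error line from the thread and the 7.1p1 kex list.
ERR_LINE='Unable to negotiate with 111.111.111.111: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1'
CLIENT_KEX='diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256@libssh.org'

# Peer address from the error line ("... with <addr>: ...").
peer_addr() {
    printf '%s\n' "$1" | sed -n 's/.*negotiate with \([^:]*\):.*/\1/p'
}

# Comma-separated algorithms after "Their offer:" (sshd's own log adds " [preauth]").
offered_kex() {
    printf '%s\n' "$1" | sed -n '/Their offer:/{s/.*Their offer: *//;s/ *\[preauth\]$//;p;}'
}

# First offered algorithm the client still supports; returns 1 if there is none.
pick_kex() {
    for alg in $(printf '%s\n' "$1" | tr ',' ' '); do
        if printf '%s\n' "$2" | grep -qxF -- "$alg"; then
            printf '%s\n' "$alg"
            return 0
        fi
    done
    return 1
}

# Stanza scoped to the legacy host; do not put the "+" line under "Host *".
legacy_stanza() {
    printf 'Host %s\n    KexAlgorithms +%s\n' "$1" "$2"
}

suggest_fix() {
    host=$(peer_addr "$ERR_LINE")
    kex=$(pick_kex "$(offered_kex "$ERR_LINE")" "$CLIENT_KEX") || {
        echo "no KEX in common with $host; the server side has to be updated" >&2
        return 1
    }
    legacy_stanza "$host" "$kex"
}
suggest_fix
```

The printed stanza is the ssh_config equivalent of passing `-oKexAlgorithms=+diffie-hellman-group1-sha1` on the command line; keeping it under a specific `Host` means the weak group is offered to that server alone.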

toralf
Developer
Joined: 01 Feb 2004
Posts: 3940
Location: Hamburg
PostPosted: Tue Nov 17, 2015 8:21 pm    Post subject:

Moriah wrote:
Neddy solved this one for me.
great. Now just please add a "[solved]" in front of this thread title :)
TIA.

Moriah
Advocate
Joined: 27 Mar 2004
Posts: 2381
Location: Kentucky
PostPosted: Tue Nov 17, 2015 9:46 pm    Post subject:

I added SOLVED to the title of the thread. I guess you didn't look...