
I have an issue where older clients aren't able to connect to current (v8.x) versions of openssh server. I'm familiar with adding ssh-rsa,ssh-dss to the list of available key types but that doesn't seem to work for this issue.

One of our vendors is the client and there's no option of passing flags. When they try to connect, I get the following:

Apr 16 20:57:13 server sshd[70429]: Unable to negotiate with 10.0.3.39 port 49100: no matching host key type found. Their offer: [email protected],[email protected],[email protected],[email protected],ssh-rsa,ssh-dss [preauth]

I've added the following to /etc/ssh/sshd_config.d/10-test.conf

KexAlgorithms=+diffie-hellman-group1-sha1
[email protected],[email protected],ssh-rsa,ssh-dss
PubkeyAcceptedAlgorithms=+ssh-rsa,ssh-dss

I've also tried it without the '=', but it has no effect. Here's the debug output:

[centos@ip-10-0-3-39 ~]$ ssh -vv -i test [email protected]
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 10.0.3.225 [10.0.3.225] port 22.
debug1: Connection established.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file test type -1
debug1: identity file test-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.7
debug1: match: OpenSSH_8.7 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,[email protected]
debug2: kex_parse_kexinit: hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96
debug2: kex_parse_kexinit: hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,[email protected]
debug2: kex_parse_kexinit: ecdsa-sha2-nistp256,ssh-ed25519
debug2: kex_parse_kexinit: [email protected],[email protected],aes256-ctr,[email protected],aes128-ctr
debug2: kex_parse_kexinit: [email protected],[email protected],aes256-ctr,[email protected],aes128-ctr
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha1,[email protected],hmac-sha2-512
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha1,[email protected],hmac-sha2-512
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_setup: found hmac-sha1
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug2: mac_setup: found hmac-sha1
debug1: kex: client->server aes128-ctr hmac-sha1 none
no hostkey alg

Does anyone have any ideas here? I'm at a loss.

Thanks!
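The failure in the transcript above is visible in the two `kex_parse_kexinit` host-key lines: the client offers ssh-rsa and ssh-dss, the server offers only ecdsa-sha2-nistp256 and ssh-ed25519, and there is no overlap. The following script, added here as an example and not part of the original post, replays that negotiation from an `ssh -vv` transcript. It assumes OpenSSH's debug format (one `kex_parse_kexinit` line per KEXINIT name-list, the client's ten lists first) and applies the RFC 4253 rule that the first algorithm in the client's order that the server also offers wins. The sample transcript is constructed from the question's output; the names that contained "@" are garbled in the copy above and are left out.

```python
"""Replay the algorithm negotiation from an `ssh -vv` transcript.

Added example, not code from the original post. OpenSSH prints one
`kex_parse_kexinit` line per KEXINIT name-list, the client's ten lists first
and then the server's. RFC 4253 section 7.1 picks, for each list, the first
algorithm in the client's order that the server also offers; when no
host-key algorithm overlaps, the 5.3 client stops with "no hostkey alg"
and the 8.x server logs "no matching host key type found".
"""
import re
from typing import Optional

# Name-lists in the order they appear in KEXINIT (RFC 4253 section 7.1).
FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

LINE_RE = re.compile(r"kex_parse_kexinit: ?(.*)$")


def parse_kexinits(transcript: str) -> tuple[dict, dict]:
    """Return (client, server) dicts mapping each FIELDS entry to a list of names."""
    lists = []
    for line in transcript.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        value = m.group(1).strip()
        if value.startswith(("first_kex_follows", "reserved")):
            continue  # trailer fields of KEXINIT, not name-lists
        lists.append([name for name in value.split(",") if name])
    if len(lists) != 2 * len(FIELDS):
        raise ValueError(f"expected {2 * len(FIELDS)} name-lists, got {len(lists)}")
    client = dict(zip(FIELDS, lists[:len(FIELDS)]))
    server = dict(zip(FIELDS, lists[len(FIELDS):]))
    return client, server


def choose(client_list: list, server_list: list) -> Optional[str]:
    """First entry of the client's list that the server also offers, else None."""
    server_set = set(server_list)
    for name in client_list:
        if name in server_set:
            return name
    return None


def negotiate(transcript: str) -> dict:
    """Outcome per name-list; None means no overlap (fatal except for the language lists)."""
    client, server = parse_kexinits(transcript)
    return {field: choose(client[field], server[field]) for field in FIELDS}


# Constructed transcript modelled on the question's debug output.
SAMPLE = """\
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
debug2: kex_parse_kexinit: hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-sha1-96
debug2: kex_parse_kexinit: hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-sha1-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512
debug2: kex_parse_kexinit: ecdsa-sha2-nistp256,ssh-ed25519
debug2: kex_parse_kexinit: aes256-ctr,aes128-ctr
debug2: kex_parse_kexinit: aes256-ctr,aes128-ctr
debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha1,hmac-sha2-512
debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha1,hmac-sha2-512
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
"""


def main() -> None:
    outcome = negotiate(SAMPLE)
    for field, name in outcome.items():
        print(f"{field:9s} {name or 'NO MATCH'}")
    if outcome["hostkey"] is None:
        client, server = parse_kexinits(SAMPLE)
        print("client offers", client["hostkey"], "/ server offers", server["hostkey"])
        # What the negotiation would pick if the server also advertised ssh-rsa.
        print("with ssh-rsa on the server:",
              choose(client["hostkey"], server["hostkey"] + ["ssh-rsa"]))


if __name__ == "__main__":
    main()
```

Run it against a real `ssh -vv` capture by replacing SAMPLE with the file contents; the cipher and MAC results (aes128-ctr, hmac-sha1) reproduce the `kex:` lines in the question, and the empty host-key result is the "no hostkey alg" exit.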

  • Does your sshd_config Include the .d/* files? (Not all do, and it's not default.) Does sshd_config, or .d/*, if used, contain any HostKey settings, and do they include RSA and/or DSA, or does it leave the defaults (which in 8.7 does not include DSA)? Do the configured or defaulted RSA and/or DSA files exist and have correct permissions and contain valid readable keys? – Commented Apr 17 at 0:55
  • You do know that this is CentOS 6, which has no security support, and it also does not support any secure signature algorithms (all of them use SHA-1, which is absolutely insecure). Are you sure you want such an insecure system to log into your machine? – bk2204, Commented Apr 18 at 0:26
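The first comment's checklist (is the drop-in Included, what HostKey lines are in effect) can be worked through offline. The script below is an added example, not code from the original post: it walks a config the way sshd does, expanding Include in place and keeping the first value seen for each keyword, and reports the host-key related settings. The fixture is constructed from the question's drop-in, with its garbled first line taken to be `HostKeyAlgorithms=+ssh-rsa,ssh-dss` (an assumption), and a main config listing only ECDSA and Ed25519 host keys, which matches what the server offered in the question. Relative Include paths are resolved against the main file's directory here, which is an assumption; sshd resolves them against /etc/ssh. On a real host, `sshd -T` is the authoritative dump of the effective configuration.

```python
"""Trace which sshd_config directives actually take effect.

Added example, not code from the original post. sshd keeps the first value it
reads for each keyword (HostKey accumulates) and reads a drop-in directory
only where an Include directive names it, so a file under sshd_config.d that
is never Included changes nothing. Relative Include paths are resolved
against the main file's directory here (assumption; sshd uses /etc/ssh).
"""
import glob
import os
import tempfile
from typing import Optional


def parse_directive(line: str) -> Optional[tuple[str, str]]:
    """(keyword lowercased, value) for 'Keyword value' or 'Keyword=value'; None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    head = line.split(None, 1)
    if "=" in head[0]:
        key, value = line.split("=", 1)
    else:
        key, value = head[0], (head[1] if len(head) > 1 else "")
    return key.strip().lower(), value.strip()


def effective_config(main_path: str) -> tuple[dict, list]:
    """Walk the config like sshd: Include expands in place, first match wins.
    Returns (settings, list of files pulled in through Include)."""
    settings: dict = {"hostkey": []}
    included: list = []

    def walk(path: str) -> None:
        base = os.path.dirname(path)
        with open(path) as fh:
            for raw in fh:
                parsed = parse_directive(raw)
                if parsed is None:
                    continue
                key, value = parsed
                if key == "include":
                    for pattern in value.split():
                        if not os.path.isabs(pattern):
                            pattern = os.path.join(base, pattern)  # assumption, see docstring
                        for inc in sorted(glob.glob(pattern)):
                            included.append(inc)
                            walk(inc)
                elif key == "hostkey":
                    settings["hostkey"].append(value)
                else:
                    settings.setdefault(key, value)  # first occurrence wins

    walk(main_path)
    return settings, included


def build_fixture(with_include: bool) -> str:
    """Constructed /etc/ssh look-alike in a temp dir; returns the main config path."""
    root = tempfile.mkdtemp(prefix="sshd-cfg-")
    dropin_dir = os.path.join(root, "sshd_config.d")
    os.makedirs(dropin_dir)
    with open(os.path.join(dropin_dir, "10-test.conf"), "w") as fh:
        fh.write("KexAlgorithms=+diffie-hellman-group1-sha1\n"
                 "HostKeyAlgorithms=+ssh-rsa,ssh-dss\n"       # assumed form of the garbled line
                 "PubkeyAcceptedAlgorithms=+ssh-rsa,ssh-dss\n")
    main_path = os.path.join(root, "sshd_config")
    with open(main_path, "w") as fh:
        if with_include:
            fh.write("Include sshd_config.d/*.conf\n")
        fh.write("HostKey /etc/ssh/ssh_host_ecdsa_key\n"
                 "HostKey /etc/ssh/ssh_host_ed25519_key\n")
    return main_path


def diagnose(main_path: str) -> dict:
    """Answer the checklist from the comments: Include in effect? RSA host key configured?"""
    settings, included = effective_config(main_path)
    hostkeys = settings["hostkey"]
    return {
        "dropin_included": bool(included),
        "hostkeyalgorithms": settings.get("hostkeyalgorithms"),
        "hostkeys": hostkeys,
        # No HostKey lines at all means sshd's defaults apply, which include the RSA key.
        "rsa_hostkey_configured": (not hostkeys) or any("rsa" in p for p in hostkeys),
    }


if __name__ == "__main__":
    for flag in (False, True):
        print("Include present:", flag, "->", diagnose(build_fixture(flag)))
```

Without the Include, the drop-in's HostKeyAlgorithms never reaches sshd and the main file's HostKey lines leave the server with only ECDSA and Ed25519 keys, which is the offer seen in the question's transcript.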

1 Answer


First, try on the CLI with various options:

ssh -vv -A -t -oHostKeyAlgorithms=+ssh-dss [email protected]

then update the ssh_config file accordingly.
