Message-ID: <846d44e8-6b8d-456e-aab2-86d81eb1d323@SystematicSw.ab.ca>
Date: Sun, 7 Nov 2021 22:04:40 -0700
Subject: Re: Problem with OpenSSH
To: cygwin@cygwin.com
From: Brian Inglis
Organization: Systematic Software
In-Reply-To: <004701d7d433$5f9415c0$1ebc4140$@nickpopoff.net>

On 2021-11-07 16:58, Nick Popoff wrote:
> Now I Am having severe problem with 'ssh'. A simple login command like:
> Ssh nick@....com
> Results in the following response:
> C:/cygwin64/home/Nick> ssh host.com
> Unable to negotiate with port 22: no matching key exchange method
> found. Their offer:
> gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,
> diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> This is a fresh install of Cygwin on a clean Windows 11. I went back to 3.2
> for now as I cannot work with 3.3.1.
> In other words, the 3.3.1 ssh.exe does not accept legacy kex
> algorithms at all, no matter what. I no longer can log in to
> Solaris. For example, it DOES NOT accept the following:
> ssh.exe -o KexAlgorithms=+diffie-hellman-group14-sha1 nick@host.com
> Unable to negotiate with 50.248.140.9 port 22: no matching host key
> type found. Their offer: ssh-rsa,ssh-dss
> Version 3.2 had no problem with legacy algorithms. Can somebody explain as
> to what is going on here. Is it a bug? Or a deliberate break of
> compatibility?

Cygwin release has little to do with the independent package releases, in your case openssh which contains the ssh utilities.
Which platform and releases of SSH and SSL are you running in your PATH:

$ which -a ssh
/usr/bin/ssh
/cygdrive/c/WINDOWS/System32/OpenSSH/ssh
$ ssh -V	# You may well be running Cygwin OpenSSL 1.1.1l
OpenSSH_8.8p1, OpenSSL 1.1.1k 25 Mar 2021
$ /cygdrive/c/WINDOWS/System32/OpenSSH/ssh -V
OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2

If you are running Cygwin OpenSSH 8.2 or later, the announcement last year warns that all certain algorithms are now disabled by default, and how they may be re-enabled until other systems get upgraded:

https://cygwin.com/pipermail/cygwin-announce/2020-February/009407.html

"openssh 8.2p1-1
...
Potentially-incompatible changes
================================

This release includes a number of changes that may affect existing configurations:

 * ssh(1), sshd(8): the above removal of "ssh-rsa" from the accepted CASignatureAlgorithms list.

 * ssh(1), sshd(8): this release removes diffie-hellman-group14-sha1 from the default key exchange proposal for both the client and server.

 * ssh-keygen(1): the command-line options related to the generation and screening of safe prime numbers used by the diffie-hellman-group-exchange-* key exchange algorithms have changed. Most options have been folded under the -O flag.
..."

The more recent OpenSSH 8.8 announcement disables RSA signatures using SHA1 algorithms but has an example showing how you may re-enable deprecated algorithms for specific hosts:

https://cygwin.com/pipermail/cygwin-announce/2021-October/010257.html

"openssh 8.8p1-1
...
Potentially-incompatible changes
================================

This release disables RSA signatures using the SHA-1 hash algorithm by default. This change has been made as the SHA-1 hash algorithm is cryptographically broken, and it is possible to create chosen-prefix hash collisions for