From: Lee <ler762@gmail.com>
To: cygwin@cygwin.com
Subject: problem with ~/.ssh/config ?
Date: Tue, 15 Sep 2015 21:59:00 -0000
Message-ID: <CAD8GWsvMTrzmJZhp2DQtfKNk6bpNAVSL1N1uYN5YVyHLqJ4yOw@mail.gmail.com>
OpenSSH 7.0 defaults to no support for diffie-hellman-group1-sha1 key
exchange which is a problem with certain devices:
$ ssh 10.10.3.5
Unable to negotiate with 10.10.3.5: no matching key exchange method
found. Their offer: diffie-hellman-group1-sha1
http://www.openssh.com/legacy.html has two work-arounds:
1. add "-oKexAlgorithms=+diffie-hellman-group1-sha1" to the ssh
command -- which works for me
2. add "Host * KexAlgorithms +diffie-hellman-group1-sha1" to
~/.ssh/config -- which does not work for me
What's the trick for getting the KexAlgorithms param in ~/.ssh/config to work?
$ cat ~/.ssh/config
# ssh common params
# Protocol 2,1
# ??? still need version 1 compatibility ???
# IOS devices running "Remote protocol version 1.99, remote software version Cisco-1.25"
# only do diffie-hellman-group1-sha1 for key exchange & OpenSSH 7.0 has it disabled by default.
# re-enable & add to the end of the list:
Host * KexAlgorithms +diffie-hellman-group1-sha1
ServerAliveInterval 40
# Sets a timeout interval in seconds after which if no data has
# been received from the server, ssh(1) will send a message through
# the encrypted channel to request a response from the server.
ServerAliveCountMax 6
# Sets the number of server alive messages which may be
# sent without ssh(1) receiving any messages back from the server.
# If this threshold is reached while server alive messages are
# being sent, ssh will disconnect from the server, terminating the
# session.
TCPKeepAlive yes
# Specifies whether the system should send TCP keepalive messages
# to the other side. If they are sent, death of the connection or
# crash of one of the machines will be properly noticed. However,
# this means that connections will die if the route is down temporarily,
# and some people find it annoying.
add "-o" on command line: works
$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -G 10.10.3.5 | grep -i kex
kexalgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
"host * KexAlgorithms" in .ssh/config does not work:
$ ssh -G 10.10.3.5 | grep -i kex
kexalgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
if it helps any, ssh with the -v option:
$ ssh -v 10.10.3.5
OpenSSH_7.0p1, OpenSSL 1.0.2d 9 Jul 2015
debug1: Reading configuration data /home/Lee/.ssh/config
debug1: /home/Lee/.ssh/config line 9: Applying options for *
debug1: Connecting to 10.10.3.5 [10.10.3.5] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/Lee/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/Lee/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/Lee/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/Lee/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/Lee/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/Lee/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/Lee/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/Lee/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.0
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: match: Cisco-1.25 pat Cisco-1.* compat 0x60000000
debug1: Authenticating to 10.10.3.5:22 as 'Lee'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-sha1 none
debug1: kex: client->server aes128-cbc hmac-sha1 none
Unable to negotiate with 10.10.3.5: no matching key exchange method
found. Their offer: diffie-hellman-group1-sha1
TIA,
Lee
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
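Added example, not from the post or from OpenSSH: a small Python model of how ssh_config is read (every word after the Host keyword on the same line is a host pattern, options attach to the most recent Host line, and the first obtained value wins), which shows why the one-line "Host * KexAlgorithms ..." form in the post yields no KexAlgorithms override while the two-line form from the legacy page does. DEFAULT_KEX is copied from the `ssh -G` output in the post; the two sample configs are constructed, and the per-host block narrows the weak 1024-bit group1 exchange to the one device that needs it instead of every host.

```python
import fnmatch
import re

# Copied from the OpenSSH 7.0 `ssh -G` output in the post (default list, no group1).
DEFAULT_KEX = ("curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,"
               "ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,"
               "diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1")

def parse_ssh_config(text):
    """Return [(host_patterns, {option: value}), ...] in file order.

    Models ssh_config(5): comments and blank lines are skipped, keywords are
    case-insensitive, "Host" takes every remaining word on its line as a
    pattern, and other keywords attach to the most recent Host block.
    """
    blocks = [(["*"], {})]  # options before any Host line apply to every host
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword, rest = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if keyword == "host":
            blocks.append((rest.split(), {}))
        else:
            blocks[-1][1].setdefault(keyword, rest.strip())  # first value wins
    return blocks

def resolve(blocks, hostname):
    """Collect options for hostname: glob-match Host patterns, first obtained wins."""
    options = {}
    for patterns, opts in blocks:
        if any(fnmatch.fnmatchcase(hostname, p) for p in patterns):
            for key, value in opts.items():
                options.setdefault(key, value)
    return options

def effective_kex(options, default=DEFAULT_KEX):
    """Apply the '+' prefix (append to the default list) that the post relies on."""
    value = options.get("kexalgorithms")
    if value is None:
        return default
    return default + "," + value[1:] if value.startswith("+") else value

# Constructed inputs: the one-line form from the post, and a per-host two-line form.
ONE_LINE = "Host * KexAlgorithms +diffie-hellman-group1-sha1\nServerAliveInterval 40\n"
TWO_LINE = "Host 10.10.3.5\n    KexAlgorithms +diffie-hellman-group1-sha1\n"

if __name__ == "__main__":
    for name, cfg in (("one-line", ONE_LINE), ("two-line", TWO_LINE)):
        print(name, "->", effective_kex(resolve(parse_ssh_config(cfg), "10.10.3.5")))
```

In the one-line form the words "KexAlgorithms" and "+diffie-hellman-group1-sha1" become extra host patterns, which is why `ssh -G` still prints the default list.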