From: Lee
To: cygwin@cygwin.com
Date: Tue, 15 Sep 2015 21:59:00 -0000
Subject: problem with ~/.ssh/config ?

OpenSSH 7.0 defaults to no support for diffie-hellman-group1-sha1 key exchange, which is a problem with certain devices:

$ ssh 10.10.3.5
Unable to negotiate with 10.10.3.5: no matching key exchange method found.
Their offer: diffie-hellman-group1-sha1

http://www.openssh.com/legacy.html has two work-arounds:

1. add "-oKexAlgorithms=+diffie-hellman-group1-sha1" to the ssh command -- which works for me
2. add "Host * KexAlgorithms +diffie-hellman-group1-sha1" to ~/.ssh/config -- which does not work for me

What's the trick for getting the KexAlgorithms param in ~/.ssh/config to work?
$ cat ~/.ssh/config
# ssh common params

# Protocol 2,1
# ??? still need version 1 compatibility ???

# IOS devices running "Remote protocol version 1.99, remote software version Cisco-1.25"
# only do diffie-hellman-group1-sha1 for key exchange & OpenSSH 7.0 has it disabled by default.
# re-enable & add to the end of the list:
Host *
  KexAlgorithms +diffie-hellman-group1-sha1

  ServerAliveInterval 40
  # Sets a timeout interval in seconds after which if no data has
  # been received from the server, ssh(1) will send a message through
  # the encrypted channel to request a response from the server.

  ServerAliveCountMax 6
  # Sets the number of server alive messages which may be
  # sent without ssh(1) receiving any messages back from the server.
  # If this threshold is reached while server alive messages are
  # being sent, ssh will disconnect from the server, terminating the
  # session.

  TCPKeepAlive yes
  # Specifies whether the system should send TCP keepalive messages
  # to the other side. If they are sent, death of the connection or
  # crash of one of the machines will be properly noticed. However,
  # this means that connections will die if the route is down temporarily,
  # and some people find it annoying.
add "-o" on command line: works

$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -G 10.10.3.5 | grep -i kex
kexalgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

"host * KexAlgorithms" in .ssh/config does not work:

$ ssh -G 10.10.3.5 | grep -i kex
kexalgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1

if it helps any, ssh with the -v option:

$ ssh -v 10.10.3.5
OpenSSH_7.0p1, OpenSSL 1.0.2d 9 Jul 2015
debug1: Reading configuration data /home/Lee/.ssh/config
debug1: /home/Lee/.ssh/config line 9: Applying options for *
debug1: Connecting to 10.10.3.5 [10.10.3.5] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/Lee/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/Lee/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/Lee/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/Lee/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/Lee/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/Lee/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/Lee/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/Lee/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.0
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: match: Cisco-1.25 pat Cisco-1.* compat 0x60000000
debug1: Authenticating to 10.10.3.5:22 as 'Lee'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-sha1 none
debug1: kex: client->server aes128-cbc hmac-sha1 none
Unable to negotiate with 10.10.3.5: no matching key exchange method found.
Their offer: diffie-hellman-group1-sha1

TIA,
Lee
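An added check (example code, not from Lee's mail or from the OpenSSH project) that parses `ssh -G` output to tell whether the legacy KEX algorithm was actually picked up from the config and whether it landed at the end of the list, which is what the `+` form is meant to produce. The two sample lines are the `ssh -G ... | grep -i kex` results quoted above; `check_host` assumes an OpenSSH `ssh` that supports `-G` is on PATH.

```shell
#!/bin/sh
# Added example, not from the original mail: decide from `ssh -G` output
# whether a legacy KEX algorithm is in the effective list and whether it
# was appended (the "+alg" form keeps the modern defaults ahead of it).

# Constructed samples: the two `ssh -G ... | grep -i kex` lines quoted in the mail.
WITH_LEGACY='kexalgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1'
WITHOUT_LEGACY='kexalgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1'

# kex_verdict "<ssh -G output>" "<algorithm>"
# Prints one of:
#   absent     - algorithm not in the effective list (the config line was not applied)
#   appended   - algorithm present and last, as "KexAlgorithms +alg" should produce
#   present:N  - algorithm present at position N (list was replaced rather than extended)
kex_verdict() {
    list=$(printf '%s\n' "$1" | awk 'tolower($1) == "kexalgorithms" { print $2; exit }')
    pos=0
    count=0
    oldifs=$IFS
    IFS=,
    for alg in $list; do
        count=$((count + 1))
        [ "$alg" = "$2" ] && pos=$count
    done
    IFS=$oldifs
    if [ "$pos" -eq 0 ]; then
        echo absent
    elif [ "$pos" -eq "$count" ]; then
        echo appended
    else
        echo "present:$pos"
    fi
}

# Live comparison for a real host: what ssh resolves from ~/.ssh/config alone
# versus with the -o override. Assumes an OpenSSH ssh with -G support on PATH.
# Usage: check_host 10.10.3.5 diffie-hellman-group1-sha1
check_host() {
    printf 'config only: %s\n' "$(kex_verdict "$(ssh -G "$1")" "$2")"
    printf '-o override: %s\n' "$(kex_verdict "$(ssh -o "KexAlgorithms=+$2" -G "$1")" "$2")"
}
```

If `config only` reports `absent` while `-o override` reports `appended`, the client parsed the override but not the config file line, which is exactly the gap the mail describes.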