public inbox for cygwin@cygwin.com
* problem with ~/.ssh/config ?
@ 2015-09-15 21:59 Lee
  2015-09-16  0:45 ` John Hein
  0 siblings, 1 reply; 3+ messages in thread
From: Lee @ 2015-09-15 21:59 UTC (permalink / raw)
  To: cygwin

OpenSSH 7.0 defaults to no support for diffie-hellman-group1-sha1 key
exchange which is a problem with certain devices:

$ ssh  10.10.3.5
Unable to negotiate with 10.10.3.5: no matching key exchange method
found. Their offer: diffie-hellman-group1-sha1

http://www.openssh.com/legacy.html  has two work-arounds:
1. add "-oKexAlgorithms=+diffie-hellman-group1-sha1" to the ssh
command -- which works for me
2. add "Host * KexAlgorithms +diffie-hellman-group1-sha1" to
~/.ssh/config -- which does not work for me

What's the trick for getting the KexAlgorithms param in ~/.ssh/config to work?

$ cat ~/.ssh/config
# ssh common params
# Protocol 2,1
#   ??? still need version 1 compatibility ???


# IOS devices running "Remote protocol version 1.99, remote software version Cisco-1.25"
# only do diffie-hellman-group1-sha1 for key exchange & OpenSSH 7.0 has it disabled by default.
# re-enable & add to the end of the list:
Host  *  KexAlgorithms +diffie-hellman-group1-sha1

ServerAliveInterval  40
#  Sets a timeout interval in seconds after which if no data has
#  been received from the server, ssh(1) will send a message through
#  the encrypted channel to request a response from the server.

ServerAliveCountMax  6
#  Sets the number of server alive messages which may be
#  sent without ssh(1) receiving any messages back from the server.
#  If this threshold is reached while server alive messages are
#  being sent, ssh will disconnect from the server, terminating the
#  session.

TCPKeepAlive yes
#   Specifies whether the system should send TCP keepalive messages
#   to the other side.  If they are sent, death of the connection or
#   crash of one of the machines will be properly noticed.  However,
#   this means that connections will die if the route is down temporarily,
#   and some people find it annoying.



add "-o" on command line: works
$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -G 10.10.3.5 | grep -i kex
kexalgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

"host * KexAlgorithms" in .ssh/config does not work:
$ ssh  -G 10.10.3.5 | grep -i kex
kexalgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1


if it helps any, ssh with the -v option:

$ ssh -v 10.10.3.5
OpenSSH_7.0p1, OpenSSL 1.0.2d 9 Jul 2015
debug1: Reading configuration data /home/Lee/.ssh/config
debug1: /home/Lee/.ssh/config line 9: Applying options for *
debug1: Connecting to 10.10.3.5 [10.10.3.5] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/Lee/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/Lee/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/Lee/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/Lee/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/Lee/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/Lee/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/Lee/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/Lee/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.0
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: match: Cisco-1.25 pat Cisco-1.* compat 0x60000000
debug1: Authenticating to 10.10.3.5:22 as 'Lee'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-sha1 none
debug1: kex: client->server aes128-cbc hmac-sha1 none
Unable to negotiate with 10.10.3.5: no matching key exchange method
found. Their offer: diffie-hellman-group1-sha1


TIA,
Lee

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


* Re: problem with ~/.ssh/config ?
  2015-09-15 21:59 problem with ~/.ssh/config ? Lee
@ 2015-09-16  0:45 ` John Hein
  2015-09-16  1:14   ` Lee
  0 siblings, 1 reply; 3+ messages in thread
From: John Hein @ 2015-09-16  0:45 UTC (permalink / raw)
  To: cygwin

Lee wrote at 17:59 -0400 on Sep 15, 2015:
 > OpenSSH 7.0 defaults to no support for diffie-hellman-group1-sha1 key
 > exchange which is a problem with certain devices:
 >
 > $ ssh  10.10.3.5
 > Unable to negotiate with 10.10.3.5: no matching key exchange method
 > found. Their offer: diffie-hellman-group1-sha1
 >
 > http://www.openssh.com/legacy.html  has two work-arounds:
 > 1. add "-oKexAlgorithms=+diffie-hellman-group1-sha1" to the ssh
 > command -- which works for me
 > 2. add "Host * KexAlgorithms +diffie-hellman-group1-sha1" to
 > ~/.ssh/config -- which does not work for me
 >
 > What's the trick for getting the KexAlgorithms param in ~/.ssh/config to work?
 >
 > $ cat ~/.ssh/config
  .
  .
 > # IOS devices running "Remote protocol version 1.99, remote software
 > version Cisco-1.25"
 > # only do diffie-hellman-group1-sha1 for key exchange & OpenSSH 7.0
 > has it disabled by default.
 > # re-enable & add to the end of the list:
 > Host  *  KexAlgorithms +diffie-hellman-group1-sha1
  .
  .


The trick is a newline.  Host entry on one line, config settings
on lines below it.

Not a cygwin question.


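
The two things this thread turns on, the `ssh -G` dump of the effective KexAlgorithms list and why `Host * KexAlgorithms +diffie-hellman-group1-sha1` on one line does nothing, modeled as an added example. This is not code from the thread or from OpenSSH; it is a deliberately small Python model of ssh_config parsing that follows the documented rules (the `Host` keyword consumes every remaining token on its line as a host pattern, keywords are case-insensitive, the first obtained value for an option wins, and a `+` prefix on KexAlgorithms appends to the default list). The two config strings are constructed for the example; the hostname 10.10.3.5 and the default kex list are copied from the `ssh -G` output above. The FIXED config also scopes the legacy exchange to the one Cisco device instead of `Host *`, since diffie-hellman-group1-sha1 uses a 1024-bit group and re-enabling it globally weakens every other connection for no benefit.

```python
"""Simplified model of ssh_config(5) parsing and KexAlgorithms '+' handling.

Added example, not OpenSSH code: it covers only whitespace-separated
"keyword value" lines, Host blocks, '!' negation, '*' and '?' wildcards,
and '+'/'-' prefixes on KexAlgorithms with exact algorithm names.
"""
import fnmatch

# Client default KexAlgorithms list, copied from the `ssh -G` output in the thread.
DEFAULT_KEX = (
    "curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,"
    "ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,"
    "diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1"
)
LEGACY_KEX = "diffie-hellman-group1-sha1"

# Constructed configs. BROKEN is the one-line form from the original post.
BROKEN_CONFIG = """\
# Everything after the Host keyword is a host pattern, so this block has
# three patterns ("*", "KexAlgorithms", "+diffie-hellman-group1-sha1")
# and sets no options at all.
Host  *  KexAlgorithms +diffie-hellman-group1-sha1
ServerAliveInterval 40
"""

# FIXED puts the option on its own line and scopes it to the one device.
FIXED_CONFIG = """\
Host 10.10.3.5
    KexAlgorithms +diffie-hellman-group1-sha1

Host *
    ServerAliveInterval 40
"""


def parse_blocks(text):
    """Return [(patterns, [(keyword, value), ...]), ...] in file order.

    Lines before the first Host line belong to an implicit "Host *" block.
    """
    blocks = [(["*"], [])]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        keyword, args = tokens[0].lower(), tokens[1:]
        if keyword == "host":
            blocks.append((args, []))  # all remaining tokens are patterns
        else:
            blocks[-1][1].append((keyword, " ".join(args)))
    return blocks


def host_matches(patterns, host):
    """Any positive pattern matches and no '!' pattern does (ssh semantics).

    fnmatchcase also treats '[...]' specially, which ssh does not; fine for
    the plain hostnames used here.
    """
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched


def resolve(text, host):
    """Effective options for `host`: first obtained value wins, as in ssh(1)."""
    opts = {}
    for patterns, settings in parse_blocks(text):
        if not host_matches(patterns, host):
            continue
        for key, value in settings:
            opts.setdefault(key, value)
    return opts


def effective_kex(opts, default=DEFAULT_KEX):
    """Apply a KexAlgorithms value ('+' appends, '-' removes) to the defaults."""
    spec = opts.get("kexalgorithms")
    if spec is None:
        return default
    algos = default.split(",")
    if spec.startswith("+"):
        for name in spec[1:].split(","):
            if name not in algos:
                algos.append(name)
    elif spec.startswith("-"):
        removed = set(spec[1:].split(","))
        algos = [a for a in algos if a not in removed]
    else:
        algos = spec.split(",")
    return ",".join(algos)


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        kex = effective_kex(resolve(cfg, "10.10.3.5"))
        print(f"{label:6} 10.10.3.5 legacy kex enabled: {LEGACY_KEX in kex}")
    print("fixed  other host legacy kex enabled:",
          LEGACY_KEX in effective_kex(resolve(FIXED_CONFIG, "other.example")))
```

Against a real OpenSSH the same check is the `ssh -G` command already used above: `ssh -G 10.10.3.5 | grep -i kex` must list diffie-hellman-group1-sha1 at the end for the device and must not list it for any other host.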

* Re: problem with ~/.ssh/config ?
  2015-09-16  0:45 ` John Hein
@ 2015-09-16  1:14   ` Lee
  0 siblings, 0 replies; 3+ messages in thread
From: Lee @ 2015-09-16  1:14 UTC (permalink / raw)
  To: cygwin

On 9/15/15, John Hein <3fbmqnhaz4@snkmail.com> wrote:
> Lee wrote at 17:59 -0400 on Sep 15, 2015:
>  > OpenSSH 7.0 defaults to no support for diffie-hellman-group1-sha1 key
>  > exchange which is a problem with certain devices:
>  >
>  > $ ssh  10.10.3.5
>  > Unable to negotiate with 10.10.3.5: no matching key exchange method
>  > found. Their offer: diffie-hellman-group1-sha1
>  >
>  > http://www.openssh.com/legacy.html  has two work-arounds:
>  > 1. add "-oKexAlgorithms=+diffie-hellman-group1-sha1" to the ssh
>  > command -- which works for me
>  > 2. add "Host * KexAlgorithms +diffie-hellman-group1-sha1" to
>  > ~/.ssh/config -- which does not work for me
>  >
>  > What's the trick for getting the KexAlgorithms param in ~/.ssh/config to
> work?
>  >
>  > $ cat ~/.ssh/config
>  > Host  *  KexAlgorithms +diffie-hellman-group1-sha1
>   .
> The trick is a newline.  Host entry on one line, config settings
> on lines below it.

yup - that was it.  Thank you!!

Lee


