From mboxrd@z Thu Jan 1 00:00:00 1970
Reply-To: cygwin@cygwin.com
Subject: Re: latest openssh can not connect to older server
To: cygwin@cygwin.com
References: <81bb8ed0-e552-fa06-70c6-c587fa3e9b5c@towo.net>
From: Brian Inglis
Organization: Systematic Software
Date: Mon, 20 Apr 2020 08:54:03 -0600
In-Reply-To: <81bb8ed0-e552-fa06-70c6-c587fa3e9b5c@towo.net>
List-Id: General Cygwin discussions and problem reports

On 2020-04-20 04:11, Thomas Wolff wrote:
> On 19.04.2020 at 14:31, Sharuzzaman Ahmat Raslan via Cygwin wrote:
>> On Sun, 19 Apr 2020, 8:13 pm David Balažic via Cygwin, wrote:
>>> I tried to back up some files from my server with scp and failed:
>>> $ scp  -v  root@the.server:/root/a.file  .
>>> Executing: program /usr/bin/ssh host the.server, user root, command
>>> scp -v -f /root/a.file
>>> OpenSSH_8.2p1, OpenSSL 1.1.1f  31 Mar 2020
>>> debug1: Connecting to the.server [192.168.1.11] port 22.
>>> debug1: Connection established.
>>> debug1: identity file /home/stein/.ssh/id_rsa type -1
>>> debug1: identity file /home/stein/.ssh/id_rsa-cert type -1
>>> debug1: identity file /home/stein/.ssh/id_dsa type -1
>>> debug1: identity file /home/stein/.ssh/id_dsa-cert type -1
>>> debug1: identity file /home/stein/.ssh/id_ecdsa type -1
>>> debug1: identity file /home/stein/.ssh/id_ecdsa-cert type -1
>>> debug1: identity file /home/stein/.ssh/id_ecdsa_sk type -1
>>> debug1: identity file /home/stein/.ssh/id_ecdsa_sk-cert type -1
>>> debug1: identity file /home/stein/.ssh/id_ed25519 type -1
>>> debug1: identity file /home/stein/.ssh/id_ed25519-cert type -1
>>> debug1: identity file /home/stein/.ssh/id_ed25519_sk type -1
>>> debug1: identity file /home/stein/.ssh/id_ed25519_sk-cert type -1
>>> debug1: identity file /home/stein/.ssh/id_xmss type -1
>>> debug1: identity file /home/stein/.ssh/id_xmss-cert type -1
>>> debug1: Local version string SSH-2.0-OpenSSH_8.2
>>> debug1: Remote protocol version 2.0, remote software version
>>> dropbear_2011.54
>>> debug1: no match: dropbear_2011.54
>>> debug1: Authenticating to the.server:22 as 'root'
>>> debug1: SSH2_MSG_KEXINIT sent
>>> debug1: SSH2_MSG_KEXINIT received
>>> debug1: kex: algorithm: (no match)
>>> Unable to negotiate with 192.168.1.11 port 22: no matching key
>>> exchange method found. Their offer:
>>> diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
>>> I tried OpenSSH_8.0p1-2 which is still available in the cygwin
>>> setup-x86_64.exe wizard and that version works fine.
>>> (the version above is 8.2.p1-1 in the setup wizard)
>> New OpenSSH client will not connect to server that use SHA1.
>> Please refer to this: https://www.openssh.com/legacy.html
>> You should configure your old server to use more modern cipher
> This isn't always a feasible approach. I access a WD MybookLive NAS storage
> via ssh. It still works with current openssh (8.2) but I wouldn't know how to
> find out the methods supported by my server and wouldn't like to risk the
> adventure to upgrade such a device. Therefore I'd suggest to configure in
> "legacy" methods in the cygwin openssh package as mentioned under the link
> above, to avoid such trouble.

Many corps maintain legacy applications on legacy systems using legacy devices,
and not everyone can afford (especially nowadays) the money or the effort or the
expertise, nor should they ever be forced (remember freedom) to upgrade legacy
devices, systems, or applications, as the vendor and/or code may be long gone.

When browsers and security libraries decided to incompatibly totally drop all
support for legacy SSL, rather than make continued use configurable on a per
site basis, I had to quickly reconfigure my recently purchased (and still CVE
free) router to downgrade from HTTPS to HTTP local port access to be able to
continue having access to it. I could perhaps have tried to keep a legacy copy
of some browser around, but parallel releases are unsupported, and package
upgrades try hard to ensure old releases are eliminated.

[ToWo: From WD support, your NAS is EoL and unsupported, and the forums indicate
you may have a bigger problem (soon?) as Windows appears to be dropping support
for SMB1 required to access your NAS. For OpenSSH, your best approach may be to
get sources for it and its library dependencies, and ensure that you can build
them with cygport, so if all support is dropped from OpenSSH as I would expect,
you still have access. The advantage of freedom!]

--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
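
Added example, not part of the message above or of the Cygwin openssh package: the legacy page linked in the thread describes re-enabling an old method with `KexAlgorithms +name`, and this script reads the server's offer out of the failure output and emits that setting scoped to a single host, choosing group14 over group1 when both are offered. The function names and the preference order are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): build a per-host ssh_config stanza
# from the "Their offer:" list in a failed key-exchange negotiation.

# Legacy KEX names in this example's preference order (an assumption);
# the 1024-bit group1 method is the last resort.
LEGACY_PREF="diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group1-sha1"

# extract_offer: read `ssh -v` output (optionally mail-quoted with ">")
# on stdin and print the comma-separated KEX offer from the server.
extract_offer() {
    tr -d '\r' | awk '
        { sub(/^[> ]+/, "") }                 # drop mail quote markers
        /Their offer:/ {
            sub(/.*Their offer:[ \t]*/, "")
            if ($0 != "") { print $1; exit }  # list on the same line
            want = 1; next                    # list wrapped to next line
        }
        want && NF { print $1; exit }'
}

# pick_kex OFFER: print the first LEGACY_PREF entry present in OFFER.
# Matching on ",name," keeps group1 from matching inside group14.
pick_kex() {
    for alg in $LEGACY_PREF; do
        case ",$1," in
            *",$alg,"*) printf '%s\n' "$alg"; return 0 ;;
        esac
    done
    return 1
}

# host_stanza HOST OFFER: print a block that relaxes KEX for HOST only.
host_stanza() {
    kex=$(pick_kex "$2") || { echo "no legacy KEX in offer: $2" >&2; return 1; }
    printf 'Host %s\n    KexAlgorithms +%s\n' "$1" "$kex"
}

# Constructed sample input: the failure message quoted in the thread.
SAMPLE='debug1: kex: algorithm: (no match)
Unable to negotiate with 192.168.1.11 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1'

sample_stanza() {
    host_stanza the.server "$(printf '%s\n' "$SAMPLE" | extract_offer)"
}

sample_stanza   # prints the stanza to append to ~/.ssh/config
```

After appending the stanza, `ssh -G the.server` shows the effective `kexalgorithms` for that host, and `ssh -Q kex` lists what the installed client can still speak at all.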