On 2021-11-07 16:58, Nick Popoff wrote:
Now I Am having severe problem with 'ssh'. A simple login command like:
Ssh n...@....com <mailto:n...@....com>
Results in the following response:
C:/cygwin64/home/Nick> ssh host.com
Unable to negotiate with <IP> port 22: no matching key exchange method
found. Their offer:
gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,
diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
This is a fresh install of Cygwin on a clean Windows 11. I went back to 3.2
for now as I cannot work with 3.3.1. > In other words, the 3.3.1 ssh.exe does
not accept legacy kex
algorithms at all, no matter what. I no longer can log in to
Solaris. For example, it DOES NOT accept the following: > ssh.exe -o KexAlgorithms=+diffie-hellman-group14-sha1 n...@host.com>
Unable to negotiate with 50.248.140.9 port 22: no matching host key
type found. Their offer: ssh-rsa,ssh-dss > Version 3.2 had no problem with legacy algorithms. Can somebody
explain as
to what is going on here. Is it a bug? Or a deliberate break of
compatibility?
Cygwin release has little to do with the independent package releases,
in your case openssh which contains the ssh utilities.
Which platform and releases of SSH and SSL are you running in your PATH:
$ which -a ssh
/usr/bin/ssh
/cygdrive/c/WINDOWS/System32/OpenSSH/ssh
$ ssh -V # You may well be running Cygwin OpenSSL 1.1.1l
OpenSSH_8.8p1, OpenSSL 1.1.1k 25 Mar 2021
$ /cygdrive/c/WINDOWS/System32/OpenSSH/ssh -V
OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2
If you are running Cygwin OpenSSH 8.2 or later, the announcement last
year warns that all certain algorithms are now disabled by default, and
how they may be re-enabled until other systems get upgraded:
https://cygwin.com/pipermail/cygwin-announce/2020-February/009407.html
"openssh 8.2p1-1
...
Potentially-incompatible changes
================================
This release includes a number of changes that may affect existing
configurations:
* ssh(1), sshd(8): the above removal of "ssh-rsa" from the accepted
CASignatureAlgorithms list.
* ssh(1), sshd(8): this release removes diffie-hellman-group14-sha1
from the default key exchange proposal for both the client and
server.
* ssh-keygen(1): the command-line options related to the generation
and screening of safe prime numbers used by the
diffie-hellman-group-exchange-* key exchange algorithms have
changed. Most options have been folded under the -O flag.
..."
The more recent OpenSSH 8.8 announcement disables RSA signatures using
SHA1 algorithms but has an example showing how you may re-enable
deprecated algorithms for specific hosts:
https://cygwin.com/pipermail/cygwin-announce/2021-October/010257.html
"openssh 8.8p1-1
...
Potentially-incompatible changes
================================
This release disables RSA signatures using the SHA-1 hash algorithm
by default. This change has been made as the SHA-1 hash algorithm is
cryptographically broken, and it is possible to create chosen-prefix
hash collisions for <USD$50K
...
~/.ssh/config
...
Host old-host
HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
..."
so for your legacy host you may also wish to add entries like:
Host solaris-host.com
HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
KexAlgorithms +diffie-hellman-group14-sha1
Each OpenSSH announcement also includes the section:
"...
Future deprecation notice
=========================
..."
which should be read by everyone using ssh for any purpose.
Of note is that scp will be upgraded to use SFTP in future instead of
the legacy protocol.
--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in binary units and prefixes, physical quantities in SI.]
--
Problem reports: https://cygwin.com/problems.html
FAQ: https://cygwin.com/faq/
Documentation: https://cygwin.com/docs.html
Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
