On 2025-01-11, Vagrant Cascadian wrote:
> On 2025-01-11, Vagrant Cascadian wrote:
>> On 2023-04-06, John Scott wrote:
>>> It seems bugs #998728, 1008573, and #1032907 are all the same. Perhaps
>>> the maintainers would like to merge them.
>>>
>>> Thanks for your workaround, Vagrant; I found that adding
>>>   KexAlgorithms -sntrup761x25519-sha...@openssh.com
>>> to my ~/.ssh/config allows me to connect to a Bookworm machine, from
>>> Bookworm, and also to hosts running a newer OpenSSH daemon.
>>
>> With the recent update of openssh in bookworm (1:9.2p1-2+deb12u4) this
>> no longer seems a sufficient workaround; I can no longer ssh in to
>> machines running this version of openssh.
>>
>> My hunch is the problem was introduced in a new and exciting way with:
>>
>>   https://bugs.debian.org/1088873
>>   openssh: please add sntrup761x25519-sha512 as an alias to
>>   sntrup761x25519-sha...@openssh.com in 9.2/Bookworm
>>
>> Specifying both in ~/.ssh/config does not work around the issue for me:
>>
>>   KexAlgorithms -sntrup761x25519-sha...@openssh.com,-sntrup761x25519-sha512
>
> I just confirmed that downgrading to openssh-server 1:9.2p1-2+deb12u3
> does work again on at least one machine.

Ok, through trial and error, looping through all the algorithms:

  bad  diffie-hellman-group1-sha1
  bad  diffie-hellman-group14-sha1
  good diffie-hellman-group14-sha256
  bad  diffie-hellman-group16-sha512
  bad  diffie-hellman-group18-sha512
  bad  diffie-hellman-group-exchange-sha1
  good diffie-hellman-group-exchange-sha256
  good ecdh-sha2-nistp256
  good ecdh-sha2-nistp384
  bad  ecdh-sha2-nistp521
  good curve25519-sha256
  good curve25519-sha...@libssh.org
  bad  sntrup761x25519-sha512
  bad  sntrup761x25519-sha...@openssh.com

The sha1 ones were not supported on the server side, so no surprise
there.

Looks like all the nistp384 and sha512 all fail.

At least that leaves me with a viable workaround again...

live well,
  vagrant
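A loop like the one described in the message above, as an added example that is not part of the original email: it makes one connection attempt per KexAlgorithms value and labels each algorithm good or bad. The `SSH` override variable and the function names are assumptions of this example, and it assumes non-interactive (key or agent) authentication to the host works, so a failure means the connection did not complete with that algorithm.

```shell
#!/bin/sh
# Added example (not from the original message): probe which key-exchange
# algorithms let a connection to HOST complete.
# SSH is an override hook invented for this example so the loop can be
# exercised with a stub; by default the real ssh client is used.
SSH="${SSH:-ssh}"

# probe_kex HOST ALG -> prints "good ALG" or "bad ALG".
# Restricts the client to exactly one algorithm and runs the remote command
# `true`. BatchMode prevents password prompts; ConnectTimeout bounds stalls.
probe_kex() {
    host=$1 alg=$2
    if "$SSH" -o BatchMode=yes -o ConnectTimeout=10 \
              -o KexAlgorithms="$alg" "$host" true >/dev/null 2>&1; then
        echo "good $alg"
    else
        echo "bad $alg"
    fi
}

# probe_all HOST [ALG...] -> one result line per algorithm.
# With no ALG arguments, every algorithm the local client knows is tried
# (`ssh -Q kex` lists them, one name per line).
probe_all() {
    host=$1; shift
    [ $# -gt 0 ] || set -- $("$SSH" -Q kex)
    for alg in "$@"; do
        probe_kex "$host" "$alg"
    done
}

# working_kex HOST [ALG...] -> comma-separated list of the "good" algorithms,
# in the form a KexAlgorithms line in ~/.ssh/config expects.
working_kex() {
    probe_all "$@" |
        awk '$1 == "good" { printf "%s%s", sep, $2; sep = "," } END { print "" }'
}

# Stand-alone use: sh probe-kex.sh HOST [ALG...]
[ $# -eq 0 ] || probe_all "$@"
```

Algorithms the server does not offer also show up as bad, so compare the result with the server's own list before treating a bad line as the bug.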