Re: Haven't seen this ssh output before
Harry Putnam <reader@newsguy.com> writes:
> I'm not at all clear on how one would go about making an adjustment in
> sshd_config to allow the algs used by my REMOTE-sol to be recognized.
>
> REMOTE-sol does not appear to be using OpenSSH .. maybe a solaris
> version of SSH.
>
> In light of the comments above; if you have any more info on this and
> have the time... please post.

I managed to get a bit of a solution after careful study of the error
output and man sshd_config (largely from being guided by your post).

It shows the default kex algorithms and the possible kex alg.

I thought of just adding one that matched the list of my client's
available choices to sshd_config on REMOTE-deb like so:

KexAlgorithms diffie-hellman-group-exchange-sha1

Then restart sshd.

That works, but I was afraid that might mean the defaults would be
dropped and only `diffie-hellman-group-exchange-sha1' would be
offered. I was afraid that might cause failure on some other hosts.

It was not clear to me from `man sshd_config' just how exactly to do
this.

I finally opted for listing all the defaults +
diffie-hellman-group-exchange-sha1

Like this (in REMOTE-deb /etc/ssh/sshd_config):

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1

That also works.

Now, since debian chose to follow the new upstream sshd defaults and
limits due to `UNSAFE' alg. I'm wondering if by adding one of those
discarded algs back in there... I may be creating a security hole.

The REMOTE-deb host is exposed to ssh via the internet... not just
through the lan.

Any opinions on what I may have created?
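
What the two sshd_config variants in this message end up offering, as an added example that is not part of the original post: it computes the effective KEX list for each variant and flags the SHA-1 based entries. The default list is taken from the message as quoted, the function names are illustrative, and the `+` form is the append syntax of OpenSSH 7.0 and later, which goes beyond what the message tried.

```python
# Added example, not from the original post. Function names are illustrative.
# Default KEX list exactly as quoted in the message (an assumption about that host).
DEFAULTS_FROM_POST = (
    "curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,"
    "ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,"
    "diffie-hellman-group14-sha1"
).split(",")


def effective_kex(config_text, defaults=DEFAULTS_FROM_POST):
    """Return the KEX algorithms sshd would offer for this sshd_config text."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) < 2 or parts[0].lower() != "kexalgorithms":
            continue
        value = parts[1].strip()
        # sshd uses the first value it obtains for a keyword, so stop here.
        if value.startswith("+"):
            # OpenSSH 7.0 and later: '+' appends to the defaults.
            extra = value[1:].split(",")
            return list(defaults) + [a for a in extra if a not in defaults]
        # A plain list replaces the defaults entirely.
        return value.split(",")
    return list(defaults)


def audit(config_text, defaults=DEFAULTS_FROM_POST):
    """Summarise what a config offers, what it drops, and what uses SHA-1."""
    offered = effective_kex(config_text, defaults)
    return {
        "offered": offered,
        "dropped_defaults": [a for a in defaults if a not in offered],
        "sha1": [a for a in offered if a.endswith("-sha1")],
    }


if __name__ == "__main__":
    samples = {  # constructed from the lines shown in the message
        "single": "KexAlgorithms diffie-hellman-group-exchange-sha1\n",
        "full list": "KexAlgorithms " + ",".join(
            DEFAULTS_FROM_POST + ["diffie-hellman-group-exchange-sha1"]) + "\n",
        "plus (7.0+)": "KexAlgorithms +diffie-hellman-group-exchange-sha1\n",
    }
    for name, text in samples.items():
        print(name, audit(text))
```

On the server itself, `sshd -T` prints the effective configuration, including its `kexalgorithms` line, which can be compared against this result.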