Re: Haven't seen this ssh output before
On 27.11.2014 00:04, Harry Putnam wrote:
Harry Putnam <email@example.com> writes:
I'm not at all clear on how one would go about making an adjustment
sshd_config to allow the algs used by my REMOTE-sol to be
REMOTE-sol does not appear to be using OpenSSH .. maybe a solaris
version of SSH.
In light of the comments above; if you have any more info on this
have the time... please post.
I managed to get a bit of a solution after careful study of the error
output and man sshd_config (Largely from being guided by your post)
It shows the default kex algorithms and the possible kex alg.
I thought of just adding one that matched the list of my clients
available choices to sshd_config on REMOTE-deb like so:
Then restart sshd.
That works, but I was afraid that might mean the defaults would be
dropped and only `diffie-hellman-group-exchange-sha1' would be
offered. I was afraid that might cause failure on some other hosts.
Thanks for sharing the solution, one might need it someday, especially
considering the fact you are using the future Debian stable.
Any opinions on what I may have created?
I'm not a security guy (not even a sysadmin, just a dev, but I am
feeling concerned with security of computers anyway...), not that I do
not want to learn about it, but it's a very complex thing. But, since
you seem to be afraid of security holes, I would like to point to a
package I have discovered recently (in a search about NetBSD good
points, the author was saying that a tool listing CVEs of packages you
are trying to install was lacking on other systems, and made an edit
because someone gave him this tool's name for Debian): debsecan.
This is a tool which lists CVEs (Common Vulnerabilities and Exposures)
that the packages you installed contain.
I think you might get some hints if you make a diff between the old
(you said you have un-upgraded systems) and the new (the system which
gave you problems) systems.
Now, I can't find any CVE with it on (one of) my computers, which has
only OpenSSH's client installed, so it might not help you.
Security is a really complex thing, that I do not understand a lot so
the problem might not be caused by any CVE of OpenSSH itself, but,
AFAIK, OpenSSH is using libssl, which is, according to aptitude: "a part
of openSSL's implementation for SSL", and with this command:
$ debsecan |grep ssl -i
I have 2 CVEs (no idea if they apply to you btw):
CVE-2014-3566 libssl1.0.0 (remotely exploitable, medium urgency)
CVE-2014-3566 openssl (remotely exploitable, medium urgency)
Maybe your updated machine has fixed one of them?
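
The comparison suggested above (diffing debsecan output between the old and the new system), as an added example that is not part of the original message. It assumes each host's report was saved with `debsecan > file`; the file names and the `CVE-0000-*` entries are constructed placeholders.

```shell
#!/bin/sh
# Compare two saved debsecan reports and show which CVE/package pairs
# appear on only one host. Assumed workflow: `debsecan > host.txt` per host.

# Reduce a report to sorted, unique "CVE-ID package" pairs, dropping the
# trailing "(remotely exploitable, ...)" annotation and any non-CVE lines.
normalize() {
    awk '$1 ~ /^CVE-[0-9]+-[0-9]+$/ && NF >= 2 { print $1, $2 }' "$1" |
        LC_ALL=C sort -u
}

# debsecan_diff OLD NEW [PATTERN]
# Prints "only-old CVE pkg" / "only-new CVE pkg" lines. PATTERN is an
# optional case-insensitive filter on the package name (e.g. ssl).
debsecan_diff() {
    old=$1 new=$2 pat=${3:-.}
    tmp=$(mktemp -d) || return 1
    normalize "$old" > "$tmp/old"
    normalize "$new" > "$tmp/new"
    {
        LC_ALL=C comm -23 "$tmp/old" "$tmp/new" | sed 's/^/only-old /'
        LC_ALL=C comm -13 "$tmp/old" "$tmp/new" | sed 's/^/only-new /'
    } | awk -v pat="$pat" 'tolower($3) ~ tolower(pat)'
    rm -rf "$tmp"
}

# Constructed sample reports in the output format quoted in the message.
make_samples() {
    cat > "$1/old.txt" <<'EOF'
CVE-2014-3566 libssl1.0.0 (remotely exploitable, medium urgency)
CVE-2014-3566 openssl (remotely exploitable, medium urgency)
CVE-0000-0001 example-pkg (low urgency)
EOF
    cat > "$1/new.txt" <<'EOF'
CVE-0000-0001 example-pkg (low urgency)
CVE-0000-0002 other-pkg (remotely exploitable, high urgency)
EOF
}

# Demo: entries mentioning "ssl" that differ between the two sample hosts.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
debsecan_diff "$demo_dir/old.txt" "$demo_dir/new.txt" ssl
rm -rf "$demo_dir"
```

An `only-old` line means the entry is reported on the old host but no longer on the new one.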