| Message-ID: | <846d44e8-6b8d-456e-aab2-86d81eb1d323@SystematicSw.ab.ca> |
| Date: | Sun, 7 Nov 2021 22:04:40 -0700 |
| Subject: | Re: Problem with OpenSSH |
| To: | cygwin AT cygwin DOT com |
| References: | <004701d7d433$5f9415c0$1ebc4140$@nickpopoff.net> |
| From: | Brian Inglis <Brian DOT Inglis AT SystematicSw DOT ab DOT ca> |
| Organization: | Systematic Software |
| In-Reply-To: | <004701d7d433$5f9415c0$1ebc4140$@nickpopoff.net> |
On 2021-11-07 16:58, Nick Popoff wrote:
> Now I am having severe problem with 'ssh'. A simple login command like:
> ssh nick AT DOT DOT DOT DOT com
> Results in the following response:
> C:/cygwin64/home/Nick> ssh host.com
> Unable to negotiate with <IP> port 22: no matching key exchange method
> found. Their offer:
> gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,
> diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> This is a fresh install of Cygwin on a clean Windows 11. I went back to 3.2
> for now as I cannot work with 3.3.1.
> In other words, the 3.3.1 ssh.exe does not accept legacy kex
> algorithms at all, no matter what. I no longer can log in to
> Solaris. For example, it DOES NOT accept the following:
> ssh.exe -o KexAlgorithms=+diffie-hellman-group14-sha1 nick AT host DOT com
> Unable to negotiate with 50.248.140.9 port 22: no matching host key
> type found. Their offer: ssh-rsa,ssh-dss
> Version 3.2 had no problem with legacy algorithms. Can somebody
> explain as to what is going on here. Is it a bug? Or a deliberate break of
> compatibility?
Cygwin release has little to do with the independent package releases,
in your case openssh which contains the ssh utilities.
Which platform and releases of SSH and SSL are you running in your PATH:
$ which -a ssh
/usr/bin/ssh
/cygdrive/c/WINDOWS/System32/OpenSSH/ssh
$ ssh -V # You may well be running Cygwin OpenSSL 1.1.1l
OpenSSH_8.8p1, OpenSSL 1.1.1k 25 Mar 2021
$ /cygdrive/c/WINDOWS/System32/OpenSSH/ssh -V
OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2
If you are running Cygwin OpenSSH 8.2 or later, the announcement last
year warns that certain algorithms are now disabled by default, and
how they may be re-enabled until other systems get upgraded:
https://cygwin.com/pipermail/cygwin-announce/2020-February/009407.html
"openssh 8.2p1-1
...
Potentially-incompatible changes
================================
This release includes a number of changes that may affect existing
configurations:
* ssh(1), sshd(8): the above removal of "ssh-rsa" from the accepted
CASignatureAlgorithms list.
* ssh(1), sshd(8): this release removes diffie-hellman-group14-sha1
from the default key exchange proposal for both the client and
server.
* ssh-keygen(1): the command-line options related to the generation
and screening of safe prime numbers used by the
diffie-hellman-group-exchange-* key exchange algorithms have
changed. Most options have been folded under the -O flag.
..."
The more recent OpenSSH 8.8 announcement disables RSA signatures using
SHA1 algorithms but has an example showing how you may re-enable
deprecated algorithms for specific hosts:
https://cygwin.com/pipermail/cygwin-announce/2021-October/010257.html
"openssh 8.8p1-1
...
Potentially-incompatible changes
================================
This release disables RSA signatures using the SHA-1 hash algorithm
by default. This change has been made as the SHA-1 hash algorithm is
cryptographically broken, and it is possible to create chosen-prefix
hash collisions for <USD$50K
...
~/.ssh/config
...
Host old-host
HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
..."
so for your legacy host you may also wish to add entries like:
Host solaris-host.com
HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
KexAlgorithms +diffie-hellman-group14-sha1
Each OpenSSH announcement also includes the section:
"...
Future deprecation notice
=========================
..."
which should be read by everyone using ssh for any purpose.
Of note is that scp will be upgraded to use SFTP in future instead of
the legacy protocol.
--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in binary units and prefixes, physical quantities in SI.]
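As an added example (not code from the mail above or from OpenSSH), this script turns the "no matching ... Their offer:" errors quoted in the thread into the narrowest per-host ~/.ssh/config stanza, so a legacy algorithm is re-enabled for that one host instead of globally. The error text, IP and host name "solaris-host.example" are constructed; the negotiation class strings are the ones OpenSSH prints in those errors.

```shell
#!/bin/sh
# Added example (not from the original mail or from OpenSSH): turn an
# "Unable to negotiate ... Their offer:" error into the narrowest per-host
# ~/.ssh/config stanza, so a legacy algorithm is re-enabled for one host
# only, never globally.  Error text and host name below are constructed.

# Map the negotiation class OpenSSH names in the error to its keyword.
keyword_for() {
    case "$1" in
        "key exchange method") echo KexAlgorithms ;;
        "host key type")       echo HostkeyAlgorithms ;;
        "cipher")              echo Ciphers ;;
        "MAC")                 echo MACs ;;
        *)                     return 1 ;;
    esac
}

# Strongest legacy option first: never enable group1/GSS or ssh-dss when
# group14-sha1 or ssh-rsa is also on offer.  $1 = keyword, $2 = offer list.
pick_algorithm() {
    case "$1" in
        KexAlgorithms)     prefs="diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group1-sha1" ;;
        HostkeyAlgorithms) prefs="ssh-rsa ssh-dss" ;;
        *)                 prefs="" ;;
    esac
    for alg in $prefs; do
        case ",$2," in *",$alg,"*) echo "$alg"; return 0 ;; esac
    done
    echo "$2" | cut -d, -f1      # no preference known: take the first offered
}

# Build the stanza from the error text (mail-wrapped lines are fine) and a host.
stanza() {
    msg=$(printf '%s' "$1" | tr '\n' ' ' | tr -s ' ')
    class=${msg#*"no matching "}; class=${class%%" found."*}
    offer=${msg##*"Their offer: "}; offer=$(printf '%s' "$offer" | tr -d ' ')
    kw=$(keyword_for "$class") || { echo "unrecognised error: $msg" >&2; return 1; }
    printf 'Host %s\n    %s +%s\n' "$2" "$kw" "$(pick_algorithm "$kw" "$offer")"
}

# Constructed sample, wrapped the way the quoted mail shows it.
ERR='Unable to negotiate with 192.0.2.10 port 22: no matching key exchange method found. Their offer:
gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,
diffie-hellman-group14-sha1,diffie-hellman-group1-sha1'

stanza "$ERR" solaris-host.example
```

Paste the printed stanza into ~/.ssh/config; the "+" form appends to the default list rather than replacing it, which is why the group1 and gss-group1 offers stay disabled.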