Brian Candler
2025-Jun-30 12:34 UTC
Config to have "ssh too-old-host" error out (with chosen message, and sans actual connection attempt)?
On 30/06/2025 13:14, Jochen Bern wrote:
> What I've seen getting *specifically* refused is my local ssh-agent
> signing with the older (and shorter, 4kb) RSA keypair, but that
> doesn't seem to explain *all* the now-failing connections, either

That's a 4096-bit RSA key pair? Can you show the error message?

If it's not fixed by

    PubkeyAcceptedAlgorithms +ssh-rsa
    HostKeyAlgorithms +ssh-rsa

then I don't know what the issue might be.

The other settings I sometimes need to apply for very old network devices are

    KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
    Ciphers +aes256-cbc,3des-cbc

Jochen Bern
2025-Jun-30 12:59 UTC
Config to have "ssh too-old-host" error out (with chosen message, and sans actual connection attempt)?
On 30.06.25 14:34, Brian Candler wrote:
> On 30/06/2025 13:14, Jochen Bern wrote:
>> What I've seen getting *specifically* refused is my local ssh-agent
>> signing with the older (and shorter, 4kb) RSA keypair, but that
>> doesn't seem to explain *all* the now-failing connections, either
>
> That's a 4096-bit RSA key pair? Can you show the error message?
>
> If it's not fixed by
>
>     PubkeyAcceptedAlgorithms +ssh-rsa
>     HostKeyAlgorithms +ssh-rsa
>
> then I don't know what the issue might be.

... it seems that I have to take that statement back, sorry. There was (still is) a combo of error messages

> Authenticating with public key "..." from agent
> Pageant failed to provide a signature

when I run *puTTY* against the OpenSSH ssh-agent loaded with (only) the old RSA key, but temporarily changing a still-working target host to only accept that keypair and then logging in with the *same* ssh-agent and "ssh" works fine ...

(And yes, puTTY can use the *newer* keypair straight out of OpenSSH's agent ... weird ... the privkey's file format should be fully irrelevant at that point, shouldn't it?)

> $ file .ssh/id_binect_*rsa
> .ssh/id_binect_newrsa: OpenSSH private key
> .ssh/id_binect_rsa: PEM RSA private key

Kind regards,
-- 
Jochen Bern
Systemingenieur
Binect GmbH