similar to: [Bug 3184] New: Unable to add deprecated KexAlgorithms back for host via config file

Il giorno gio 22 nov 2018 alle ore 21:24 Stuart Henderson <stu at spacehopper.org> ha scritto: > > On 2018/11/22 19:55, owl700 at gmail.com wrote: > > Hi, I have compatibility issues with the latest version of > > openssh-server and an old dropbear client, the dopbear client stops at > > preauth > > > > ov 22 14:34:03 myhostname sshd[3905]: debug1: Client

> Can this be addressed in ssh_config/sshd_config with the KexAlgorithms setting? weakdh.org/sysadmin.html recommends adding: KexAlgorithms curve25519-sha256 at libssh.org But this thread makes it sound as if it's not necessary. Can anyone confirm? Personally I'm on openssh-6.7. - Grant > You will be aware of https://weakdh.org/ by now, I presume; the take-home seems to be

Hi Kaushal, I maintain a set of SSH hardening guides for various platforms, including RHEL 8. You can find them here: https://ssh-audit.com/hardening_guides.html - Joe -- Joseph S. Testa II Founder & Principal Security Consultant Positron Security On Thu, 2024-01-25 at 18:39 +0530, Kaushal Shriyan wrote: > Hi, > > I am running the below servers on Red Hat Enterprise

Hi, I am running the below servers on Red Hat Enterprise Linux release 8.7 (Ootpa). The details are as follows. # rpm -qa | grep openssh openssh-8.0p1-16.el8.x86_64 openssh-askpass-8.0p1-16.el8.x86_64 openssh-server-8.0p1-16.el8.x86_64 openssh-clients-8.0p1-16.el8.x86_64 # cat /etc/redhat-release Red Hat Enterprise Linux release 8.7 (Ootpa) # How do I enable strong KexAlgorithms, Ciphers and

Hi all, this is a patch to make Ciphers, MACs and KexAlgorithms available in Match blocks. Now I can reach a -current machine with some Android terminal app without changing the default ciphers for all clients: Match Address 192.168.1.2 Ciphers aes128-cbc MACs hmac-sha1 KexAlgorithms diffie-hellman-group-exchange-sha1 Index: servconf.c

Darren Tucker <dtucker at zip.com.au> writes: > On Tue, Nov 8, 2016 at 3:30 PM, Harry Putnam <reader at newsguy.com> wrote: > [...] >> After having 7.3p1 & 6.8p1 fail with same wording... I tried 6.7p1 and >> find it fails with what looks like the same problem but has slightly >> different wording. > > I set up the same versions (server:OpenSSH_6.6p1,

Hi, You will be aware of https://weakdh.org/ by now, I presume; the take-home seems to be that 1024-bit DH primes might well be too weak. I'm wondering what (if anything!) you propose to do about this issue, and what Debian might do for our users? openssh already prefers ECDH, which must reduce the impact somewhat, although the main Windows client (PuTTY) doesn't support ECDH yet. But

Darren Tucker <dtucker at zip.com.au> writes: > On Tue, Nov 8, 2016 at 2:43 PM, Harry Putnam <reader at newsguy.com> wrote: >> Darren Tucker <dtucker at zip.com.au> writes: >> >>> On Tue, Nov 8, 2016 at 1:02 PM, Harry Putnam <reader at newsguy.com> wrote: >>> [...] >>>> gv harry> ssh -vv 2x >>>> >>>>

Trying to connect to a Dell iDRAC 6. The iDRAC reports it is running OpenSSH 5.2. From Fedora Linux 20 with OpenSSH 6.4p1, connections succeed. From Fedora Linux 23 with OpenSSH 7.2p2, connections succeed. From Fedora Linux 27 with OpenSSH 7.6p1, connections fail prior to prompting for a password. The message is, "Received disconnect from (IP address) port 22:11: Logged out." Trying

Hi, I have compatibility issues with the latest version of openssh-server and an old dropbear client, the dopbear client stops at preauth ov 22 14:34:03 myhostname sshd[3905]: debug1: Client protocol version 2.0; client software version dropbear_0.46 Nov 22 14:34:03 myhostname sshd[3905]: debug1: no match: dropbear_0.46 Nov 22 14:34:03 myhostname sshd[3905]: debug1: Local version string

On 25.01.24 14:09, Kaushal Shriyan wrote: > I am running the below servers on Red Hat Enterprise Linux release 8.7 > How do I enable strong KexAlgorithms, Ciphers and MACs On RHEL 8, you need to be aware that there are "crypto policies" modifying sshd's behaviour, and it would likely be the *preferred* method to inject your intended config changes *there* (unless they

After upgrading a Linux system from OpenSSH 6.7 to 6.9, Cisco switches/routers can no longer scp config files to/from the system. The last debug entry before the Cisco device closes the connection is "debug1: server_input_channel_open: confirm session". The next line is "Connection closed by x.x.x.x". Anyone else seen this or know of a fix? The Cisco device gives

I'm not sure if collision resistance is required for DH key derivation, but generally, SHA-1 is on its way out. If it's possible (if there's not a very large percentage of servers that do not support anything newer), it should be disabled.

https://bugzilla.mindrot.org/show_bug.cgi?id=2209 Bug ID: 2209 Summary: Problem logging into Cisco devices under 6.5p1 (kexgexc.c) Product: Portable OpenSSH Version: 6.5p1 Hardware: amd64 OS: FreeBSD Status: NEW Severity: normal Priority: P5 Component: ssh

On 09/20/2015 03:25 AM, Darren Tucker wrote: > I suspect a path mtu problem. The key exchange packet is one of the > first large ones in an SSH connection so it tends to show up such problems. > > Seehttp://www.snailbook.com/faq/mtu-mismatch.auto.html > <http://www.snailbook.com/faq/mtu-mismatch.auto.html> Has this been changed? SSH used to work fine on my old machine. My

https://bugzilla.samba.org/show_bug.cgi?id=11378 Bug ID: 11378 Summary: Please add a '--line-buffered' option to rsync to make logging/output more friendly with pipes/syslog/CI systems/etc. Product: rsync Version: 3.1.1 Hardware: All OS: All Status: NEW

https://bugzilla.mindrot.org/show_bug.cgi?id=2333 Bug ID: 2333 Summary: forbid old Ciphers, KexAlgorithms and MACs by default Product: Portable OpenSSH Version: 6.6p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: Miscellaneous Assignee:

> Portable OpenSSH is also available via [...] Github: https://github.com/openssh/openssh-portable > > Running the regression tests supplied with Portable OpenSSH does not require installation and is a simply: > > $ ./configure && make tests I was going to try this on Kali Linux (latest version), but ran into trouble right away. No "configure" script exists

I do not often use X11 - but when I do I prefer to enable X11forwarding, and when finished - turn it off. This is preferable, imho, to having "clear" X11 processing when local - and otherwise impossible when working remote. Working with openssh-7.5p2 I cannot figure out what (extra) I need to do with sshd_config to get it working. I know that there is a security-fix starting with

https://bugzilla.mindrot.org/show_bug.cgi?id=2725 Bug ID: 2725 Summary: can't login Product: Portable OpenSSH Version: 7.4p1 Hardware: 68k OS: Mac OS X Status: NEW Severity: normal Priority: P5 Component: ssh Assignee: unassigned-bugs at mindrot.org Reporter: