Re: New openssh in Rawhide can't connect to RHEL 6 servers
On Sun, Dec 05, 2021 at 08:22:19PM -0500, Nico Kadel-Garcia wrote:
> On Sun, Dec 5, 2021 at 8:15 AM Richard W.M. Jones wrote:
> >
> > openssh 8.8p1 (just released in Rawhide) cannot connect to older
> > servers. The error is:
> >
> > Unable to negotiate with [server] port 22: no matching host key type
> > found. Their offer: ssh-rsa,ssh-dss
> >
> > It seems like the cut-off point is RHEL <= 6 broken, RHEL >= 7 is OK.
>
> RHEL 6 is obsolete for more than the last year: retaining
> compatibility with obsolete distributions of an operating system is
> work that likely no one is pursuing. I used to do that sort of thing,
> but no one is paying me for it right now. That sort of thing used to
> be available at repoforge, but that repo stopped getting updates some
> time ago.

RHEL 6 is still under ELS until 30 June 2024. There's also old
equipment with ssh servers that cannot be upgraded.

Anyway my main concern was that it was hard to find information about
this error or how to fix it, so I'm documenting that.

Rich.

> > I eventually found a workaround/solution to this deep in an Arch
> > thread:
> >
> > https://bbs.archlinux.org/viewtopic.php?pid=2006291#p2006291
> >
> > or the equivalent on the command line:
> >
> > ssh -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa rhel6
>
> So, you can set it up in ~/.ssh/config for specific remote hosts as
> needed?
>
> > Both config options seem to be necessary.
> >
> > Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

Re: New openssh in Rawhide can't connect to RHEL 6 servers
On Sun, Dec 05, 2021 at 07:23:50PM -0800, Gordon Messmer wrote:
> On 12/5/21 05:15, Richard W.M. Jones wrote:
> >openssh 8.8p1 (just released in Rawhide) cannot connect to older
> >servers.
> ...
> >or the equivalent on the command line:
> > ssh -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa rhel6
>
> That's also documented in the release notes for 8.8, under
> "Potentially-incompatible changes":
>
> https://www.openssh.com/txt/release-8.8
>
> Though I'm surprised that's new; I'd have thought it would have
> stopped working in Fedora 33 with
> https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2
>
> The change proposal says that Fedora disabled SHA-1 hashes, which
> seems like the same change that's documented in OpenSSH 8.8. Had
> this host opted out of the Fedora strong crypto policy?

"host" == client? No:

$ update-crypto-policies --show
DEFAULT

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine. Supports Linux and Windows.
http://people.redhat.com/~rjones/virt-df/

Re: New openssh in Rawhide can't connect to RHEL 6 servers
On 12/5/21 05:15, Richard W.M. Jones wrote:
> openssh 8.8p1 (just released in Rawhide) cannot connect to older
> servers.
...
> or the equivalent on the command line:
> ssh -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa rhel6

That's also documented in the release notes for 8.8, under
"Potentially-incompatible changes":

https://www.openssh.com/txt/release-8.8

Though I'm surprised that's new; I'd have thought it would have
stopped working in Fedora 33 with
https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2

The change proposal says that Fedora disabled SHA-1 hashes, which
seems like the same change that's documented in OpenSSH 8.8. Had
this host opted out of the Fedora strong crypto policy?

Re: New openssh in Rawhide can't connect to RHEL 6 servers
On 12/5/21, Richard W.M. Jones wrote:
> openssh 8.8p1 (just released in Rawhide) cannot connect to older
> servers. The error is:
>
> Unable to negotiate with [server] port 22: no matching host key type
> found. Their offer: ssh-rsa,ssh-dss
>
> It seems like the cut-off point is RHEL <= 6 broken, RHEL >= 7 is OK.
>
> I eventually found a workaround/solution to this deep in an Arch
> thread:
>
> https://bbs.archlinux.org/viewtopic.php?pid=2006291#p2006291
>
> or the equivalent on the command line:
>
> ssh -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa rhel6
>
> Both config options seem to be necessary.

Thank you for concisely documenting the problem and workaround.

Re: New openssh in Rawhide can't connect to RHEL 6 servers
On Sun, Dec 5, 2021 at 8:15 AM Richard W.M. Jones wrote:
>
> openssh 8.8p1 (just released in Rawhide) cannot connect to older
> servers. The error is:
>
> Unable to negotiate with [server] port 22: no matching host key type found.
> Their offer: ssh-rsa,ssh-dss
>
> It seems like the cut-off point is RHEL <= 6 broken, RHEL >= 7 is OK.

RHEL 6 is obsolete for more than the last year: retaining
compatibility with obsolete distributions of an operating system is
work that likely no one is pursuing. I used to do that sort of thing,
but no one is paying me for it right now. That sort of thing used to
be available at repoforge, but that repo stopped getting updates some
time ago.

> I eventually found a workaround/solution to this deep in an Arch
> thread:
>
> https://bbs.archlinux.org/viewtopic.php?pid=2006291#p2006291
>
> or the equivalent on the command line:
>
> ssh -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa rhel6

So, you can set it up in ~/.ssh/config for specific remote hosts as
needed?

> Both config options seem to be necessary.
>
> Rich.
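
The question above is whether the override can live in ~/.ssh/config for specific hosts. As an added example (not part of the thread), here is a constructed config with a host-scoped stanza for `rhel6`, plus a check that lists any `ssh-rsa` override left in global or wildcard scope. The names `oldswitch` and `*.example.com` are hypothetical.

```shell
#!/bin/sh
# Added example: list ssh_config lines that re-enable ssh-rsa outside a
# Host block naming specific hosts.

# Constructed sample. "rhel6" is the alias used in the thread; "oldswitch"
# and "*.example.com" are hypothetical.
sample_config() {
cat <<'EOF'
# Applies to every host the client connects to
HostKeyAlgorithms +ssh-rsa

Host rhel6 oldswitch
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa

Host *.example.com
    PubkeyAcceptedAlgorithms=+ssh-rsa

Host *
    ServerAliveInterval 60
EOF
}

# Reads an ssh_config on stdin, prints LINE:SCOPE:DIRECTIVE for each override.
# Scope is "global" before the first Host/Match line. A Host pattern with
# * or ? counts as broad; Match blocks are not evaluated and are
# conservatively treated as broad.
broad_ssh_rsa_overrides() {
    awk '
    BEGIN { scope = "global"; broad = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        n = match(line, /[ \t=]/)   # keyword ends at whitespace or "="
        if (n == 0) next
        key = tolower(substr(line, 1, n - 1))
        val = substr(line, n)
        sub(/^[ \t]*=?[ \t]*/, "", val)
        if (key == "host")  { scope = "Host " val;  broad = (val ~ /[*?]/); next }
        if (key == "match") { scope = "Match " val; broad = 1; next }
        if (broad && ("," val ",") ~ /[,+^]ssh-rsa,/ &&
            (key == "hostkeyalgorithms" || key == "pubkeyacceptedalgorithms"))
            print NR ":" scope ":" line
    }'
}

sample_config | broad_ssh_rsa_overrides
```

To audit a real client, feed it the file directly, for example `broad_ssh_rsa_overrides < ~/.ssh/config`; the `Host rhel6 oldswitch` stanza is the form that keeps the override limited to the legacy servers.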