What I need to SSH to old hosts on Fedora 37 (and probably later)
Suppose, not entirely hypothetically, that you have an old embedded device that's accessible over SSH (as well as other methods) and you want to SSH into its console to see if you can get more information than it exposes in its web interface. You've done this before, but not for a while, and now when you try it on your Fedora 37 desktop:
; ssh root@dsl-modem
Unable to negotiate with dsl-modem port 22: no matching host key type found. Their offer: ssh-rsa
This is OpenSSH's deprecation of the SHA1-based 'ssh-rsa' signature scheme in action. This particular device is so old that it only supports ssh-rsa (and some obsolete key exchange algorithms and ciphers, which I had already had to re-enable earlier).
So I stuck 'HostKeyAlgorithms +ssh-rsa' in my .ssh/config stanza for this host and tried again, only to get the same error. It turns out that this was incomplete and I also needed to add 'PubkeyAcceptedAlgorithms +ssh-rsa' (despite not doing user public key authentication with this host). At this point I got another error:
; ssh root@dsl-modem
Bad server host key: Invalid key length
This is because Fedora raised the minimum RSA key size to 2048 bits, and this old device also has an old, smaller key (probably 1024 bits, I haven't checked exactly). To set this, you need 'RSAMinSize 1024'.
So, for this particular old device, I need all of the following in my .ssh/config stanza for it:
KexAlgorithms +diffie-hellman-group1-sha1
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
RSAMinSize 1024
Ciphers +3des-cbc
I've listed these options in the order that I would discover that I needed them if I was starting from scratch. First I'd need a key exchange algorithm that both sides supported, then I would need support for ssh-rsa keys, and finally I'd need a cipher that both sides supported. The only mysterious one is the ssh-rsa case, where I don't know why I need two configuration settings to enable this.
(This is the kind of entry I write because I never want to have to work this out again, and maybe if it happens with a different key type I'll remember that I needed to fiddle two options, not just the obvious one.)
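As an added example that is not part of the original post: a small Python check that parses a .ssh/config, reports which of these legacy options are in effect for a given host and which Host pattern supplied each, and flags any that sit in a catch-all stanza, where they would loosen every connection rather than just the one to the old device. The config text and host names are constructed, and the parser deliberately ignores Match blocks and '!' negated patterns.

```python
import fnmatch
# Options the post uses to re-enable deprecated algorithms; see is_weakening().
LEGACY_OPTIONS = {"kexalgorithms", "hostkeyalgorithms",
                  "pubkeyacceptedalgorithms", "rsaminsize", "ciphers"}
# Constructed sample, not a real file: the post's stanza plus a catch-all.
SAMPLE_CONFIG = """\
Host dsl-modem
    KexAlgorithms +diffie-hellman-group1-sha1
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa
    RSAMinSize 1024
    Ciphers +3des-cbc
Host *
    ServerAliveInterval 60
"""

def parse_ssh_config(text):
    """[(host_patterns, {option: value}), ...] in file order; options before the
    first Host line count as 'Host *'. Match blocks and '!' patterns are ignored."""
    stanzas = [(["*"], {})]
    for raw in text.splitlines():
        # Strip comments, accept 'Key value' or 'Key=value', skip blank lines.
        parts = raw.split("#", 1)[0].replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            stanzas.append((value.split(), {}))
        else:
            stanzas[-1][1].setdefault(key, value)   # first one in a stanza wins
    return stanzas
def is_weakening(key, value):
    """'+' appends to the defaults; RSAMinSize below Fedora's 2048 admits small keys."""
    if key == "rsaminsize":
        return value.isdigit() and int(value) < 2048
    return value.startswith("+")
def legacy_settings_for(stanzas, hostname):
    """{option: (value, host_pattern)} for hostname; first matching stanza wins."""
    result = {}
    for patterns, opts in stanzas:
        if any(fnmatch.fnmatchcase(hostname, p) for p in patterns):
            for key, value in opts.items():
                if key in LEGACY_OPTIONS and key not in result and is_weakening(key, value):
                    result[key] = (value, " ".join(patterns))
    return result
def find_global_legacy(stanzas):
    """Weakening options set in a catch-all ('*') stanza, so applied to every host."""
    return sorted(k for pats, opts in stanzas if "*" in pats
                  for k, v in opts.items() if k in LEGACY_OPTIONS and is_weakening(k, v))
```

Run it against the real ~/.ssh/config to confirm that legacy_settings_for("dsl-modem") lists all five options from the stanza above and that find_global_legacy() comes back empty.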