What I need to SSH to old hosts on Fedora 37 (and probably later)

August 17, 2023

Suppose, not entirely hypothetically, that you have an old embedded device that's accessible over SSH (as well as other methods) and you want to SSH into its console to see if you can get more information than it exposes in its web interface. You've done this before, but not for a while, and now when you try it on your Fedora 37 desktop:

; ssh root@dsl-modem
Unable to negotiate with dsl-modem port 22: no matching host key type found. Their offer: ssh-rsa

This is OpenSSH's disabling of the SHA-1 based 'ssh-rsa' signature algorithm (off by default since OpenSSH 8.8) in action. Note that RSA keys themselves are still fine; the rsa-sha2-256 and rsa-sha2-512 signature algorithms over the same RSA keys remain enabled, and what you re-enable with the options below is specifically RSA signatures over SHA-1. This particular device is so old that it only supports ssh-rsa (along with some obsolete key exchange algorithms and ciphers, which I had already had to re-enable earlier).

So I stuck 'HostKeyAlgorithms +ssh-rsa' in my .ssh/config stanza for this host and tried again, only to get the same error. It turned out that this was incomplete: I also needed to add 'PubkeyAcceptedAlgorithms +ssh-rsa' (despite not doing user public key authentication with this host). At this point I got another error:

; ssh root@dsl-modem
Bad server host key: Invalid key length

This is because Fedora raises the minimum RSA key size its OpenSSH will accept to 2048 bits, and this old device has an older, smaller host key (probably 1024 bits; I haven't checked exactly). The client option involved is 'RSAMinSize', which applies both to user authentication keys (smaller ones are ignored) and to server host keys (a smaller one terminates the connection, which is the error above). To lower the floor for this host, you need 'RSAMinSize 1024', which is OpenSSH's own default value.

So, for this particular old device, I need all of the following in my .ssh/config stanza for it (and only in that Host stanza; none of these weakenings should be applied globally):

KexAlgorithms +diffie-hellman-group1-sha1
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
RSAMinSize 1024
Ciphers +3des-cbc

I've listed these options in the order that I would discover that I needed them if I were starting from scratch, because ssh reports only the first algorithm class it fails to agree on. First I'd need a key exchange algorithm that both sides supported, then I would need support for ssh-rsa keys, and finally I'd need a cipher that both sides supported. The only mysterious one is the ssh-rsa case, where I don't know why I need two configuration settings to enable this.
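Because ssh surfaces these mismatches one failed attempt at a time, the discovery loop above is mechanical enough to script. The following is an added example, not code from the original post: a POSIX shell function that maps each of OpenSSH's "Unable to negotiate" and "Bad server host key" messages to the ssh_config directive that re-enables only what the server offered, plus a helper that assembles them into a Host stanza. The message texts are OpenSSH's own; the host alias dsl-modem and the sample error lines are constructed to match this post. Where the server offers several algorithms it takes only the first one, on the principle of enabling the single thing you need rather than the whole offer.

```shell
#!/bin/sh
# Added example, not from the original post: turn the "Unable to negotiate"
# errors that ssh(1) emits, one per failed attempt, into the ssh_config
# directive that re-enables only what the old server offered.  The message
# texts are OpenSSH's own; the sample lines at the bottom are constructed.

# Print the directive(s) that would fix one line of ssh stderr.
# Returns 1 if the line is not a negotiation failure this script knows.
suggest_directive() {
    line=$1
    # Everything after "Their offer: " is the server's comma-separated list,
    # in its preference order.  Take only the first entry: enabling the one
    # algorithm you need is narrower than enabling the whole offer.
    offer=${line##*Their offer: }
    first=${offer%%,*}
    case "$line" in
        *"no matching key exchange method found. Their offer: "*)
            printf 'KexAlgorithms +%s\n' "$first" ;;
        *"no matching host key type found. Their offer: "*)
            # As the post found, ssh-rsa needs both of these directives.
            printf 'HostKeyAlgorithms +%s\n' "$first"
            printf 'PubkeyAcceptedAlgorithms +%s\n' "$first" ;;
        *"no matching cipher found. Their offer: "*)
            printf 'Ciphers +%s\n' "$first" ;;
        *"no matching MAC found. Their offer: "*)
            printf 'MACs +%s\n' "$first" ;;
        *"Bad server host key: Invalid key length"*)
            # Host key smaller than RSAMinSize; 1024 is OpenSSH's own default.
            printf 'RSAMinSize 1024\n' ;;
        *)
            return 1 ;;
    esac
}

# Read ssh stderr lines from stdin and emit a complete Host stanza for the
# alias given as $1, so the weakened settings stay scoped to that one host.
build_stanza() {
    printf 'Host %s\n' "$1"
    while IFS= read -r l; do
        suggest_directive "$l" | sed 's/^/    /'
    done
}

# Constructed sample: the errors this post's dsl-modem produces, in the order
# ssh would surface them, plus the key-length failure.
sample_errors='Unable to negotiate with dsl-modem port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
Unable to negotiate with dsl-modem port 22: no matching host key type found. Their offer: ssh-rsa
Bad server host key: Invalid key length
Unable to negotiate with dsl-modem port 22: no matching cipher found. Their offer: 3des-cbc'

printf '%s\n' "$sample_errors" | build_stanza dsl-modem
```

Run against the constructed sample it prints a Host stanza with exactly the five directives listed above. In real use you would feed it the stderr of `ssh root@dsl-modem 2>&1 >/dev/null`, one attempt per line. Before and after editing, `ssh -G dsl-modem` shows the effective value of every option for that host, and `ssh -Q kex`, `ssh -Q key` and `ssh -Q cipher` list what your client build supports at all.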

(This is the kind of entry I write because I never want to have to work this out again, and maybe if it happens with a different key type I'll remember that I needed to fiddle two options, not just the obvious one.)
