ssh no longer able to connect to older hosts

Fedora 33 implements higher security standards, not only on the server side but also for client connections.

This includes more restrictive rules on accepted Ciphers, Kex (key exchange) algorithms, etc.

Unfortunately, this leads to a situation in which you can no longer connect to older hosts such as CentOS 5 or some switches, for example JunOS 12.

If you start getting SSH errors similar to these:

=================

debug1: send_pubkey_test: no mutual signature algorithm
debug1: kex: algorithm: (no match)
Unable to negotiate with xx.xx.xx.xx port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 

=================

 

What you can do is slightly tune the OpenSSH client requirements.
 
You can put this in your config. As written, this exact config covers all hosts you connect to; if you want it only for specific machines, replace the wildcard '*' with the names or IPs of those machines, separated by spaces.

In file: ~/.ssh/config

Add/Edit the following section

=================
Host *
        KexAlgorithms +diffie-hellman-group1-sha1
        Ciphers +aes256-cbc
        PubkeyAcceptedKeyTypes +ssh-rsa
=================
 
This will probably fix a lot of issues for you. 
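
To scope the change to a single machine instead of the wildcard, the following shell script (an added example, not part of the original post) reads the "Unable to negotiate" line and prints a Host block for that address with one of the offered key exchange methods enabled. The function names, the preference order among the legacy methods, and the 192.0.2.10 sample line are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post: turn ssh's "Unable to negotiate"
# error into a host-scoped stanza that enables one legacy kex method.

# Assumption: preference among the legacy SHA-1 methods, most preferred first
# (group14 is 2048-bit, group1 is 1024-bit).
LEGACY_KEX_PREF="diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group1-sha1"

# pick_kex OFFER: print the most preferred method present in the
# comma-separated OFFER; fail if none of the known legacy methods is offered.
pick_kex() {
    list=",$1,"
    for alg in $LEGACY_KEX_PREF; do
        case "$list" in
            *",$alg,"*) printf '%s\n' "$alg"; return 0 ;;
        esac
    done
    return 1
}

# stanza_from_error LINE: print a Host block for the peer named in LINE.
stanza_from_error() {
    line=$1
    case "$line" in
        "Unable to negotiate with "*"no matching key exchange method found. Their offer: "*) ;;
        *) return 1 ;;   # not the kex negotiation error
    esac
    host=${line#"Unable to negotiate with "}
    host=${host%% *}
    # Reject anything that is not a plain name or address (no wildcards).
    case "$host" in
        ""|*[!A-Za-z0-9.:_-]*) return 1 ;;
    esac
    offer=${line##*"Their offer: "}
    offer=$(printf '%s' "$offer" | tr -d ' \r')
    kex=$(pick_kex "$offer") || return 1
    printf 'Host %s\n        KexAlgorithms +%s\n' "$host" "$kex"
}

# Constructed sample input; 192.0.2.10 is a documentation address.
SAMPLE='Unable to negotiate with 192.0.2.10 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1'

stanza_from_error "$SAMPLE"
```

The printed stanza goes into ~/.ssh/config; the Ciphers and PubkeyAcceptedKeyTypes lines from the section above can be added under the same Host entry if that machine needs them too.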

