There is a connection problem while connecting from Rocky Linux 9.3 (OpenSSH_8.7p1, OpenSSL 3.0.7) to Oracle Linux Server release 6.10 (OpenSSH_5.3p1, OpenSSL 1.0.1e-fip) via ssh.
ssh -v user@x.x.x.x
returns
Unable to negotiate with x.x.x.x port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
I’ve tried creating a .ssh/config file like the one below:
Host x.x.x.x
KexAlgorithms +diffie-hellman-group1-sha1
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
but this time the error was:
ssh_dispatch_run_fatal: Connection to x.x.x.x port 22: error in libcrypto
You need to change the ‘crypto policy’ used by the Rocky 9 system - by default el9 uses the ‘DEFAULT’ policy.
To allow it to connect over ssh to an el6 host (or allow an el6 host to ssh to an el9 host), you need to set the policy to ‘LEGACY’ via:
update-crypto-policies --set LEGACY
The crypto policies are pulled in to ssh via /etc/crypto-policies/back-ends/openssh.config (via /etc/ssh/ssh_config.d/50-redhat.conf)
Note: changing the crypto-policy to LEGACY will potentially change the setting for other apps/services - so you might want to come up with your own policy (or overrides) that just changes the crypto settings for ssh/sshd - don’t change the file /etc/crypto-policies/back-ends/openssh.config directly
i.e. see the update-crypto-policies man page and the docs at:
Both solutions are working.
(update-crypto-policies --set LEGACY
and
update-crypto-policies --set DEFAULT:SHA1)
But, as written in the documentation, they need a reboot and the change applies system-wide. I couldn’t guess the whole effect.
I think --set DEFAULT:SHA1 is better for security reasons.
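To see what a policy change such as the ones discussed above actually enables for ssh, the following added example (not from any of the posts) lists the SHA-1-dependent algorithms present in the generated OpenSSH back-end file. The function names `sha1_algos` and `write_samples` are hypothetical, the sample files are constructed rather than copied from a real system, and the parser assumes the file uses plain `Keyword value` lines in ssh_config style.

```shell
#!/bin/sh
# sha1_algos [FILE]
# Prints "Keyword algorithm" for every SHA-1-dependent algorithm enabled in an
# ssh_config-style file. FILE defaults to the back-end path named in the thread.
sha1_algos() {
    awk '
        /^[ \t]*#/ { next }                       # skip comment lines
        {
            key = tolower($1)
            if (key !~ /^(kexalgorithms|hostkeyalgorithms|pubkeyacceptedalgorithms|pubkeyacceptedkeytypes|casignaturealgorithms|macs)$/) next
            list = $2
            if (list ~ /^-/) next                 # "-list" removes algorithms
            sub(/^[+^]/, "", list)                # "+list" / "^list" add them
            n = split(list, a, ",")
            for (i = 1; i <= n; i++)
                if (a[i] ~ /sha1/ || a[i] ~ /^ssh-(rsa|dss)(-cert-v01@openssh\.com)?$/)
                    print $1, a[i]
        }
    ' "${1:-/etc/crypto-policies/back-ends/openssh.config}"
}

# write_samples DIR
# Constructed sample input: one file without and one with SHA-1 algorithms.
write_samples() {
    cat > "$1/before.config" <<'EOF'
# constructed sample, SHA-1 signatures not offered
KexAlgorithms curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
PubkeyAcceptedAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-256
EOF
    cat > "$1/after.config" <<'EOF'
# constructed sample, SHA-1 algorithms re-enabled
KexAlgorithms curve25519-sha256,diffie-hellman-group14-sha1
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,ssh-rsa
PubkeyAcceptedAlgorithms ssh-ed25519,rsa-sha2-512,ssh-rsa
MACs hmac-sha2-256,hmac-sha1
EOF
}

# Demo on the constructed samples only; no system file is read or changed here.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "before:"; sha1_algos "$demo_dir/before.config"
echo "after:";  sha1_algos "$demo_dir/after.config"
rm -rf "$demo_dir"
```

Running `sha1_algos` with no argument before and after a policy change, and comparing the two outputs, shows which legacy algorithms the change switched on for ssh.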