SSH error while connecting to another server which has an old SSH version

There is a connection problem while connecting from Rocky Linux 9.3 (OpenSSH_8.7p1, OpenSSL 3.0.7) to Oracle Linux Server release 6.10 (OpenSSH_5.3p1, OpenSSL 1.0.1e-fips) via ssh.

```
ssh -v user@x.x.x.x
```

returns

```
Unable to negotiate with x.x.x.x port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
```
I've tried to create a .ssh/config file like below:

```
Host x.x.x.x
    KexAlgorithms +diffie-hellman-group1-sha1
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedKeyTypes +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa
```

but this time the error was:

```
ssh_dispatch_run_fatal: Connection to x.x.x.x port 22: error in libcrypto
```

How can I solve it?

Perhaps simply re-enabling SHA-1 would be enough? See "3.9. Re-enabling SHA-1" in the Red Hat Enterprise Linux 9 documentation (Red Hat Customer Portal).


Does Oracle sell security support for that 6.10?

You need to change the 'crypto policy' used by the Rocky 9 system - by default el9 uses the 'DEFAULT' policy.

To allow it to connect over ssh to an el6 host (or allow an el6 host to ssh to an el9 host), you need to set the policy to ‘LEGACY’ via:

```
update-crypto-policies --set LEGACY
```

The crypto policies are pulled into ssh via /etc/crypto-policies/back-ends/openssh.config (via /etc/ssh/ssh_config.d/50-redhat.conf).

Note: changing the crypto policy to LEGACY will potentially change the settings for other apps/services, so you might want to come up with your own policy (or overrides) that just changes the crypto settings for ssh/sshd. Don't change the file /etc/crypto-policies/back-ends/openssh.config directly.

i.e. see the update-crypto-policies man page and the docs at:

I disagree. DEFAULT + SHA1 should be sufficient.

Both solutions are working:

```
update-crypto-policies --set LEGACY
```

and

```
update-crypto-policies --set DEFAULT:SHA1
```

But, as written in the documents, they need a reboot and this change affects the whole system. I couldn't guess the whole effect.
I think --set DEFAULT:SHA1 is better for security reasons.

A reboot isn't needed for ssh - but if you want el6 to be able to ssh to el9, then just an sshd service restart should do.
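An added example (mine, not from any poster in this thread) that puts the thread's advice in order: the first error is fixable with a per-host stanza in ~/.ssh/config, while the second ("error in libcrypto") means OpenSSL itself is refusing the SHA-1 operation, which is why only the crypto policy (DEFAULT:SHA1 rather than LEGACY) fixes it. The 192.0.2.10 address and the sample error lines are constructed; group14-sha1 is used in the stanza instead of group1-sha1 because OpenSSH 5.3 also supports that 2048-bit group.

```shell
# Added example, not from the thread: triage the two failures quoted above and
# print the narrowest fix for each. Addresses are placeholders.

# Classify one line of `ssh -v` output:
#   hostkey   : client rejected every offered host key algorithm; a per-host
#               ~/.ssh/config stanza is enough
#   libcrypto : OpenSSL itself refused the SHA-1 operation, so the system
#               crypto policy (not just ssh_config) must permit SHA-1
classify_ssh_error() {
    case "$1" in
        *"no matching host key type found"*) echo hostkey ;;
        *"error in libcrypto"*)              echo libcrypto ;;
        *)                                   echo unknown ;;
    esac
}

# From "Their offer: a,b" keep only ssh-rsa; ssh-dss (1024-bit DSA) stays out.
offer_to_hostkeys() {
    offer=${1##*"Their offer: "} result=
    IFS=,
    for alg in $offer; do
        [ "$alg" = ssh-rsa ] && result=${result:+$result,}$alg
    done
    unset IFS
    echo "$result"
}

# Stanza scoped to one host ($1) with host key algorithms $2. group14-sha1 is
# a 2048-bit group that OpenSSH 5.3 also supports; prefer it over group1-sha1.
host_stanza() {
    printf 'Host %s\n    HostKeyAlgorithms +%s\n' "$1" "$2"
    printf '    PubkeyAcceptedAlgorithms +%s\n' "$2"
    printf '    KexAlgorithms +diffie-hellman-group14-sha1\n'
}

# Per-host fix first; only when libcrypto refuses does the policy need SHA-1.
triage() {
    case $(classify_ssh_error "$1") in
        hostkey)   host_stanza "$2" "$(offer_to_hostkeys "$1")" ;;
        libcrypto) echo "OpenSSL policy blocks SHA-1; run: update-crypto-policies --set DEFAULT:SHA1" ;;
        *)         echo "unrecognised: $1" ;;
    esac
}

# Constructed sample lines mirroring the thread's two errors.
ERR1='Unable to negotiate with 192.0.2.10 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss'
ERR2='ssh_dispatch_run_fatal: Connection to 192.0.2.10 port 22: error in libcrypto'
triage "$ERR1" 192.0.2.10
triage "$ERR2" 192.0.2.10
```

Pipe real `ssh -v` output through `triage` one line at a time to get the same answer for a different legacy host.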

