Old SSH client and Debian 11

Adam1 Member

I'm using a pretty old Windows app which has a built-in SSH client and will only work with the diffie-hellman-group1-sha1 key exchange. I do need to use it still, and up until Debian 10 I've been able to keep it working by adding to sshd_config:

KexAlgorithms diffie-hellman-group1-sha1
Ciphers 3des-cbc,aes128-cbc

However, doing this in Debian 11 causes the app/client to throw a "BigInteger overflow" error when connecting. Unfortunately the app is packaged in such a way that it's not possible for me to upgrade the SSH client or add arguments to it, so I need to find a way to get this working server side.

I'm guessing something has changed in the Debian 11 OpenSSH version that means ancient SSH key exchanges/ciphers work differently or maybe not at all. Maybe there's an sshd_config entry that can get this working.

So, if anyone else has had this issue or has an idea how to get it working, I'd appreciate it.
Thanks.


Comments

  • Falzo Member

    if you really must stick with that old stuff for whatever reason, maybe get a jump host in between. connect there and go to your final destination from it. allows for additional IP whitelisting on the clients and stuff...

  • Do you need to or do you just don't want to switch?

  • DP Member, The Domain Guy
    edited January 4

    I might be wrong, but on Bullseye, if I specify KexAlgorithms diffie-hellman-group1-sha1 and Ciphers 3des-cbc,aes128-cbc in the server-side sshd_config and then force my client to connect using those, it seems to work.

    debug1: Local version string SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
    debug1: Remote protocol version 2.0, remote software version OpenSSH_8.4p1 Debian-5
    debug1: match: OpenSSH_8.4p1 Debian-5 pat OpenSSH* compat 0x04000000
    debug1: Authenticating to 192.168.0.55:2222 as 'dp'
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: algorithm: diffie-hellman-group1-sha1
    debug1: kex: host key algorithm: ssh-ed25519
    debug1: kex: server->client cipher: 3des-cbc MAC: [email protected] compression: [email protected]
    debug1: kex: client->server cipher: 3des-cbc MAC: [email protected] compression: [email protected]
    

    But if you have issues as you mentioned and you can't do much from the client/app (since it's packed) then I don't think there are many options available other than to go via a jump host to reach your destination server, as mentioned by @Falzo.

  • djn Member

    Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc

    try with the # removed in /etc/ssh/ssh_config

  • JabJab Member
    edited January 4

    I would suggest running a check of cipher/mac/key/kex on the old working server and the new one and comparing the results - what has changed and what else you need to force in the config. Could it be a newer/bigger MAC?

    sshd -T
    
  • DP Member, The Domain Guy

    @JabJab said:
    I would suggest running a check of cipher/mac/key/kex on the old working server and the new one and comparing the results - what has changed and what else you need to force in the config.

    ssh -Q cipher       # List supported ciphers
    ssh -Q mac          # List supported MACs
    ssh -Q key          # List supported public key types
    ssh -Q kex          # List supported key exchange algorithms
    

    I believe that's for the client and what it supports, not the server.

    For the server, you can refer to sshd -T.

    [email protected]:~# sshd -T | grep 'kex\|cipher'
    gssapikexalgorithms gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1-
    ciphers [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
    kexalgorithms curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
    
  • Adam1 Member
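    A small POSIX sh script, added here and not part of the thread, that does the comparison JabJab and DP describe: it diffs the per-keyword lists from `sshd -T` on the old and new servers, so the algorithms the new server no longer offers (in this sample the 1024-bit diffie-hellman-group1-sha1 group and the CBC ciphers, both long dropped from OpenSSH's defaults) show up at a glance. The two dumps are constructed samples, and `algos`, `only_in` and `report` are my own names.

```shell
#!/bin/sh
# Added example, not from the thread: compare the effective algorithm lists that
# `sshd -T` prints on two servers and report what each side offers that the other
# does not. The two dumps below are constructed samples trimmed to the keywords of
# interest; in practice capture them as root with `sshd -T > old.txt` on each host
# (sshd -T prints the effective server config, not what a client supports).

OLD_DUMP='ciphers aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,aes128-cbc
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha256,diffie-hellman-group1-sha1
macs hmac-sha2-256,hmac-sha1
hostkeyalgorithms ssh-ed25519,ssh-rsa'
NEW_DUMP='ciphers aes128-ctr,aes192-ctr,aes256-ctr
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha256
macs hmac-sha2-256
hostkeyalgorithms ssh-ed25519,rsa-sha2-256'

# algos DUMP KEYWORD: the comma-separated value of KEYWORD in DUMP (empty if absent)
algos() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# only_in DUMP_A DUMP_B KEYWORD: algorithms listed under KEYWORD in A but not in B,
# comma separated and in A's order (empty if none)
only_in() {
    printf 'A %s\nB %s\n' "$(algos "$1" "$3")" "$(algos "$2" "$3")" |
    awk '{ n = split($2, a, ","); for (i = 1; i <= n; i++) seen[$1, a[i]] = 1
           if ($1 == "A") list = $2 }
         END { n = split(list, a, ",")
               for (i = 1; i <= n; i++)
                   if (!(("B", a[i]) in seen)) out = out (out == "" ? "" : ",") a[i]
               print out }'
}

# report: one line per keyword and direction in which the two dumps differ
report() {
    for kw in ciphers kexalgorithms macs hostkeyalgorithms; do
        gone=$(only_in "$OLD_DUMP" "$NEW_DUMP" "$kw")
        added=$(only_in "$NEW_DUMP" "$OLD_DUMP" "$kw")
        [ -n "$gone" ]  && printf '%s: only on old server: %s\n' "$kw" "$gone"
        [ -n "$added" ] && printf '%s: only on new server: %s\n' "$kw" "$added"
    done
    return 0
}

report
```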

    @skorupion said: Do you need to or do you just don't want to switch?

    I was going to dismiss this, as the IDE I use is old and development has stopped, but I like how it works and I'm kind of an "if it ain't broke, don't fix it" kind of guy.

    I need to live edit files and, till now, I hadn't found a good alternative. But I decided to look at VS Code again and found they have significantly improved the remote file editing/folder browsing ability, so much so that I've decided to switch. It's still a little clunky, but I think I can cope with it.

    So thanks, problem solved, kinda!

  • Adam1 Member

    @djn said: Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
    try with the # removed in /etc/ssh/ssh_config

    Yeah, the client only supports the CBC ciphers as mentioned above, and also Blowfish, but that's not available at all in Debian 11.
