Old SSH client and Debian 11
I'm using a pretty old Windows app which has a built-in SSH client and will only work with diffie-hellman-group1-sha1 key exchange. I do need to use it still and up until Debian 10, I've been able to keep it working by adding to sshd_config:
KexAlgorithms diffie-hellman-group1-sha1
Ciphers 3des-cbc,aes128-cbc
However, doing this in Debian 11 causes the app/client to throw a "BigInteger overflow" error when connecting. Unfortunately the app is packed as such that it's not possible for me to upgrade the ssh client or add arguments to it, so I need to find a way to get this working server side.
I'm guessing something has changed in the Debian 11 OpenSSH version that means ancient SSH encryption/ciphers work differently or maybe not at all. Maybe there's an sshd_config entry that can get this working.
So, if anyone else has had this issue or has an idea how to get it working, I'd appreciate it.
Thanks.
Comments
If you really must stick with that old stuff for whatever reason, maybe get a jump host in between. Connect there and go to your final destination from it. Allows for additional IP whitelisting on the clients and stuff...
Do you need to, or do you just not want to switch?
I might be wrong but on Bullseye, if I were to specify
KexAlgorithms diffie-hellman-group1-sha1
and
Ciphers 3des-cbc,aes128-cbc
on the server-side sshd_config, and then force my client to connect using those, it seems to work.
But if you have issues as you mentioned and you can't do much from the client/app (since it's packed) then I don't think there are many options available other than to go via a jump host to reach your destination server, as mentioned by @Falzo.
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
Try with the # removed in /etc/ssh/ssh_config
I would suggest running a check of cipher/mac/key/kex on the old working server and the new one and comparing results - what has changed and what else you need to force in config. Could be a newer/bigger mac?
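One way to do the comparison suggested above, as an added example that is not part of the original thread: save the effective server configuration from each host with sshd -T and diff the algorithm lists. The two dumps embedded here are constructed samples (not real Debian defaults), and the function names are hypothetical.

```python
# Added example: compare the algorithm lists in two saved `sshd -T` dumps.
# OLD_DUMP and NEW_DUMP are constructed samples, not output from real hosts.
ALGO_KEYS = ("kexalgorithms", "ciphers", "macs", "hostkeyalgorithms")

OLD_DUMP = """\
port 22
kexalgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
ciphers 3des-cbc,aes128-cbc,blowfish-cbc
macs hmac-md5,hmac-sha1
hostkeyalgorithms ssh-rsa,ssh-dss
"""
NEW_DUMP = """\
port 22
kexalgorithms diffie-hellman-group1-sha1
ciphers 3des-cbc,aes128-cbc
macs hmac-sha2-256,hmac-sha1
hostkeyalgorithms rsa-sha2-512,ssh-ed25519,ssh-rsa
"""


def parse_algorithms(dump):
    """Return {keyword: [algorithms]} for the algorithm-list keywords."""
    found = {}
    for line in dump.splitlines():
        keyword, _, value = line.strip().partition(" ")
        if keyword.lower() in ALGO_KEYS:
            found[keyword.lower()] = [a for a in value.strip().split(",") if a]
    return found


def compare(old_dump, new_dump):
    """Per keyword: algorithms only on the old server, only on the new, and shared."""
    old, new = parse_algorithms(old_dump), parse_algorithms(new_dump)
    report = {}
    for key in ALGO_KEYS:
        o, n = old.get(key, []), new.get(key, [])
        report[key] = {
            "only_old": [a for a in o if a not in n],
            "only_new": [a for a in n if a not in o],
            "common": [a for a in o if a in n],
        }
    return report


if __name__ == "__main__":
    for key, diff in compare(OLD_DUMP, NEW_DUMP).items():
        print(f"{key}: dropped={diff['only_old']} added={diff['only_new']}")
```

Anything listed under only_old for a keyword the legacy client depends on is a candidate to re-enable explicitly in sshd_config on the new server, ideally scoped to the one host or jump host that has to accept that client.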
I believe that's for the client and what it supports, not the server.
For the server, you can refer to sshd -T.
I was going to dismiss this as the IDE I use is old and development stopped, but I like how it works and I'm kind of an "if it ain't broke, don't fix it" kinda guy.
I need to live edit files and till now, I'd not found a good alternative. But I decided to look at VS Code again and found they have significantly improved the remote file editing/folder browsing ability, so much so I've decided to switch. It's still a little clunky but I think I can cope with it.
So thanks, problem solved, kinda!
Yeah, the client only supports the cbc ciphers as mentioned above, also blowfish but that's not available at all in deb 11