Current-Users archive


Re: Honey, I broke public-key logins



On Mon, 1 Nov 2021 at 09:01, Jun Ebihara <jun%soum.co.jp@localhost> wrote:
>
> From: Bob Bernstein <poobah%ruptured-duck.com@localhost>
> Subject: Honey, I broke public-key logins
> Date: Sun, 31 Oct 2021 18:21:52 -0400 (EDT)
>
> > I never really was one to look before I leap, and a recent 'sysbuild'
> > and 'sysupgrade' to 9.99.92 produced the effect noted above in
> > Subject:. (The reference is to the film "Honey I shrunk the kids.")
>
> https://www.openssh.com/txt/release-8.8
>
> "Incompatibility is more likely when connecting to older SSH
> implementations that have not been upgraded or have not closely tracked
> improvements in the SSH protocol. For these cases, it may be necessary
> to selectively re-enable RSA/SHA1 to allow connection and/or user
> authentication via the HostkeyAlgorithms and PubkeyAcceptedAlgorithms
> options. For example, the following stanza in ~/.ssh/config will enable
> RSA/SHA1 for host and user authentication for a single destination host:
>
>     Host old-host
>         HostkeyAlgorithms +ssh-rsa
>         PubkeyAcceptedAlgorithms +ssh-rsa
> "
>
> --
> Jun Ebihara

That didn't work for me when trying to ssh from a -current NetBSD
system to a Solaris10U11 host. I get:

$ ssh 192.168.0.51
Unable to negotiate with 192.168.0.51 port 22: no matching key
exchange method found. Their offer:
gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
...

On the other hand, on the NetBSD system, 'ssh -Q HostKeyAlgorithms'
(and PubkeyAcceptedAlgorithms) show:
...
ssh-ed25519
ssh-ed25519-cert-v01@openssh.com
sk-ssh-ed25519@openssh.com
sk-ssh-ed25519-cert-v01@openssh.com
ssh-xmss@openssh.com
ssh-xmss-cert-v01@openssh.com
ssh-rsa
rsa-sha2-256
rsa-sha2-512
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
sk-ecdsa-sha2-nistp256@openssh.com
webauthn-sk-ecdsa-sha2-nistp256@openssh.com
ssh-rsa-cert-v01@openssh.com
rsa-sha2-256-cert-v01@openssh.com
rsa-sha2-512-cert-v01@openssh.com
ssh-dss-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com
...

I don't see anything common here; I couldn't find anything relevant in
/etc/ssh/sshd_config on the Solaris 10 system, which is running Sun
ssh v1.1.5.

I can connect to the Solaris system using putty on a W11 host; the
native ssh W11 client seems to work as well.

Chavdar
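
Added example, not part of the original message or of OpenSSH: a small Python helper that reads an "Unable to negotiate" error like the one quoted above, maps the failing algorithm class to the ssh_config option that controls it (a "key exchange method" failure is governed by KexAlgorithms rather than HostKeyAlgorithms), and builds a stanza scoped to that one host. The function names, the local algorithm list and the policy of skipping group1 are assumptions made for illustration.

```python
import re

# Reason text in the "Unable to negotiate" error -> controlling ssh_config option.
REASON_TO_OPTION = {
    "key exchange method": "KexAlgorithms",
    "host key type": "HostKeyAlgorithms",
    "cipher": "Ciphers",
    "MAC": "MACs",
}
NEGOTIATE_RE = re.compile(
    r"Unable to negotiate with (\S+) port (\d+): "
    r"no matching (.+?) found\. Their offer: (\S+)"
)

# Error text as quoted in the message above, including its line wrapping.
SAMPLE_ERROR = """Unable to negotiate with 192.168.0.51 port 22: no matching key
exchange method found. Their offer:
gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
"""
# Constructed sample standing in for the client's `ssh -Q kex` output.
SAMPLE_LOCAL_KEX = [
    "curve25519-sha256", "diffie-hellman-group14-sha256",
    "diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1",
    "diffie-hellman-group1-sha1",
]

def diagnose(error_text):
    """Return (host, ssh_config option, offered algorithms) or None."""
    flat = " ".join(error_text.split())  # undo mail/terminal line wrapping
    m = NEGOTIATE_RE.search(flat)
    if not m or m.group(3) not in REASON_TO_OPTION:
        return None
    return m.group(1), REASON_TO_OPTION[m.group(3)], m.group(4).split(",")

def stanza(error_text, local_algs):
    """Per-host stanza enabling only algorithms both sides implement."""
    found = diagnose(error_text)
    if found is None:
        return None
    host, option, offered = found
    common = [a for a in offered if a in local_algs]
    # Assumed policy: skip the 1024-bit group1 when anything else is mutual.
    chosen = [a for a in common if "group1-" not in a] or common
    if not chosen:
        return None  # the client implements nothing the server offers
    return f"Host {host}\n    {option} +{','.join(chosen)}\n"

if __name__ == "__main__":
    print(stanza(SAMPLE_ERROR, SAMPLE_LOCAL_KEX))
```

Feed it the real output of `ssh -Q kex` (or `ssh -Q cipher`, `ssh -Q mac`, `ssh -Q key`) from the client in place of the constructed list; keeping the result under a single `Host` entry leaves the legacy algorithms disabled for every other destination.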






