I have several old devices. Upgrading them is either impossible, they are unsupported, or I can’t be bothered upgrading the. Access is only via a dedicated VLAN within my home network.
When stuck, I posted to Twitter and that led me to OpenSSH Legacy Options. This page describes what to do when OpenSSH refuses to connect with an implementation that only supports legacy algorithms.
Here’s what I just tried:
$ ssh pdu1 Unable to negotiate with 10.52.0.2 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 $ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 pdu1 Unable to negotiate with 10.52.0.2 port 22: no matching cipher found. Their offer: 3des-cbc,blowfish-cbc $ ssh -Q cipher 3des-cbc aes128-cbc aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com chacha20-poly1305@openssh.com $ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc pdu1 ssh_dispatch_run_fatal: Connection to 10.52.0.2 port 22: Invalid key length $ ssh-add -D All identities removed. $ ssh -a -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc pdu1 ssh_dispatch_run_fatal: Connection to 10.52.0.2 port 22: Invalid key length $ ssh-add -l The agent has no identities.
Let’s try verbose:
$ ssh -vvvv -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc pdu1 OpenSSH_7.6p1, LibreSSL 2.6.2 debug1: Reading configuration data /Users/dan/.ssh/config debug1: /Users/dan/.ssh/config line 5: Applying options for * debug1: /Users/dan/.ssh/config line 168: Applying options for pdu1 debug3: kex names ok: [diffie-hellman-group1-sha1] debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 48: Applying options for * debug2: ssh_connect_direct: needpriv 0 debug1: Connecting to pdu1.int.unixathome.org port 22. debug1: Connection established. debug1: key_load_public: No such file or directory debug1: identity file /Users/dan/.ssh/id_rsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /Users/dan/.ssh/id_rsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /Users/dan/.ssh/id_dsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /Users/dan/.ssh/id_dsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /Users/dan/.ssh/id_ecdsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /Users/dan/.ssh/id_ecdsa-cert type -1 debug1: identity file /Users/dan/.ssh/id_ed25519 type 3 debug1: key_load_public: No such file or directory debug1: identity file /Users/dan/.ssh/id_ed25519-cert type -1 debug1: Local version string SSH-2.0-OpenSSH_7.6 debug1: Remote protocol version 2.0, remote software version cryptlib debug1: no match: cryptlib debug3: fd 5 is O_NONBLOCK debug1: Authenticating to pdu1.int.unixathome.org:22 as 'dvl' debug3: hostkeys_foreach: reading file "/Users/dan/.ssh/known_hosts" debug1: /Users/dan/.ssh/known_hosts:400: parse error in hostkeys file debug3: send packet: type 20 debug1: SSH2_MSG_KEXINIT sent debug3: receive packet: type 20 debug1: SSH2_MSG_KEXINIT received debug2: local client KEXINIT proposal debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa debug2: ciphers ctos: 3des-cbc debug2: ciphers stoc: 3des-cbc debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: compression ctos: none,zlib@openssh.com,zlib debug2: compression stoc: none,zlib@openssh.com,zlib debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 debug2: reserved 0 debug2: peer server KEXINIT proposal debug2: KEX algorithms: diffie-hellman-group1-sha1 debug2: host key algorithms: ssh-rsa debug2: ciphers ctos: 3des-cbc,blowfish-cbc debug2: ciphers stoc: 3des-cbc,blowfish-cbc debug2: MACs ctos: hmac-sha1,hmac-md5 debug2: MACs stoc: hmac-sha1,hmac-md5 debug2: compression ctos: none debug2: compression stoc: none debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 debug2: reserved 0 debug1: kex: algorithm: diffie-hellman-group1-sha1 debug1: kex: host key algorithm: ssh-rsa debug1: kex: server->client cipher: 3des-cbc MAC: hmac-sha1 compression: none debug1: kex: client->server cipher: 3des-cbc MAC: hmac-sha1 compression: none debug1: sending SSH2_MSG_KEXDH_INIT debug2: bits set: 510/1024 debug3: send packet: type 30 debug1: expecting SSH2_MSG_KEXDH_REPLY debug3: receive packet: type 31 ssh_dispatch_run_fatal: Connection to 10.52.0.2 port 22: Invalid key length
The above was from OSX 10.13.3 (17D47). Let’s try from FreeBSD.
FreeBSD
In this attempt, I had to specify the user on the connection. On my laptop, that was covered by my ~/.ssh/config file.
[dan@slocum:~] $ ssh -vvvv -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc dvl@pdu1 OpenSSH_7.2p2, OpenSSL 1.0.2k-freebsd 26 Jan 2017 debug1: Reading configuration data /usr/home/dan/.ssh/config debug3: kex names ok: [diffie-hellman-group1-sha1] debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 53: Deprecated option "useroaming" debug2: resolving "pdu1.int.unixathome.org" port 22 debug2: ssh_connect_direct: needpriv 0 debug1: Connecting to pdu1.int.unixathome.org [10.52.0.2] port 22. debug1: Connection established. debug1: identity file /usr/home/dan/.ssh/id_rsa type 1 debug1: Fssh_key_load_public: No such file or directory debug1: identity file /usr/home/dan/.ssh/id_rsa-cert type -1 debug1: Fssh_key_load_public: No such file or directory debug1: identity file /usr/home/dan/.ssh/id_dsa type -1 debug1: Fssh_key_load_public: No such file or directory debug1: identity file /usr/home/dan/.ssh/id_dsa-cert type -1 debug1: Fssh_key_load_public: No such file or directory debug1: identity file /usr/home/dan/.ssh/id_ecdsa type -1 debug1: Fssh_key_load_public: No such file or directory debug1: identity file /usr/home/dan/.ssh/id_ecdsa-cert type -1 debug1: Fssh_key_load_public: No such file or directory debug1: identity file /usr/home/dan/.ssh/id_ed25519 type -1 debug1: Fssh_key_load_public: No such file or directory debug1: identity file /usr/home/dan/.ssh/id_ed25519-cert type -1 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_7.2 FreeBSD-20161230 debug1: Remote protocol version 2.0, remote software version cryptlib debug1: no match: cryptlib debug2: fd 3 setting O_NONBLOCK debug1: Authenticating to pdu1.int.unixathome.org:22 as 'dvl' debug3: Fssh_hostkeys_foreach: reading file "/usr/home/dan/.ssh/known_hosts" debug3: Fssh_record_hostkey: found key type RSA in file /usr/home/dan/.ssh/known_hosts:306 debug3: Fssh_load_hostkeys: loaded 1 keys from pdu1.int.unixathome.org debug3: Fssh_hostkeys_foreach: reading file "/usr/home/dan/.ssh/known_hosts2" debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa debug3: send packet: type 20 debug1: SSH2_MSG_KEXINIT sent debug3: receive packet: type 20 debug1: SSH2_MSG_KEXINIT received debug2: local client KEXINIT proposal debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c debug2: host key algorithms: ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519 debug2: ciphers ctos: 3des-cbc debug2: ciphers stoc: 3des-cbc debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: compression ctos: none,zlib@openssh.com,zlib debug2: compression stoc: none,zlib@openssh.com,zlib debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 debug2: reserved 0 debug2: peer server KEXINIT proposal debug2: KEX algorithms: diffie-hellman-group1-sha1 debug2: host key algorithms: ssh-rsa debug2: ciphers ctos: 3des-cbc,blowfish-cbc debug2: ciphers stoc: 3des-cbc,blowfish-cbc debug2: MACs ctos: hmac-sha1,hmac-md5 debug2: MACs stoc: hmac-sha1,hmac-md5 debug2: compression ctos: none debug2: compression stoc: none debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 debug2: reserved 0 debug1: kex: algorithm: diffie-hellman-group1-sha1 debug1: kex: host key algorithm: ssh-rsa debug1: kex: server->client cipher: 3des-cbc MAC: hmac-sha1 compression: none debug1: kex: client->server cipher: 3des-cbc MAC: hmac-sha1 compression: none debug1: sending SSH2_MSG_KEXDH_INIT debug2: bits set: 523/1024 debug3: send packet: type 30 debug1: expecting SSH2_MSG_KEXDH_REPLY debug3: receive packet: type 31 debug1: Server host key: ssh-rsa SHA256:hPsoJNLzAZ+7LpBnPQFMcWEJtsovKc+uJm+0utUmyfw debug3: verify_host_key_dns DNS lookup error: general failure debug3: Fssh_hostkeys_foreach: reading file "/usr/home/dan/.ssh/known_hosts" debug3: Fssh_record_hostkey: found key type RSA in file /usr/home/dan/.ssh/known_hosts:306 debug3: Fssh_load_hostkeys: loaded 1 keys from pdu1.int.unixathome.org debug3: Fssh_hostkeys_foreach: reading file "/usr/home/dan/.ssh/known_hosts2" debug1: Host 'pdu1.int.unixathome.org' is known and matches the RSA host key. debug1: Found key in /usr/home/dan/.ssh/known_hosts:306 debug2: bits set: 529/1024 debug3: send packet: type 21 debug2: set_newkeys: mode 1 debug1: rekey after 134217728 blocks debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug3: receive packet: type 21 debug2: set_newkeys: mode 0 debug1: rekey after 134217728 blocks debug1: SSH2_MSG_NEWKEYS received debug2: key: /usr/home/dan/.ssh/id_rsa (0x80208e200) debug2: key: /usr/home/dan/.ssh/id_dsa (0x0) debug2: key: /usr/home/dan/.ssh/id_ecdsa (0x0) debug2: key: /usr/home/dan/.ssh/id_ed25519 (0x0) debug3: send packet: type 5 debug3: receive packet: type 6 debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug3: send packet: type 50 debug3: receive packet: type 51 Authenticated with partial success. debug2: key: /usr/home/dan/.ssh/id_rsa (0x0) debug2: key: /usr/home/dan/.ssh/id_dsa (0x0) debug2: key: /usr/home/dan/.ssh/id_ecdsa (0x0) debug2: key: /usr/home/dan/.ssh/id_ed25519 (0x0) debug1: Authentications that can continue: password debug3: start over, passed a different list password debug3: preferred publickey,keyboard-interactive,password debug3: authmethod_lookup password debug3: remaining preferred: ,keyboard-interactive,password debug3: authmethod_is_enabled password debug1: Next authentication method: password dvl@pdu1.int.unixathome.org's password: 'debug3: send packet: type 50 debug2: we sent a password packet, wait for reply debug3: receive packet: type 52 debug1: Authentication succeeded (password). Authenticated to pdu1.int.unixathome.org ([10.52.0.2]:22). debug1: channel 0: new [client-session] debug3: ssh_session2_open: channel_new: 0 debug2: channel 0: send open debug3: send packet: type 90 debug1: Entering interactive session. debug1: pledge: network debug3: receive packet: type 91 debug2: callback start debug2: fd 3 setting TCP_NODELAY debug3: Fssh_ssh_packet_set_tos: set IP_TOS 0x10 debug2: client_session2_setup: id 0 debug2: channel 0: request pty-req confirm 1 debug3: send packet: type 98 debug2: channel 0: request shell confirm 1 debug3: send packet: type 98 debug2: callback done debug2: channel 0: open confirm rwindow 8192 rmax 1024 debug3: receive packet: type 99 debug2: channel_input_status_confirm: type 99 id 0 debug2: PTY allocation request accepted on channel 0 debug3: receive packet: type 99 debug2: channel_input_status_confirm: type 99 id 0 debug2: shell request accepted on channel 0 American Power Conversion Network Management Card AOS v2.6.4 (c) Copyright 2004 All Rights Reserved Rack PDU APP v2.6.5 ------------------------------------------------------------------------------- Name : pdu1 Date : 01/30/2018 Contact : Dan Langille Time : 01:15:12 Location : rack01 bottom User : Administrator Up Time : 2 Days 8 Hours 10 Minutes Stat : P+ N+ A+ Switched Rack PDU: Communication Established ------- Control Console ------------------------------------------------------- 1- Device Manager 2- Network 3- System 4- Logout <ESC>- Main Menu, <ENTER>- Refresh, <CTRL-L>- Event Log >
SUCCESS!
Proxy host
As I type this, I’m tired and I don’t want to pursue this next idea. Proxy tunnels.
Have a read of this and let me know: Creating a transparent SSH tunnel through a bastion host.
I am sure that by using the above idea, I can ssh from my laptop through the bastion host, and get onto that PDU.
The rest is left as an exercise for the reader. Please post in the comments. Thank you.
Putting this into ~/.ssh/config on the bastion host:
gives a good result: