Fedora 36’s OpenSSH 8.8p1 can’t connect to a server with a much older version


I am unable to connect to a server via ssh. It seems to be a versioning problem – two systems I have access to which run OpenSSH 7.4p1 (December 2016) can connect; my current Fedora 36, which runs OpenSSH 8.8p1 (September 2021) won’t connect to the target system (which is at 6.6.1p1 from March 2014).

The error is:

sign_and_send_pubkey: no mutual signature supported
no-one@000.000.000.000: Permission denied (publickey,gssapi-keyex,gssapi-with-mic). 

The target system should be upgraded, of course, but I have no control over that.

Is there anything I can do other than downgrading OpenSSH (and dealing with the concomitant security issues)?

Thanks!
Fred

1 Like

I ran into this just today at work and we decided that the easiest way forward until stuff could be upgraded (some of which depends on vendors supplying an upgrade) was to run an older ssh client in a container in the meantime. For example, with podman or toolbox.

4 Likes

Can you run the command with -vvv to see what detailed information it gives so we know what the issue is? It could be that the server uses bits that the new client version does not, but it could also be OpenSSL related perhaps because F36 upgraded to OpenSSL 3.0 which also disabled some older bits by default I guess?

If it’s limited to ssh, one can usually update ~/.ssh/config to mention what algorithms are to be used for a particular host. For example, see man ssh_config and look for PubkeyAcceptedTypes and other related fields.

Here’s a post with an example:

I have access to some old server.
This is my working solution:

ssh -o HostKeyAlgorithms=ssh-rsa -o KexAlgorithms=diffie-hellman-group1-sha1 serveraddress

As written by @ankursinha, you can put these options in the ~/.ssh/config file.

3 Likes
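
An added example, not part of any post in the thread: a shell helper that maps the client's negotiation errors (including the `no mutual signature supported` line quoted above) to the matching ssh_config keyword and emits a stanza scoped to a single host, so the older algorithms stay disabled for every other connection. Assumptions: the host alias `legacy-box`, the address 192.0.2.10 and the two `Unable to negotiate` lines are constructed; `PubkeyAcceptedAlgorithms` is the OpenSSH 8.5+ keyword name; the thread does not confirm that these options are sufficient for the server discussed.

```sh
#!/bin/sh
# Added example, not code from the thread. Turns the stderr of failed ssh
# attempts into a Host-scoped ~/.ssh/config stanza, so legacy algorithms are
# re-enabled for one server only instead of for every connection.

# Map one ssh error line to the ssh_config keyword that governs it.
option_for_error() {
    case $1 in
        *"no mutual signature"*) echo PubkeyAcceptedAlgorithms ;;
        *"no matching host key type found"*) echo HostKeyAlgorithms ;;
        *"no matching key exchange method found"*) echo KexAlgorithms ;;
    esac
}

# legacy_stanza HOST: reads ssh stderr on stdin, prints the Host block.
# Returns 1 when no known negotiation error was seen.
legacy_stanza() {
    host=$1
    body=
    while IFS= read -r line; do
        opt=$(option_for_error "$line")
        [ -n "$opt" ] || continue
        case $line in
            *"Their offer: "*) offer=${line##*"Their offer: "} ;;
            *) offer=ssh-rsa ;;  # signature errors list no offer; assume an RSA key
        esac
        # Leading "+" appends to the client's defaults instead of replacing them.
        # Trim a multi-entry offer down to the one algorithm actually needed.
        body="${body}    ${opt} +${offer}
"
    done
    [ -n "$body" ] || return 1
    printf 'Host %s\n%s' "$host" "$body"
}

# Constructed sample: the first line is the error quoted in the thread, the
# other two are made-up negotiation failures (192.0.2.10 is a documentation
# address), as if collected from separate failed attempts.
sample_stderr() {
    cat <<'EOF'
sign_and_send_pubkey: no mutual signature supported
Unable to negotiate with 192.0.2.10 port 22: no matching host key type found. Their offer: ssh-rsa
Unable to negotiate with 192.0.2.10 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
EOF
}

sample_stderr | legacy_stanza legacy-box   # "legacy-box" is a placeholder alias
```

After appending the stanza to ~/.ssh/config, `ssh -G legacy-box` prints the options the client would use for that host without opening a connection.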

Thanks for your help, @vwbusguy, @FranciscoD, and @alciregi.

I first attempted to change command-line and config options, but I couldn’t produce the correct combination. Odd, because it seemed like such a logical approach … even when I precisely specified the various algorithms to match those that worked in earlier versions, I couldn’t log in.

So I went for @vwbusguy’s toolbox option, where I’m using OpenSSH 8.3p1, which is working just fine, even though it’s my first use of toolbox.

Fred

3 Likes