Legacy ssh possible?

I want to flash a Wi-Fi AP with OpenWrt. Unfortunately, the process isn’t straightforward and requires ssh access to the AP. The implementation is done with dropbear ssh supporting only old, legacy, insecure ssh methods.

Fedora doesn’t support the ssh methods anymore.

What I did so far to overcome this:

  1. On the AP, I created a key:
     /usr/local/sbin/dropbearkey -t rsa -f /tmp/dropbear_rsa_host_key2 -s 2048
  2. Killed the dropbear process.
  3. Restarted the ssh server using the new key:
     /usr/local/sbin/dropbear -p 22 -r /tmp/dropbear_rsa_host_key2 -d /tmp/dropbear_dss_host_key -L

Afterwards, I tried the following to connect:

ssh -oPubkeyAcceptedAlgorithms=+ssh-rsa -o HostKeyAlgorithms=ssh-rsa -o KexAlgorithms=+diffie-hellman-group1-sha1 admin@10.7.8.21

Result: ssh_dispatch_run_fatal: Connection to 10.7.8.21 port 22: error in libcrypto.

Verbose output:
OpenSSH_9.9p1, OpenSSL 3.2.2 4 Jun 2024
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf
debug1: Reading configuration data /etc/ssh/ssh_config.d/30-libvirt-ssh-proxy.conf
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf
debug1: Reading configuration data /etc/ssh/ssh_config.d/30-libvirt-ssh-proxy.conf
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: Connecting to 10.7.8.21 [10.7.8.21] port 22.
debug1: Connection established.
debug1: Local version string SSH-2.0-OpenSSH_9.9
debug1: Remote protocol version 2.0, remote software version dropbear_2012.55
debug1: compat_banner: no match: dropbear_2012.55
debug1: Authenticating to 10.7.8.21:22 as 'admin'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group1-sha1
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha1 compression: none
debug1: kex: diffie-hellman-group1-sha1 need=32 dh_need=32
debug1: kex: diffie-hellman-group1-sha1 need=32 dh_need=32
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-rsa SHA256:GcOpVjQaaHZ+IMHVroQKQJ+r4rwr424yfQdYMf06yVE
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '10.7.8.21' is known and matches the RSA host key.
debug1: Found key in known_hosts:55
ssh_dispatch_run_fatal: Connection to 10.7.8.21 port 22: error in libcrypto

Does anyone have ideas how to easily solve this?
Do I have to permit the weak crypto policy system-wide for my client to connect?

update-crypto-policies --set LEGACY
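To see which negotiated parameters in verbose output like the one in this post rely on SHA-1 or a 1024-bit group, the `debug1: kex:` lines can be parsed and checked against a review list. This is an added example, not part of the original post; the `LEGACY` list (a short review list, not a complete catalogue) and the function names are assumptions made for illustration.

```python
import re

# Sample input: lines taken from the verbose output in the post above.
SAMPLE = """\
debug1: Remote protocol version 2.0, remote software version dropbear_2012.55
debug1: kex: algorithm: diffie-hellman-group1-sha1
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha1 compression: none
"""

# Assumption: a short review list, not a complete catalogue of weak algorithms.
LEGACY = {
    "diffie-hellman-group1-sha1": "1024-bit DH group, SHA-1 hash",
    "diffie-hellman-group14-sha1": "SHA-1 hash",
    "ssh-rsa": "RSA signature over SHA-1",
    "ssh-dss": "1024-bit DSA, SHA-1",
    "hmac-sha1": "SHA-1 based MAC",
    "hmac-md5": "MD5 based MAC",
}

# One pattern per negotiated parameter as printed by `ssh -v`.
PATTERNS = {
    "server": re.compile(r"remote software version (\S+)"),
    "kex": re.compile(r"kex: algorithm: (\S+)"),
    "hostkey": re.compile(r"kex: host key algorithm: (\S+)"),
    "cipher": re.compile(r"kex: server->client cipher: (\S+)"),
    "mac": re.compile(r"kex: server->client cipher: \S+ MAC: (\S+)"),
}

def parse_negotiation(log):
    """Return the first match for each negotiated parameter in `ssh -v` output."""
    found = {}
    for line in log.splitlines():
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if m and name not in found:
                found[name] = m.group(1)
    return found

def legacy_findings(negotiated):
    """List (parameter, algorithm, reason) for every algorithm on the review list."""
    return [(k, v, LEGACY[v]) for k, v in negotiated.items() if v in LEGACY]

if __name__ == "__main__":
    neg = parse_negotiation(SAMPLE)
    print("server:", neg.get("server"))
    for param, alg, why in legacy_findings(neg):
        print(f"{param}: {alg} ({why})")
```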