Quoting "Kash, Howard M CIV USARMY ARL (US)" <howard.m.kash.civ@xxxxxxxx>:

> After upgrading a Linux system from OpenSSH 6.7 to 6.9, Cisco
> switches/routers can no longer scp config files to/from the system. The
> last debug entry before the Cisco device closes the connection is "debug1:
> server_input_channel_open: confirm session".

Many aging ciphers, hashes, and key exchanges are in the process of being retired. <1kbit Diffie-Hellman moduli have been removed as well in 6.9, I believe. If the Ciscos rely on <1kbit DH moduli or SHA1/MD5 hash based proposals to work, that could be your problem.

A comparison of the two versions' output from:

    (ssh -Q kex ; ssh -Q mac ; ssh -Q cipher)

MAY help narrow it down, but I think you'll need to enable protocol debug logging on the server side and see which proposals the Cisco is using that are no longer available in 6.9 (by default). You may just need to add two or three lines to 6.9's sshd_config file, i.e., KexAlgorithms/MACs/Ciphers. If it's a modulus size issue, you can use the moduli file from the 6.7 release in 6.9, though the small moduli have been removed for good reason.

It's a good reminder for all of us to re-inventory key exchanges, macs, ciphers, for all of the core services that need suitable information security. I've been amazed at how much cruft has accumulated in OpenSSL, and how many downstream clients have inherited so much "bad" code for so long as a result. Building OpenSSH without OpenSSL at all would be great, except I'd kill ssh access for everyone but my development and system engineers. :/ (The dream of curve25519-sha256/chacha20-poly1305-for-all is still a pipe dream for many.)

Happy hunting!

=R=

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
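The triage the reply describes (read the peer's proposal out of the server-side debug log, compare it with what the build supports and what it enables by default, then decide whether a KexAlgorithms/Ciphers/MACs line can bridge the gap or whether the client itself has to change) can be scripted. The following is an added example written for this page, not code from the thread or from OpenSSH. The algorithm sets, the `sshd -ddd` excerpt and the peer are all constructed for illustration and are not the real defaults of any OpenSSH release; only the directive names `KexAlgorithms`, `Ciphers` and `MACs` and the `kex_parse_kexinit` debug-line prefix are real.

```python
"""Added example (not from the mailing-list thread): triage an SSH algorithm
negotiation failure by comparing the peer's KEXINIT proposal, taken from an
`sshd -ddd` debug log, against what the server build supports (`ssh -Q ...`)
and what it enables by default.

All algorithm lists and the log excerpt below are constructed for
illustration; they are not the real defaults of OpenSSH 6.7 or 6.9.
"""

# Constructed: what `ssh -Q kex / cipher / mac` might print on the upgraded
# server, i.e. everything the build can do, default or not.
BUILD_SUPPORTED = {
    "kex": {"curve25519-sha256@libssh.org", "ecdh-sha2-nistp256",
            "diffie-hellman-group-exchange-sha256",
            "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"},
    "cipher": {"chacha20-poly1305@openssh.com", "aes128-ctr", "aes256-ctr",
               "aes128-gcm@openssh.com", "aes128-cbc", "3des-cbc"},
    "mac": {"hmac-sha2-256", "hmac-sha2-512", "umac-64@openssh.com",
            "hmac-sha1"},
}

# Constructed: the subset the server offers with no sshd_config override.
SERVER_DEFAULT = {
    "kex": {"curve25519-sha256@libssh.org", "ecdh-sha2-nistp256",
            "diffie-hellman-group-exchange-sha256",
            "diffie-hellman-group14-sha1"},
    "cipher": {"chacha20-poly1305@openssh.com", "aes128-ctr", "aes256-ctr",
               "aes128-gcm@openssh.com"},
    "mac": {"hmac-sha2-256", "hmac-sha2-512", "umac-64@openssh.com"},
}

# Real sshd_config directive for each category.
DIRECTIVE = {"kex": "KexAlgorithms", "cipher": "Ciphers", "mac": "MACs"}

# Constructed `sshd -ddd` excerpt: the peer's kex_parse_kexinit block, in
# SSH_MSG_KEXINIT field order (kex, host key, cipher c2s, cipher s2c,
# mac c2s, mac s2c, compression c2s, compression s2c). A hypothetical legacy
# client, not any real device.
PEER_DEBUG_LOG = """\
debug2: kex_parse_kexinit: diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc
debug2: kex_parse_kexinit: hmac-sha1,hmac-md5
debug2: kex_parse_kexinit: hmac-sha1,hmac-md5
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
"""

# Substrings marking the "aging" algorithms the reply mentions: 1024-bit DH
# (group1), SHA-1/MD5 based MACs and kex, CBC-mode and 3DES ciphers.
LEGACY_MARKERS = ("group1", "sha1", "md5", "-cbc", "3des")


def parse_peer_proposal(log_text):
    """Pull the kex, client-to-server cipher and MAC lists out of the
    kex_parse_kexinit lines. Returns a dict category -> ordered list."""
    fields = [line.split(":", 2)[2].strip().split(",")
              for line in log_text.splitlines()
              if "kex_parse_kexinit:" in line]
    if len(fields) < 6:
        raise ValueError("expected at least six kex_parse_kexinit lines")
    return {"kex": fields[0], "cipher": fields[2], "mac": fields[4]}


def triage(proposal, default=SERVER_DEFAULT, build=BUILD_SUPPORTED):
    """Classify each category of the peer's proposal.

    negotiable:        usable against the server's defaults as-is
    enable_via_config: in the build but off by default, so a sshd_config
                       line can restore them
    unsupported:       absent from the build; only a client-side change or
                       a different server build helps
    legacy:            proposed algorithms matching LEGACY_MARKERS
    """
    report = {}
    for cat in ("kex", "cipher", "mac"):
        proposed = proposal[cat]
        report[cat] = {
            "negotiable": [a for a in proposed if a in default[cat]],
            "enable_via_config": [a for a in proposed
                                  if a in build[cat] and a not in default[cat]],
            "unsupported": [a for a in proposed if a not in build[cat]],
            "legacy": [a for a in proposed
                       if any(m in a for m in LEGACY_MARKERS)],
        }
    return report


def suggest_sshd_config(report, default=SERVER_DEFAULT):
    """Return sshd_config lines for categories that have no overlap today and
    at least one re-enableable algorithm. The current defaults come first and
    the legacy algorithm is appended last, so a modern client never selects
    it; the server only goes down to it for a peer that offers nothing else."""
    lines = []
    for cat, r in report.items():
        if r["negotiable"] or not r["enable_via_config"]:
            continue
        ordered = sorted(default[cat]) + [r["enable_via_config"][0]]
        lines.append(f"{DIRECTIVE[cat]} {','.join(ordered)}")
    return lines


if __name__ == "__main__":
    rep = triage(parse_peer_proposal(PEER_DEBUG_LOG))
    for cat, r in rep.items():
        print(f"{cat}: {r}")
    for line in suggest_sshd_config(rep):
        print("sshd_config>", line)
```

In the constructed scenario the peer offers only legacy algorithms in all three categories; two of them (the 1024-bit DH group and the CBC ciphers, plus `hmac-sha1`) are still in the build and can be restored with a config line, while `hmac-md5` is not in the build at all and no sshd_config line will bring it back. The suggested lines use alphabetical order for the default set purely for stability; on a real server the preference order of each directive should be chosen deliberately, with the strongest algorithms first.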