Darren Tucker <dtucker@xxxxxxxxxx> writes:

> On Tue, Nov 8, 2016 at 3:30 PM, Harry Putnam <reader@xxxxxxxxxxx> wrote:
> [...]
>> After having 7.3p1 & 6.8p1 fail with same wording... I tried 6.7p1 and
>> find it fails with what looks like the same problem but has slightly
>> different wording.
>
> I set up the same versions (server:OpenSSH_6.6p1, OpenSSL 1.0.1s 1
> Mar 2016, client: OpenSSH_7.3p1, OpenSSL 1.0.1s 1 Mar 2016) on Linux
> to try to reproduce it but failed.
>
> ./ssh -p 2022 -vvv -o ciphers=chacha20-poly1305@xxxxxxxxxxx -o
> kexalgorithms=diffie-hellman-group-exchange-sha256 localhost
> [...]
> debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
> debug1: kex: host key algorithm: ssh-ed25519
> debug1: kex: server->client cipher: chacha20-poly1305@xxxxxxxxxxx MAC:
> <implicit> compression: none
> debug1: kex: client->server cipher: chacha20-poly1305@xxxxxxxxxxx MAC:
> <implicit> compression: none

From another post Darren Tucker wrote:

> > That's because the 6.4 client doesn't do the problematic
> > ssh-ed25519 host key algorithm. You'll probably see the same
> > thing with the newer clients if you set HostKeyAlgorithms in the
> > client's ssh_config like I suggested in my first reply (or
> > remove/rename the ed25519 host key file on the server, I think
> > that version is before you could set HostKeyAlgorithms).

I'm sorry if by not doing that I tied you up in this thread but I did
not understand how that would be done.

> Can you tell me more about the server? You said it's Solaris, but is
> it SPARC or x86? What OpenSSL version is it?

x86

uname -a
SunOS 2x 5.11 oi_151a9 i86pc i386 i86pc

It is an off shoot of Oracle Solaris named openindiana.

Running OpenSSH_6.6, OpenSSL 1.0.1u 22 Sep 2016.
Provided from the OpenCSW project that builds some solaris pkgs.

The last line of sshd_config must be the killer:
`kexAlgorithms diffie-hellman-group-exchange-sha1'

# grep -v '^#\|^$' /etc/ssh/sshd_config
Protocol 2
Port 22
ListenAddress ::
GatewayPorts no
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
PrintMotd no
KeepAlive yes
SyslogFacility auth
LogLevel info
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
KeyRegenerationInterval 3600
StrictModes yes
LoginGraceTime 600
MaxAuthTries 6
MaxAuthTriesLog 3
PermitEmptyPasswords no
PasswordAuthentication yes
PermitRootLogin yes
Subsystem sftp internal-sftp
IgnoreRhosts yes
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
kexAlgorithms diffie-hellman-group-exchange-sha1

------- ------- ---=--- ------- -------

Now having reinstalled ssh-7.3p1-r7 with gentoo's build patches and
with the:
`kexAlgorithms diffie-hellman-group-exchange-sha1'
Line removed

It all works.

Does seem odd that several other ssh 6.6p1 on the lan had no trouble
connecting to 2x even with the kexAlgorithms line in its config.

Sorry about the line noise . . .

gv harry > ssh -vv 2x
OpenSSH_7.3p1-hpn14v11, OpenSSL 1.0.2j 26 Sep 2016
[...]
debug1: Next authentication method: publickey
debug1: Trying private key: /home/harry/.ssh/id_rsa
debug1: Trying private key: /home/harry/.ssh/id_dsa
debug1: Trying private key: /home/harry/.ssh/id_ed25519
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1

Password

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
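
Added example, not part of the thread and not OpenSSH code: a small Python check that pulls an explicit KexAlgorithms line out of an sshd_config and applies the simplified RFC 4253 section 7.1 rule (the first algorithm on the client's list that the server also lists) against a client proposal. The sample config and both client proposals are constructed for illustration and are not the defaults of any OpenSSH release; the function names are hypothetical.

```python
# Added example: which key exchange would a client and this sshd_config agree on?
# Assumes a plain comma-separated KexAlgorithms list (no list-modifier prefixes).

# Constructed sample in the shape of the config quoted in the message above.
SAMPLE_SSHD_CONFIG = """\
Protocol 2
Port 22
# comment lines and blank lines are skipped

HostKey /etc/ssh/ssh_host_rsa_key
kexAlgorithms diffie-hellman-group-exchange-sha1
"""

# Constructed client proposals (hypothetical, in client preference order).
CLIENT_WITHOUT_GEX_SHA1 = ["curve25519-sha256@libssh.org",
                           "diffie-hellman-group-exchange-sha256",
                           "diffie-hellman-group14-sha1"]
CLIENT_WITH_GEX_SHA1 = CLIENT_WITHOUT_GEX_SHA1 + ["diffie-hellman-group-exchange-sha1"]


def server_kex(config_text):
    """Return the explicit KexAlgorithms list, or None if the built-in default applies."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        # Keywords are matched case-insensitively; the first value found is used.
        if len(parts) == 2 and parts[0].lower() == "kexalgorithms":
            return [a.strip() for a in parts[1].split(",") if a.strip()]
    return None


def negotiate(client_offer, server_offer):
    """First algorithm in the client's order that the server also lists, else None."""
    for alg in client_offer:
        if alg in server_offer:
            return alg
    return None


if __name__ == "__main__":
    srv = server_kex(SAMPLE_SSHD_CONFIG)
    print("server KexAlgorithms:", srv)
    for name, offer in (("without gex-sha1", CLIENT_WITHOUT_GEX_SHA1),
                        ("with gex-sha1", CLIENT_WITH_GEX_SHA1)):
        print(name, "->", negotiate(offer, srv) or "no common kex algorithm")
```

On a live system the two lists can be read from `sshd -T` on the server and `ssh -Q kex` on the client instead of the constructed values used here.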