OpenSSH 7.x and old SSH Secure Shell client
Posted: Wed Jan 18, 2017 6:15 pm
After upgrading the VMware vSphere ESXi host from 5.5 update 4 to 6.0 update 2, the OpenSSH version went from 5.6p1 to 7.1p1.
The old SSH Secure Shell client (3.2.9) could not log in after the upgrade.
vSphere ESXi 6.0's log (/scratch/log/auth.log) shows the following error:

```
2017-01-17T22:21:33Z sshd[42475]: Connection from 10.125.81.24 port 55801
2017-01-17T22:21:33Z sshd[42475]: fatal: Unable to negotiate with 10.125.81.24: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
```

After searching online for a little while, it turned out that the default configuration of OpenSSH 7.x disables diffie-hellman-group1-sha1 as a key exchange method, even though it still supports it:

```
[root@laxv1bvse50c:~] ssh -Q kex
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256@libssh.org
```

FYI, "ssh -Q xxxxx" is a new command in OpenSSH 7.x.

```
[root@laxv1bvse50c:~] ssh -Q key
ssh-ed25519
ssh-ed25519-cert-v01@openssh.com
ssh-rsa
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
ssh-rsa-cert-v01@openssh.com
ssh-dss-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com
[root@laxv1bvse50c:~] ssh -Q mac
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
hmac-ripemd160
hmac-ripemd160@openssh.com
umac-64@openssh.com
umac-128@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
hmac-ripemd160-etm@openssh.com
umac-64-etm@openssh.com
umac-128-etm@openssh.com
[root@laxv1bvse50c:~] ssh -Q cipher
3des-cbc
blowfish-cbc
cast128-cbc
arcfour
arcfour128
arcfour256
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
```

The solution is to add the following line to sshd_config (/etc/ssh/sshd_config) on the vSphere ESXi host:

```
# KexAlgorithms
KexAlgorithms diffie-hellman-group1-sha1
```

NOTICE: put exactly "diffie-hellman-group1-sha1" on that line and nothing after it, or sshd won't start. It will complain that there is garbage after "diffie-hellman-group1-sha1".
After adding the above line, there's no need to restart sshd. It seems to pick up the change automatically.
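As an added example (not from the original post), the script below parses "Unable to negotiate" lines in the auth.log format quoted above, applies the RFC 4253 rule that sshd picks the first method in the client's offer that the server has enabled, and shows what a given KexAlgorithms line would do for each logged client. The default 7.x server list and the modern client's offer are assumptions I constructed for the demonstration; the log lines are constructed in the post's format.

```python
import re

# Constructed sample lines in the ESXi /scratch/log/auth.log format quoted in the post.
AUTH_LOG = """\
2017-01-17T22:21:33Z sshd[42475]: Connection from 10.125.81.24 port 55801
2017-01-17T22:21:33Z sshd[42475]: fatal: Unable to negotiate with 10.125.81.24: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
2017-01-17T22:40:02Z sshd[42610]: fatal: Unable to negotiate with 10.125.81.30: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
"""
OFFER_RE = re.compile(r"Unable to negotiate with (\S+): no matching key exchange method found\. Their offer: (\S+)")

# Assumed default server KexAlgorithms of OpenSSH 7.0-7.2 (group1 and group-exchange-sha1 are absent).
DEFAULT_KEX_7X = ["curve25519-sha256@libssh.org", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384",
                  "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha1"]
# Constructed offer of a modern OpenSSH 7.x client, which also dropped group1 from its defaults.
MODERN_CLIENT_OFFER = ["curve25519-sha256@libssh.org", "ecdh-sha2-nistp256", "diffie-hellman-group14-sha1"]


def parse_offers(log_text):
    """Map each client IP to the kex methods it offered, taken from 'Unable to negotiate' lines."""
    offers = {}
    for line in log_text.splitlines():
        m = OFFER_RE.search(line)
        if m:
            offers[m.group(1)] = m.group(2).split(",")
    return offers


def parse_kex_directive(line):
    """Turn a 'KexAlgorithms a,b' sshd_config line into the enabled list.

    The list REPLACES sshd's default set. Like sshd, anything after the value
    (for example a trailing '# comment') is rejected as garbage at end of line.
    """
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "KexAlgorithms":
        raise ValueError("not a KexAlgorithms line")
    if len(tokens) > 2:
        raise ValueError("garbage at end of line: %r" % " ".join(tokens[2:]))
    return tokens[1].split(",")


def negotiate_kex(client_offer, server_enabled):
    """RFC 4253 section 7.1: the first method in the client's list that the server enables wins."""
    return next((m for m in client_offer if m in server_enabled), None)


def audit(log_text, sshd_kex_line):
    """For each logged client, report which kex method it would get under the given directive."""
    enabled = parse_kex_directive(sshd_kex_line)
    return {ip: negotiate_kex(offer, enabled) for ip, offer in parse_offers(log_text).items()}
```

Running audit() with the post's directive shows the legacy client now connects, but negotiate_kex(MODERN_CLIENT_OFFER, ...) against that same directive returns None, because a bare KexAlgorithms list replaces the default set rather than extending it. diffie-hellman-group1-sha1 is a 1024-bit group paired with SHA-1, which is why OpenSSH 7.0 removed it from the defaults, so this setting is best treated as a scoped workaround for the clients the log identifies.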