| 1 |
Hi Philip, |
| 2 |
|
| 3 |
On Tuesday, 12 March 2019 10:02:07 GMT Philip Webb wrote: |
| 4 |
> 190311 Neil Bothwick wrote: |
| 5 |
> > Do you have any other Host stanzas in the config? |
| 6 |
> |
| 7 |
> No : /etc/ssh/ssh_config has the following uncommented lines : |
| 8 |
> |
| 9 |
> # Send locale environment variables. #367017 |
| 10 |
> SendEnv LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC |
| 11 |
> LC_TIME LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME |
| 12 |
> LC_PAPER LC_TELEPHONE # Send COLORTERM to match TERM. #658540 |
| 13 |
> SendEnv COLORTERM |
| 14 |
> # PP 190312 |
| 15 |
> Host 128.100.160.1 |
| 16 |
> KexAlgorithms +diffie-hellman-group1-sha1 |
| 17 |
> # Ciphers 3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr |
| 18 |
> |
| 19 |
> I tried adding the 'Ciphers' line, which is mentioned in the I/net page, |
| 20 |
> but Ssh chokes, so I commented it again : |
| 21 |
|
| 22 |
The ciphers do not come into play until the key exchange algos have been |
| 23 |
agreed upon. In your case the handshake does not reach this far and therefore |
| 24 |
you do not need (yet) to specify any additional ciphers. The server problem |
| 25 |
is still with the KexAlgorithms. |
| 26 |
|
| 27 |
> ~/.ssh/config has : |
| 28 |
> |
| 29 |
> Host 128.100.160.1 |
| 30 |
> KexAlgorithms +diffie-hellman-group1-sha1 |
| 31 |
> |
| 32 |
> The latest output ('538' above) shows that it reads ~/.ssh/config , |
| 33 |
> but apparently doesn't find what it wants there |
| 34 |
> & therefore goes on to /etc/ssh/ssh_config , on which it chokes. |
| 35 |
> Without the 'Cipher' line in the latter, it carries on with the handshake, |
| 36 |
> but eventually can't do the key exchange. |
| 37 |
> |
| 38 |
> I've just looked at the USE flags : |
| 39 |
> |
| 40 |
> root:528 ssh> eix net-misc/openssh |
| 41 |
> Available versions: 7.5_p1-r4 7.7_p1-r9^t 7.9_p1-r4^t {X X509 audit |
| 42 |
> bindist debug (+)hpn kerberos ldap ldns libedit libressl livecd pam +pie |
| 43 |
> sctp selinux skey ssh1 +ssl static test ABI_MIPS="n32" KERNEL="linux"} |
| 44 |
> Installed versions: 7.9_p1-r4^t([2019-03-09 22:25:11])(X ssl -X509 -audit |
| 45 |
> -bindist -debug -hpn -kerberos -ldns -libedit -libressl -livecd -pam -pie |
| 46 |
> -sctp -selinux -static -test ABI_MIPS="-n32" KERNEL="linux") |
| 47 |
> |
| 48 |
> NB Eix shows a Use flag 'ssh1', which Euses describes as : |
| 49 |
> |
| 50 |
> net-misc/openssh:ssh1 - Support the legacy/weak SSH1 protocol |
| 51 |
|
| 52 |
If you watch The Matrix, a 20 year old film, you will see why ssh version 1 |
| 53 |
should be disabled by default, or the machine on which it is enabled isolated |
| 54 |
from the Internet. |
| 55 |
|
| 56 |
|
| 57 |
> Can anyone offer further advice ? -- Thanks so far. |
| 58 |
|
| 59 |
I suggest you remove all settings for Host 128.100.160.1 from the /etc/ssh/ |
| 60 |
ssh_config file and place them in your ~/.ssh/config file only. Then run ssh: |
| 61 |
|
| 62 |
ssh -v 128.100.160.1 |
| 63 |
|
| 64 |
and check for a line like this: |
| 65 |
|
| 66 |
debug1: Reading configuration data /home/purslow/.ssh/config |
| 67 |
debug1: /home/purslow/.ssh/config line xx: Applying options for 128.100.160.1 |
| 68 |
debug1: Reading configuration data /etc/ssh/ssh_config |
| 69 |
debug1: Connecting to 128.100.160.1 ... blah-blah |
| 70 |
|
| 71 |
This will show you if ~/.ssh/config is being sourced, if the lines you have |
| 72 |
specified for Host 128.100.160.1 therein are being parsed by ssh and if the |
| 73 |
connection is attempted. |
| 74 |
|
| 75 |
The line which should come next is: |
| 76 |
|
| 77 |
debug1: Connection established. |
| 78 |
|
| 79 |
which will be followed with algos and ciphers exchange. |
| 80 |
|
| 81 |
HTH. |
| 82 |
-- |
| 83 |
Regards, |
| 84 |
Mick |
Archives