Web lists-archives.com

Re: Install openssh-server jessie version deb package on stretch




On Thu, Nov 22, 2018 at 07:32:07PM +0100, owl700@xxxxxxxxx wrote:
>    Hi, I have compatibility issues with the latest version of openssh-server
>    and an old dropbear client, the dopbear client stops at preauth
>    ov 22 14:34:03  myhostname sshd[3905]: debug1: Client protocol version
>    2.0; client software version dropbear_0.46
>    Nov 22 14:34:03 myhostname sshd[3905]: debug1: no match: dropbear_0.46
>    Nov 22 14:34:03 myhostname sshd[3905]: debug1: Local version string
>    SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u4
>    Nov 22 14:34:03 myhostname sshd[3905]: debug1: Enabling compatibility mode
>    for protocol 2.0
>    Nov 22 14:34:03 myhostname sshd[3905]: debug2: fd 3 setting O_NONBLOCK
>    Nov 22 14:34:03 myhostname sshd[3905]: debug2: Network child is on pid
>    3906
>    Nov 22 14:34:03 myhostname sshd[3905]: debug3: preauth child monitor
>    started
>    Nov 22 14:34:03 myhostname sshd[3905]: debug3: privsep user:group
>    106:65534 [preauth]
>    Nov 22 14:34:03 myhostname sshd[3905]: debug1: permanently_set_uid:
>    106/65534 [preauth]
>    Nov 22 14:34:03 myhostname sshd[3905]: debug1: list_hostkey_types:
>    ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256 [preauth]
>    Nov 22 14:34:03 myhostname sshd[3905]: debug3: send packet: type 20
>    [preauth]
>    Nov 22 14:34:03 myhostname sshd[3905]: debug1: SSH2_MSG_KEXINIT sent
>    [preauth]
>    I'm thinking about installing the previous version of the package (Jessie)
>    [1]http://ftp.it.debian.org/debian/pool/main/o/openssh/openssh-server_7.9p1-4_amd64.deb
>    Do you say that it is possible?
>    Thanks
> 

That is actually a terrible idea.

You are better off editing /etc/sshd_config and enabling appropriate key
exchange and cipher algorithms that are compatible with the old dropbear
client.

Given the potential security issues there, a beter approach is to
instead create a copy of the current configuration, make the necessary
changes to be compatible with dropbear, then run two sshd instances.
Make the one with the weak algorithms only accessible to the IP from
which the dropbear connection will initiate (you can do this in your
system firewall) and then make it only accessible to the specific user
(you can do this with an AllowUsers directive in that instances
sshd_config).  The other instance can remain accessible as you currently
have it with no degradation of security.

You will also need to decide which instance will run on which ports,
since both cannot occupy the same port.  Alternately, if the machine has
multiple IP addresses, the two instances can be on the same port bound
to different addresses.

Regards,

-Roberto

-- 
Roberto C. Sánchez