
Re: Install openssh-server jessie version deb package on stretch




Thanks Roberto,

I have also tried the latest dropbear server, but it is incompatible too.

Do you have an idea how I can find appropriate key exchange and cipher algorithms?

On Thu, 22 Nov 2018 at 19:42, Roberto C. Sánchez
<roberto@xxxxxxxxxx> wrote:
>
> On Thu, Nov 22, 2018 at 07:32:07PM +0100, owl700@xxxxxxxxx wrote:
> >    Hi, I have compatibility issues with the latest version of openssh-server
> >    and an old dropbear client, the dropbear client stops at preauth
> >    ov 22 14:34:03  myhostname sshd[3905]: debug1: Client protocol version
> >    2.0; client software version dropbear_0.46
> >    Nov 22 14:34:03 myhostname sshd[3905]: debug1: no match: dropbear_0.46
> >    Nov 22 14:34:03 myhostname sshd[3905]: debug1: Local version string
> >    SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u4
> >    Nov 22 14:34:03 myhostname sshd[3905]: debug1: Enabling compatibility mode
> >    for protocol 2.0
> >    Nov 22 14:34:03 myhostname sshd[3905]: debug2: fd 3 setting O_NONBLOCK
> >    Nov 22 14:34:03 myhostname sshd[3905]: debug2: Network child is on pid
> >    3906
> >    Nov 22 14:34:03 myhostname sshd[3905]: debug3: preauth child monitor
> >    started
> >    Nov 22 14:34:03 myhostname sshd[3905]: debug3: privsep user:group
> >    106:65534 [preauth]
> >    Nov 22 14:34:03 myhostname sshd[3905]: debug1: permanently_set_uid:
> >    106/65534 [preauth]
> >    Nov 22 14:34:03 myhostname sshd[3905]: debug1: list_hostkey_types:
> >    ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256 [preauth]
> >    Nov 22 14:34:03 myhostname sshd[3905]: debug3: send packet: type 20
> >    [preauth]
> >    Nov 22 14:34:03 myhostname sshd[3905]: debug1: SSH2_MSG_KEXINIT sent
> >    [preauth]
> >    I'm thinking about installing the previous version of the package (Jessie)
> >    [1]http://ftp.it.debian.org/debian/pool/main/o/openssh/openssh-server_7.9p1-4_amd64.deb
> >    Do you say that it is possible?
> >    Thanks
> >
>
> That is actually a terrible idea.
>
> You are better off editing /etc/sshd_config and enabling appropriate key
> exchange and cipher algorithms that are compatible with the old dropbear
> client.
>
> Given the potential security issues there, a better approach is to
> instead create a copy of the current configuration, make the necessary
> changes to be compatible with dropbear, then run two sshd instances.
> Make the one with the weak algorithms only accessible to the IP from
> which the dropbear connection will initiate (you can do this in your
> system firewall) and then make it only accessible to the specific user
> (you can do this with an AllowUsers directive in that instance's
> sshd_config).  The other instance can remain accessible as you currently
> have it with no degradation of security.
>
> You will also need to decide which instance will run on which ports,
> since both cannot occupy the same port.  Alternately, if the machine has
> multiple IP addresses, the two instances can be on the same port bound
> to different addresses.
>
> Regards,
>
> -Roberto
>
> --
> Roberto C. Sánchez
>
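One way to carry out the two-instance setup Roberto describes above, as an added example that is not part of this thread: the script copies the existing sshd_config into a second, restricted one (own port, own PidFile, AllowUsers, legacy Kex/Ciphers/MACs) and prints the firewall rules that limit that port to one source address. The source IP 192.0.2.10, the user "legacy", port 2222 and the dropbear 0.46 algorithm set are assumptions; the legacy client's real proposal can be read from `sshd -ddd` output, which prints the peer's KEXINIT proposal.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the restricted second sshd
# instance described above. Assumed values: client IP 192.0.2.10, user
# "legacy", port 2222, and the algorithms dropbear 0.46 is believed to need.
set -eu

# Legacy algorithm set (assumption). Confirm against the peer KEXINIT
# proposal that "sshd -ddd" logs before relying on it.
COMPAT_KEX="diffie-hellman-group1-sha1,diffie-hellman-group14-sha1"
COMPAT_CIPHERS="aes128-cbc,3des-cbc"
COMPAT_MACS="hmac-sha1"

# make_compat_config SRC DST PORT USER
# Copies SRC, strips directives the compat instance must override, then
# appends its own port, a distinct PidFile (two sshd processes must not
# share one), the single allowed user and the weak algorithm lists.
make_compat_config() {
    src=$1; dst=$2; port=$3; user=$4
    { grep -Ev '^[[:space:]]*(Port|ListenAddress|AllowUsers|KexAlgorithms|Ciphers|MACs|PidFile)[[:space:]]' "$src" || :; } > "$dst"
    cat >> "$dst" <<EOF

# --- legacy dropbear compatibility instance (generated) ---
Port $port
PidFile /run/sshd-compat.pid
AllowUsers $user
KexAlgorithms $COMPAT_KEX
Ciphers $COMPAT_CIPHERS
MACs $COMPAT_MACS
EOF
}

# firewall_rules SRC_IP PORT
# Prints iptables commands: accept the compat port only from SRC_IP,
# drop it for every other source.
firewall_rules() {
    printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$2" "$1"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$2"
}

# check_config FILE: let sshd itself syntax-check the generated file.
check_config() {
    command -v sshd >/dev/null 2>&1 || { echo "sshd not found; skipping check" >&2; return 0; }
    sshd -t -f "$1"
}

# Usage (as root):
#   make_compat_config /etc/ssh/sshd_config /etc/ssh/sshd_config.compat 2222 legacy
#   check_config /etc/ssh/sshd_config.compat && firewall_rules 192.0.2.10 2222 | sh
#   /usr/sbin/sshd -f /etc/ssh/sshd_config.compat
```

The unrestricted instance keeps running from the original /etc/ssh/sshd_config on port 22, untouched.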