My godaddy host is running OpenSSH_5.1 and using aes128-ctr as their server key, it would seem. Once I updated to 7.0p1-1 I am unable to ssh into the vhost:
% ssh foo@mygodaddy.com
Unable to negotiate with xx.xx.xx.xx: no matching host key type found. Their offer: ssh-dss
Downgrading to 6.9p1-2 of course fixes this. I am at a loss as to how to switch over the host to use a compatible key since they only supply us with user/ssh access without root.
Useful advice is appreciated. Thanks!
Last edited by graysky (2015-08-17 19:31:37)
CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs
From the Arch news, pointing to the upstream announcement:
Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled by default at run-time. These may be re-enabled using the instructions at http://www.openssh.com/legacy.html
Perfect, thank you.
ssh -oHostKeyAlgorithms=+ssh-dss foo@mygodaddy.com
EDIT: updated the wiki: https://wiki.archlinux.org/index.php/Se … penSSH_7.0
Last edited by graysky (2015-08-17 19:38:20)
I added this to my /etc/ssh/ssh_config so the clients could continue to operate unmodified without sprinkling -o all over. This will be easier to take out when the servers upgrade. This can probably be added somewhere in /etc/ssh/sshd_config for the servers but this should be avoided. The clients should renegotiate.
HostKeyAlgorithms +ssh-dss
HostKeyAlgorithms=+ssh-dss also works, but I don't like that form because it doesn't resemble the documentation and config files, and it conflicts with the expected syntax for appending something: foo+=bar. += won't work with HostKeyAlgorithms.
I tried to erase the ssh-dss lines from known_hosts to get the connections to pick another but they won't. All I get is Their offer: ssh-dss. Aren't there dozens of available protocols?
Q1: Why don't the servers just renegotiate another one? Why are the servers stuck on this loser?
Q2: Why didn't OpenSSH deprecate ssh-dss from the server first and the client later to give servers a chance to upgrade?
lftp may have already overwritten other connections previously using ssh-dss. Here are the 3 that remain for me:
# telnet legacyserver 22
SSH-2.0-1.36_sshlib GlobalSCAPE
SSH-2.0-1.82_sshlib GlobalSCAPE
SSH-2.0-5.19 FlowSsh: Bitvise SSH Server (WinSSHD) 6.02
We see this on the servers that continue to work with the OpenSSH 7.0 client at defaults:
# ssh -vv pre70server
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
# ssh -vv post70server
debug2: kex_parse_kexinit: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
For the servers that won't work we see this:
# ssh -vv legacyserver
debug2: kex_parse_kexinit: ssh-dss
My freeftpd sftp server shows this:
debug2: kex_parse_kexinit: ssh-rsa
A1: ssh-dss is all the server offers.
A2: OpenSSH is minimally affected because it offers all the remaining protocols. Other ssh & sftp servers offer a limited selection. Few servers limit the selection to only ssh-dss.
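Added example, not code from this thread or from OpenSSH: a short Python script that applies the negotiation rule the debug output above illustrates (the client's first preferred host key algorithm that the server also offers) to KEXINIT lines like the ones quoted, and emits a Host-scoped stanza with HostKeyAlgorithms +ssh-dss only for servers that offer nothing else, so the legacy algorithm is not re-enabled globally in /etc/ssh/ssh_config. The client preference order in CLIENT_DEFAULT is a simplified approximation of the 7.0 defaults (assumption), and the sample debug lines in SAMPLE_DEBUG are constructed to mirror the three cases shown in the thread; the host names are the thread's own.

```python
"""Simulate SSH host key algorithm negotiation (RFC 4253 section 7.1: the first
algorithm in the client's list that the server also offers) and emit a
Host-scoped ssh_config stanza only for servers that offer nothing but ssh-dss.
Added example; not part of the forum thread or of OpenSSH."""
from typing import Dict, List, Optional

# Simplified, constructed approximation of an OpenSSH 7.0 client's default
# HostKeyAlgorithms preference order (assumption; the real list also carries
# the *-cert-* variants). ssh-dss is absent, which is the whole problem.
CLIENT_DEFAULT: List[str] = [
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "ssh-ed25519", "ssh-rsa",
]

# Constructed `ssh -vv` lines, one host key KEXINIT line per server, modelled
# on the three cases quoted in the thread (not a real capture).
SAMPLE_DEBUG: Dict[str, str] = {
    "pre70server": "debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519",
    "post70server": "debug2: kex_parse_kexinit: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519",
    "legacyserver": "debug2: kex_parse_kexinit: ssh-dss",
}


def parse_offer(line: str) -> List[str]:
    """Extract the comma-separated algorithm list after the last ': ' of a debug line."""
    _, _, tail = line.rpartition(": ")
    return [alg.strip() for alg in tail.split(",") if alg.strip()]


def apply_option(client: List[str], option: str) -> List[str]:
    """Apply a HostKeyAlgorithms value the way ssh_config does: a leading '+'
    appends to the default list, any other value replaces it outright."""
    algs = [alg for alg in option.lstrip("+").split(",") if alg]
    if option.startswith("+"):
        return client + [alg for alg in algs if alg not in client]
    return algs


def negotiate(client: List[str], server: List[str]) -> Optional[str]:
    """Return the first client-preferred algorithm the server offers, or None."""
    return next((alg for alg in client if alg in server), None)


def config_stanza(host: str, server: List[str]) -> Optional[str]:
    """Return a Host-scoped stanza only if the server is unreachable at defaults
    and re-enabling ssh-dss for that one host would actually fix it."""
    if negotiate(CLIENT_DEFAULT, server) is not None:
        return None  # works at defaults; do not weaken anything
    if negotiate(apply_option(CLIENT_DEFAULT, "+ssh-dss"), server) is None:
        return None  # ssh-dss is not the missing piece; nothing to enable here
    return f"Host {host}\n    HostKeyAlgorithms +ssh-dss\n"


def plan(debug_lines: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map each host to the stanza it needs (None when it works at defaults)."""
    return {host: config_stanza(host, parse_offer(line))
            for host, line in debug_lines.items()}


if __name__ == "__main__":
    for host, stanza in plan(SAMPLE_DEBUG).items():
        print(f"# {host}: {'needs legacy stanza' if stanza else 'works at defaults'}")
        if stanza:
            print(stanza)
```

Scoping the option to a Host block keeps ssh-dss disabled for every other server and makes the override trivial to delete once the legacy server upgrades; it also makes the A1 point above concrete, since a server whose list is only ssh-dss leaves the client nothing else to pick no matter what is removed from known_hosts.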