我无法 ssh 到要求diffie-hellman-group1-sha1密钥交换方法的服务器:
ssh 123.123.123.123
Unable to negotiate with 123.123.123.123 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
如何diffie-hellman-group1-sha1在 Debian 8.0 上启用密钥交换方法?
我已经尝试过(按照建议这里) 到
将以下行添加到我的
/etc/ssh/ssh_configKexAlgorithms diffie-hellman-group1-sha1,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 Ciphers 3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr重新生成密钥
ssh-keygen -A重新启动 ssh
service ssh restart但仍然收到错误。
答案1
OpenSSH 网站有一个页面专门用于遗留问题比如这个。它建议采用以下方法,在客户端上:
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 123.123.123.123
或者更永久地添加
Host 123.123.123.123
KexAlgorithms +diffie-hellman-group1-sha1
到~/.ssh/config。
这将启用旧算法在客户端上,允许它连接到服务器。
答案2
我尝试了这个解决方案,但我的问题是我有许多(旧)客户端连接到我最近升级的服务器(ubuntu 14 -> ubuntu 16)。
openssh6 -> openssh7 的更改默认禁用diffie-hellman-group1-sha1密钥交换方法。
看完之后这和这我想出了需要对文件进行的更改/etc/ssh/sshd_config:
#Legacy changes
KexAlgorithms +diffie-hellman-group1-sha1
Ciphers +aes128-cbc
但更广泛的遗留变化是(取自这里)
#Legacy changes
KexAlgorithms diffie-hellman-group1-sha1,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
Ciphers 3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr
答案3
我也面临同样的问题,但通过执行以下命令解决了它。您无需重新启动 SSH 服务器即可完成此操作 -
问题:
ssh [email protected]
protocol identification string lack carriage return
Unable to negotiate with 123.123.123.123 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
root@shoesdekho#
解决方案:
ssh -o KexAlgorithms=diffie-hellman-group1-sha1 [email protected]
在其他系统上,我观察到使用上述命令也不起作用。尝试添加密码用命令。查看完整命令如下 -
root@shoesdekho#ssh -o KexAlgorithms=diffie-hellman-group1-sha1 -o Ciphers=aes256-cbc [email protected]
protocol identification string lack carriage return
Warning: Permanently added '123.123.123.123' (RSA) to the list of known hosts.
Password:
This computer system is restricted to authorized users.
Unauthorized access attempts will be prosecuted.
If unauthorized, disconnect now.
bookmiday#
答案4
如果您想永远摆脱这些头痛,永远不必再担心或与之抗衡,请将其附加到 /etc/ssh/ssh_config 文件的末尾:
Ciphers 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],[email protected]
MACs hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-512,hmac-md5,hmac-md5-96,[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected]
HostKeyAlgorithms ssh-ed25519,[email protected],[email protected],[email protected],ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected]
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,curve25519-sha256,[email protected],[email protected]
这伴随着这里其他人的常见警告……天啊,天塌下来了,你如此不安全。哇......对于这样的人,我建议不要把你的消极和无益的评论留给自己。我们这里都是专业人士。我们知道使用已弃用的密码和密钥交换的风险是什么。有时会有一些用例,例如访问报废或旧系统。
顺便说一句,如果需要的话,上述内容可以仅限于特定主机。这不是一个坏主意,但这取决于你。现在,你有责任明智地运用从上述获得的力量和能力来做什么。