How to enable diffie-hellman-group1-sha1 key exchange on Debian 8.0?

I am unable to ssh to a server that asks for the diffie-hellman-group1-sha1 key exchange method:

ssh 123.123.123.123
Unable to negotiate with 123.123.123.123 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

How do I enable the diffie-hellman-group1-sha1 key exchange method on Debian 8.0?

I have tried (as proposed here) to

  1. add the following lines to my /etc/ssh/ssh_config

    KexAlgorithms diffie-hellman-group1-sha1,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
    Ciphers 3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr
    
  2. regenerate the keys

    ssh-keygen -A
    
  3. restart ssh

    service ssh restart
    

but I still get the error.

Answer 1

The OpenSSH website has a page dedicated to legacy issues such as this one. It suggests the following approach, on the client:

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 123.123.123.123

or, more permanently, adding

Host 123.123.123.123
    KexAlgorithms +diffie-hellman-group1-sha1

to ~/.ssh/config.

This will enable the old algorithms on the client, allowing it to connect to the server.

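Answer 2

I tried this solution, but my problem was that I had many (old) clients connecting to my recently upgraded server (ubuntu 14 -> ubuntu 16).

The change from openssh6 -> openssh7 disabled the diffie-hellman-group1-sha1 key exchange method by default.

After reading up on it, I came up with the changes I needed to make to the /etc/ssh/sshd_config file: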

#Legacy changes
KexAlgorithms +diffie-hellman-group1-sha1
Ciphers +aes128-cbc

But a broader set of legacy changes is (taken from here):

#Legacy changes
KexAlgorithms diffie-hellman-group1-sha1,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
Ciphers 3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr

Answer 3

I faced the same problem too, but resolved it by running the command below. You can do this without restarting the SSH server -

Problem:

ssh [email protected]
protocol identification string lack carriage return
Unable to negotiate with 123.123.123.123 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
root@shoesdekho#

Solution:

ssh -o KexAlgorithms=diffie-hellman-group1-sha1 [email protected]

On other systems, I observed that the above command did not work either. Try adding a cipher to the command. See the full command below -

root@shoesdekho#ssh -o KexAlgorithms=diffie-hellman-group1-sha1 -o Ciphers=aes256-cbc [email protected]                    
protocol identification string lack carriage return
Warning: Permanently added '123.123.123.123' (RSA) to the list of known hosts.
Password:


This computer system is restricted to authorized users.
 Unauthorized access attempts will be prosecuted.
 If unauthorized, disconnect now.

bookmiday#

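Answer 4

If you want to be rid of these headaches forever and never have to worry about or fight with this again, append this to the end of your /etc/ssh/ssh_config file: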

Ciphers 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],[email protected]
MACs hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-512,hmac-md5,hmac-md5-96,[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected]
HostKeyAlgorithms ssh-ed25519,[email protected],[email protected],[email protected],ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected]
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,curve25519-sha256,[email protected],[email protected]

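This comes with the usual warnings from others here... oh my god, the sky is falling, you are so insecure. Wow... To such people, I suggest you keep your negative and unhelpful comments to yourself. We are all professionals here. We know what the risks of using deprecated ciphers and key exchanges are. Sometimes there are use cases, such as accessing end-of-life or old systems.

By the way, the above can be restricted to specific hosts only, if needed. That is not a bad idea, but it is up to you. It is now your responsibility to use the power and ability gained from the above wisely.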
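
Answer 1's Host block and Answer 4's remark that the lists can be limited to specific hosts both come down to scope. The following is an added example, not part of any answer in the thread: a POSIX shell/awk check that lists the legacy algorithms an ssh_config-style file enables and whether each one applies globally or only inside a Host/Match block. The function names, the LEGACY list and both sample configs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: list legacy algorithms an ssh_config
# enables and the scope each applies to (global vs. a Host/Match block).

# Assumption: the names this example treats as legacy, taken from the thread.
LEGACY="diffie-hellman-group1-sha1 3des-cbc blowfish-cbc aes128-cbc aes192-cbc aes256-cbc hmac-md5 hmac-md5-96 ssh-dss"

audit_ssh_config() {    # $1 = path to an ssh_config-style file
    awk -v legacy="$LEGACY" '
    BEGIN { scope = "GLOBAL"; n = split(legacy, w, " ")
            for (i = 1; i <= n; i++) weak[w[i]] = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }             # comments and blank lines
    { sub(/=/, " "); $1 = $1; key = tolower($1) } # accept "Key=value" too
    key == "host" || key == "match" {
        wide = (NF == 2 && ($2 == "*" || tolower($2) == "all"))
        scope = wide ? "GLOBAL" : $0
        next
    }
    key ~ /^(kexalgorithms|ciphers|macs|hostkeyalgorithms)$/ {
        if ($2 ~ /^-/) next                       # "-list" removes algorithms
        list = $2; sub(/^[+^]/, "", list)         # "+"/"^" add to the defaults
        m = split(list, alg, ",")
        for (i = 1; i <= m; i++)
            if (alg[i] in weak) print "[" scope "] " $1 " " alg[i]
    }' "$1"
}

global_legacy_count() { # number of legacy algorithms enabled for every host
    audit_ssh_config "$1" | grep -c '^\[GLOBAL\]' || true
}

# Constructed sample configs: a global list versus a per-host block.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
GLOBAL_CFG="$tmp/global" SCOPED_CFG="$tmp/scoped"
cat > "$GLOBAL_CFG" <<'EOF'
Ciphers 3des-cbc,aes128-cbc,aes128-ctr
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha256
EOF
cat > "$SCOPED_CFG" <<'EOF'
Host 123.123.123.123
    KexAlgorithms +diffie-hellman-group1-sha1
    Ciphers=+aes256-cbc
EOF

for f in "$GLOBAL_CFG" "$SCOPED_CFG"; do
    echo "== $f: $(global_legacy_count "$f") global legacy algorithm(s)"
    audit_ssh_config "$f"
done
```

Running `audit_ssh_config` against /etc/ssh/ssh_config and ~/.ssh/config shows which legacy entries would be offered to every server rather than only to the one old host that needs them.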
