libcrypto error when connecting a RHEL 9 server to CentOS 6 over SFTP/SSH

I'm trying to connect from a new RHEL 9 server to an old CentOS 6 server so I can SFTP files from the old server to the new one for an upgrade, but when connecting from 9 to 6 I get the following error:

[ewessel@ftp ~]$ ssh -v [email protected]
OpenSSH_8.7p1, OpenSSL 3.0.1 14 Dec 2021
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: Connecting to 10.30.1.250 [10.30.1.250] port 22.
debug1: Connection established.
debug1: identity file /home/ewessel/.ssh/id_rsa type -1
debug1: identity file /home/ewessel/.ssh/id_rsa-cert type -1
debug1: identity file /home/ewessel/.ssh/id_dsa type -1
debug1: identity file /home/ewessel/.ssh/id_dsa-cert type -1
debug1: identity file /home/ewessel/.ssh/id_ecdsa type -1
debug1: identity file /home/ewessel/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/ewessel/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/ewessel/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/ewessel/.ssh/id_ed25519 type -1
debug1: identity file /home/ewessel/.ssh/id_ed25519-cert type -1
debug1: identity file /home/ewessel/.ssh/id_ed25519_sk type -1
debug1: identity file /home/ewessel/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/ewessel/.ssh/id_xmss type -1
debug1: identity file /home/ewessel/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: compat_banner: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000002
debug1: Authenticating to 10.30.1.250:22 as 'ewessel'
debug1: load_hostkeys: fopen /home/ewessel/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: diffie-hellman-group-exchange-sha256 need=32 dh_need=32
debug1: kex: diffie-hellman-group-exchange-sha256 need=32 dh_need=32
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<8192<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_GROUP received
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: SSH2_MSG_KEX_DH_GEX_REPLY received
debug1: Server host key: ssh-rsa SHA256:nMDl3BNpsOOJ6gyMudi6szQS3Pchxe2Ttmj1dH9fLB8
debug1: load_hostkeys: fopen /home/ewessel/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '10.30.1.250' is known and matches the RSA host key.
debug1: Found key in /home/ewessel/.ssh/known_hosts:1
ssh_dispatch_run_fatal: Connection to 10.30.1.250 port 22: error in libcrypto

If I try connecting the other way around, I get this error instead:

[ewessel@ftp ~]$ ssh -v [email protected]
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 10.30.1.225 [10.30.1.225] port 22.
debug1: Connection established.
debug1: identity file /home/ewessel/.ssh/identity type -1
debug1: identity file /home/ewessel/.ssh/identity-cert type -1
debug1: identity file /home/ewessel/.ssh/id_rsa type -1
debug1: identity file /home/ewessel/.ssh/id_rsa-cert type -1
debug1: identity file /home/ewessel/.ssh/id_dsa type -1
debug1: identity file /home/ewessel/.ssh/id_dsa-cert type -1
debug1: identity file /home/ewessel/.ssh/id_ecdsa type -1
debug1: identity file /home/ewessel/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.7
debug1: match: OpenSSH_8.7 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none
no hostkey alg

Any idea how to get these two machines talking to each other? I want to copy the user files from the old machine to the new one so I can decommission the old CentOS 6 box.

Answer 1

RHEL 9 defaults to stronger cryptographic ciphers and algorithms, which breaks compatibility with older systems.

The options for the SSH daemon on the RHEL 9 system are:

  • Switch the system-wide crypto policy to the mode that is compatible with earlier releases, as described in the RHEL 9 hardening guide. Run as root (or with sudo):

    # update-crypto-policies --set LEGACY
    Setting system policy to LEGACY
    

    Then reboot.

    Note: this changes ALL daemons and system settings, so it is overkill if only the ssh and sshd settings need adjusting.

  • Exclude (only) sshd from the system-wide crypto policy. You can opt out by editing /etc/sysconfig/sshd and uncommenting the line # CRYPTO_POLICY= (if necessary, you can then adjust /etc/ssh/sshd_config and add the legacy crypto settings), and restarting the ssh daemon.

For the ssh command-line client on the RHEL 9 system: the recommendation is to edit ~/.ssh/config and override the modern/secure system-wide ssh client defaults by adding a Host entry that enables suitable legacy crypto options for that specific host only:

#    ~/.ssh/config

Host rhel6.example.com
  KexAlgorithms +diffie-hellman-group14-sha1
  MACs +hmac-sha1
  HostKeyAlgorithms +ssh-rsa
  PubkeyAcceptedKeyTypes +ssh-rsa
  PubkeyAcceptedAlgorithms +ssh-rsa

Answer 2

If you don't want to modify the system-wide crypto policy, which can lower the security of the whole system, here is my take.

You need to create a file /var/tmp/openssl.cnf:

.include /etc/ssl/openssl.cnf
[openssl_init]
alg_section = evp_properties
[evp_properties]
rh-allow-sha1-signatures = yes

Now you can SSH to a RHEL 5 or RHEL 6 host like this:

OPENSSL_CONF=/var/tmp/openssl.cnf ssh rhel5or6-host

This is necessary because RHEL 9 also restricts the openssl library by disabling SHA1 support. That is why editing /etc/ssh/ssh_config.d/01-crypto-policy-override.conf or ~/.ssh/config alone is not enough.

By the way, this is not mine. Here is the original post, SSH from RHEL 9 to RHEL 5 or RHEL 6. There is also a request to make this more modular so that you can control the crypto policy per application rather than system-wide; here is the Bugzilla.

Answer 3

I just ran into the same problem, and the answers above did solve it for me. With those ssh settings the initial handshake is established, but ssh kept failing with

ssh_dispatch_run_fatal: Connection to 192.168.121.188 port 22: error in libcrypto

In the end, what fixed it was changing the EL9 global "crypto policy" with

update-crypto-policies --set LEGACY

Note that the command above changes many other things besides the ssh client, so you may want to check the update-crypto-policies manual and choose a more selective option.

Answer 4

To resolve the error you get when connecting from a new RHEL 9 server to an older CentOS 6 server for SFTP file transfer, follow these steps: Create a configuration file named "config" in the ~/.ssh directory. The file should have no extension. You can create it with the command touch config. Open the "config" file with a text editor of your choice (e.g. Vim, Vi or Nano). Paste the following code into the "config" file:

KexAlgorithms diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
HostkeyAlgorithms ssh-dss,ssh-rsa
Host rhel9.example.com
  KexAlgorithms +diffie-hellman-group14-sha1
  MACs +hmac-sha1
  HostKeyAlgorithms +ssh-rsa
  PubkeyAcceptedKeyTypes +ssh-rsa
  PubkeyAcceptedAlgorithms +ssh-rsa

Save the file after pasting the code. Restart the SSH server, either by restarting the sshd service or by rebooting the server. The exact method may vary depending on the distribution you use. By following these steps you should be able to eliminate the error when connecting to the CentOS 6 server. This configuration is also useful when connecting over SSH to Cisco routers.
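Answers 1, 2 and 4 each give one piece of the per-host approach. The script below is an added example and is not code from any of the answers: it combines the ssh client Host block (Answers 1 and 4) with the OPENSSL_CONF override (Answer 2) and scopes both to a single host and a single process, so neither `update-crypto-policies --set LEGACY` nor a top-level algorithm line in ~/.ssh/config is needed. The ssh config goes into a separate file passed with `-F`, the OpenSSL override into a file passed through the OPENSSL_CONF environment variable, and a small check confirms that the weakened algorithm directives sit inside a Host block rather than at global scope (where, as in the first two lines of Answer 4's config, they would apply to every connection). Assumptions: the alias `legacy-el6`, the address 10.30.1.250 taken from the question's debug output, the file names, and the `rh-allow-sha1-signatures` property, which exists only in Red Hat's patched OpenSSL 3; other OpenSSL builds reject unknown keys in the alg_section, so the OPENSSL_CONF override is for RHEL 9 and its derivatives only.

```shell
#!/bin/sh
# Added example (not from the original answers): scope the legacy-crypto
# overrides to one host and one process instead of switching the whole
# system to the LEGACY crypto policy.
# Assumptions: "legacy-el6" / 10.30.1.250 are placeholders for the CentOS 6
# (OpenSSH 5.3) box; rh-allow-sha1-signatures is a Red Hat-only OpenSSL 3
# property, so use the OPENSSL_CONF override on RHEL 9 derivatives only.
set -eu

# Write an ssh client config whose SHA-1 based algorithms live in one Host
# block; every other connection keeps the system-wide crypto policy.
# ssh-rsa here means "RSA key with a SHA-1 signature", the only RSA host key
# signature OpenSSH 5.3 can produce (rsa-sha2-* did not exist yet).
write_legacy_ssh_config() {
    out="$1"
    host="$2"
    cat > "$out" <<EOF
# Legacy algorithms for the CentOS 6 (OpenSSH 5.3) host only
Host legacy-el6
    HostName $host
    KexAlgorithms +diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
    MACs +hmac-sha1
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa
EOF
    chmod 600 "$out"
}

# Write an OpenSSL config that re-enables SHA-1 signatures on top of the
# system config. Applied per process via OPENSSL_CONF, it never changes the
# library behaviour for any other program.
write_legacy_openssl_config() {
    out="$1"
    cat > "$out" <<'EOF'
.include /etc/ssl/openssl.cnf
[openssl_init]
alg_section = evp_properties
[evp_properties]
rh-allow-sha1-signatures = yes
EOF
}

# Return 0 if every weakened algorithm directive in an ssh config file is
# inside a Host/Match block, 1 if any appears before the first Host/Match
# line (top-level directives apply to every connection). Keywords are
# compared case-insensitively, as ssh itself does; comments are skipped.
legacy_settings_are_scoped() {
    awk '
        BEGIN { in_block = 0; global = 0 }
        NF == 0 || $1 ~ /^#/ { next }
        { key = tolower($1) }
        key == "host" || key == "match" { in_block = 1 }
        (key == "kexalgorithms" || key == "macs" || key == "hostkeyalgorithms" || key == "pubkeyacceptedkeytypes" || key == "pubkeyacceptedalgorithms") && !in_block { global = 1 }
        END { exit global }
    ' "$1"
}

# Run sftp against the legacy host with both overrides limited to this
# process: -F keeps the legacy Host block out of ~/.ssh/config, and the
# OPENSSL_CONF variable is set only for the sftp child.
legacy_sftp() {
    cfg_dir="$1"
    shift
    OPENSSL_CONF="$cfg_dir/openssl-legacy.cnf" \
        sftp -F "$cfg_dir/ssh-legacy.config" "$@"
}

# Usage (the sftp call needs the real CentOS 6 host, so it is not run here):
#   d=$(mktemp -d)
#   write_legacy_ssh_config "$d/ssh-legacy.config" 10.30.1.250
#   write_legacy_openssl_config "$d/openssl-legacy.cnf"
#   legacy_settings_are_scoped "$d/ssh-legacy.config" && legacy_sftp "$d" ewessel@legacy-el6
```

Before connecting, `ssh -G -F "$d/ssh-legacy.config" legacy-el6 | grep -i -e kexalgorithms -e hostkeyalgorithms` prints the effective algorithm lists for that alias without opening a connection, so you can confirm the Host block applies only to the legacy alias and that the defaults are unchanged for any other host name. Once the files have been copied off the CentOS 6 machine, delete the two override files; the SHA-1 allowance should not outlive the migration.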
