ssh no longer able to connect to older hosts

Fedora33 implements higher security standards, not only for server side, but even when it comes to client connections.

This includes more restrictive rules on accepted Ciphers, Kex (key exchange) algorithms, etc.

Unfortunately this leads to situation in which you can no longer connect to older hosts, like CentOS5, some switches, for example JunOS12.

If you start getting the similar SSH errors:

=================

debug1: send_pubkey_test: no mutual signature algorithm
debug1: kex: algorithm: (no match)
Unable to negotiate with xx.xx.xx.xx port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 

=================

 

What you can do is  slightly tune the openssh client requirements.
 
You can put this on your config. This exact config will cover all hosts which you connect to, but if you wish this only on specific machines, instead of the wildcard '*' put the name or the IP of your machines, separated by 'space'

In file: ~/.ssh/config

Add/Edit the following section

=================
Host *
        KexAlgorithms +diffie-hellman-group1-sha1
        Ciphers +aes256-cbc
        PubkeyAcceptedKeyTypes +ssh-rsa
=================
 
This will probably fix a lot of issues for you. 


Posted by No comments:

git: error: gpg failed to sign the data

If you try to sign commit with git, and you get the following error:

====================== 

error: gpg failed to sign the data

fatal: failed to write commit object
======================
 
  1. Check your ~/.gitconfig file, which must include at least the following sections:
    [user]
            name = Your Name Here
            email = your@email.com
            #key ID coming from gpg --list-keys
            signingkey = AABBCCDDFF112233445566
    [commit]
            gpgsign = 1
    [gpg]
            #could be gpg or gpg2 or full path to them
            program = gpg2     
  2. If above is fine, check if your GPG is working correctly on the following link:
 gpg or gpg2 gpg: signing failed: Inappropriate ioctl for device
Posted by No comments:

gpg or gpg2 gpg: signing failed: Inappropriate ioctl for device

 If you ever get the following error, while trying to sign with gpg:

gpg: signing failed: Inappropriate ioctl for device

try the following steps

Test if gpg is actually working:

====================== 

echo "test" | gpg2 --clearsign
======================
If you get error like this: 
 
====================== 
[root@localhost]# echo "test" | gpg2 --clearsign
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

test
gpg: signing failed: Inappropriate ioctl for device
gpg: [stdin]: clear-sign failed: Inappropriate ioctl for device 
======================
 

then try the following:

======================
[root@localhost]# export GPG_TTY=$(tty)
======================
 
If this fixes the problem, add it to your .bashrc or .bash_profile file 



Posted by No comments:
Subscribe to: Posts (Atom)