Categories
System Administration

Connecting to legacy servers with OpenSSH

Phasing out legacy cryptographic algorithms can always be an interesting endeavor as terminating to early breaks stuff and to late it can lead to a compromise. OpenSSH disabled DSA with version 7.0 in March 2015 as 5 years earlier it was discovered that DSA was compromised and labelled as insecure. Normally this shouldn’t be a problem with a normal software life cycle, but sometimes you will encounter a legacy box that will not be upgraded as it will break things. Now it will stop new connections being setup from upgraded to machines as with SSH.

$ ssh user@server.example.org Unable to negotiate with server.example.org port 22: no matching host key type found. Their offer: ssh-dss

For an incidental connection from the command line the algorithm can be enabled again to connect with a legacy machine.

$ ssh -o HostKeyAlgorithms=+ssh-dss user@server.example.org

For automated processed or when scripts can’t be modified a setting for OpenSSH can also be set in $HOME/.ssh/config for the account depending on this option to be set.

Host server.example.org
  HostKeyAlgorithms=+ssh-dss

Re-enabling broken algorithms like DSA should only be done for a limited time and scope. In a lot of commercial environments these algorithms aren’t allowed to be enabled again. Also in most cases the code to run these obsolete algorithms can be removed in a later version as already is the case with SSL 3.0 and earlier for example.