Categories

## Connecting to legacy servers with OpenSSH

Phasing out legacy cryptographic algorithms can always be an interesting endeavor as terminating to early breaks stuff and to late it can lead to a compromise. OpenSSH disabled DSA with version 7.0 in March 2015 as 5 years earlier it was discovered that DSA was compromised and labelled as insecure. Normally this shouldn’t be a problem with a normal software life cycle, but sometimes you will encounter a legacy box that will not be upgraded as it will break things. Now it will stop new connections being setup from upgraded to machines as with SSH.

$ssh user@server.example.org Unable to negotiate with server.example.org port 22: no matching host key type found. Their offer: ssh-dss  For an incidental connection from the command line the algorithm can be enabled again to connect with a legacy machine. $ ssh -o HostKeyAlgorithms=+ssh-dss user@server.example.org


For automated processed or when scripts can’t be modified a setting for OpenSSH can also be set in \$HOME/.ssh/config for the account depending on this option to be set.

Host server.example.org
HostKeyAlgorithms=+ssh-dss


Re-enabling broken algorithms like DSA should only be done for a limited time and scope. In a lot of commercial environments these algorithms aren’t allowed to be enabled again. Also in most cases the code to run these obsolete algorithms can be removed in a later version as already is the case with SSL 3.0 and earlier for example.