diff options
Diffstat (limited to 'users')
-rw-r--r-- | users/wpcarro/website/blog/posts.nix | 7 | ||||
-rw-r--r-- | users/wpcarro/website/blog/posts/ssh-oddities.md | 59 |
2 files changed, 66 insertions, 0 deletions
diff --git a/users/wpcarro/website/blog/posts.nix b/users/wpcarro/website/blog/posts.nix index 1dd6930a1eee..7766dabd6007 100644 --- a/users/wpcarro/website/blog/posts.nix +++ b/users/wpcarro/website/blog/posts.nix @@ -50,4 +50,11 @@ content = ./posts/tee-time.md; draft = false; } + { + key = "ssh-oddities"; + title = "SSH Oddities"; + date = 1657647994; + content = ./posts/ssh-oddities.md; + draft = false; + } ] diff --git a/users/wpcarro/website/blog/posts/ssh-oddities.md b/users/wpcarro/website/blog/posts/ssh-oddities.md new file mode 100644 index 000000000000..f6fa603f3e0c --- /dev/null +++ b/users/wpcarro/website/blog/posts/ssh-oddities.md @@ -0,0 +1,59 @@ +## Background + +I was trying to debug a service over `ssh` that offered password-only +authentication, but I couldn't seem to get the `ssh` client to prompt me for the +password. + +It looked something like this (skip ahead to the conclusion if you're pressed +for time): + +## Troubleshooting + +```shell +λ ssh root@[redacted] +Unable to negotiate with [redacted] port 22: no matching host key type found. Their offer: ssh-rsa +``` + +But the same command was working just fine for my coworker. + +I took a closer look with `ssh -v root@[redacted]`, but nothing jumped-out at +me. Maybe it's something with *my* `ssh` configuration; let's remove that +variable: + +```shell +λ ssh -F /dev/null root@[redacted] +Unable to negotiate with [redacted] port 22: no matching host key type found. Their offer: ssh-rsa +``` + +> Ah it looks like there's a way to set my preferred authentication method... +> -- me + +```shell +λ ssh -F /dev/null -o PreferredAuthentications=password root@[redacted] +Unable to negotiate with [redacted] port 22: no matching host key type found. Their offer: ssh-rsa +``` + +## Conclusion + +Well it turns-out that newer SSH clients disable the `ssh-rsa` public key +signature algorithm because it depends on SHA-1, which is considered insecure. + +```shell +λ ssh -V +OpenSSH_9.0p1, OpenSSL 1.1.1p 21 Jun 2022 +``` + +...and according to the `ssh -v` output, the server is running an pre-COVID(!!!) +version of `ssh`: + +``` +debug1: Remote protocol version 2.0, remote software version dropbear_2018.76 +``` + +So if you don't have time to upgrade the SSH server, and you just want to +connect, the following should work because we're *opting-into* the less secure +option: + +```shell +λ ssh -o HostKeyAlgorithms=+ssh-rsa root@[redacted] +``` |