To connect to machines that have not received an update for a long time and cannot, or should not, receive one any more, the conditions for the key exchange have to be adjusted; otherwise the connection fails with negotiation errors.
One option is to relax the conditions on the "new" machine from which the connection is started. To do so, add the following to ~/.ssh/config:

    Host IP-ADDRESS
        KexAlgorithms +diffie-hellman-group1-sha1

or

    Host IP-ADDRESS
        HostKeyAlgorithms +ssh-rsa,ssh-dss

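As an added example (not from the original post), a POSIX shell helper that writes such a per-host stanza and audits an ssh_config-style file for legacy algorithms that were enabled for all hosts instead of only the one old machine; the function names and the legacy-algorithm list are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for scoping the relaxed
# KEX / host-key settings to one legacy host and for auditing a ssh_config-style
# file for legacy algorithms enabled globally. The legacy-algorithm list below
# is a constructed, non-exhaustive selection of SHA-1 based names.
LEGACY_PATTERN='diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group-exchange-sha1|ssh-rsa|ssh-dss'

# Emit a stanza that enables the legacy algorithms only for the given host.
# The leading '+' appends to the client's default list, so modern algorithms
# remain preferred and the old ones are offered only when nothing else matches.
legacy_host_stanza() {
    printf 'Host %s\n' "$1"
    printf '    KexAlgorithms +diffie-hellman-group1-sha1\n'
    printf '    HostKeyAlgorithms +ssh-rsa,ssh-dss\n'
}

# Print "<line>:<scope>:<directive>" for each KexAlgorithms/HostKeyAlgorithms
# line that names a legacy algorithm while it applies to more than one host:
# before any Host/Match block ("global"), in a Host block whose pattern has a
# wildcard or negation, or in any Match block (treated conservatively as broad).
audit_ssh_config() {
    awk -v pat="$LEGACY_PATTERN" '
        BEGIN { scope = "global"; broad = 1 }
        {
            kw = tolower($1)
            if (kw == "host" || kw == "match") {
                line = $0
                sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "", line)
                scope = line
                broad = (kw == "match" || line ~ /[*?!]/) ? 1 : 0
                next
            }
            if ((kw == "kexalgorithms" || kw == "hostkeyalgorithms") && broad && $0 ~ pat) {
                line = $0
                sub(/^[[:space:]]+/, "", line)
                printf "%d:%s:%s\n", NR, scope, line
            }
        }
    ' "$1"
}
```

Run `audit_ssh_config ~/.ssh/config` after editing; an empty result means the relaxed settings are confined to explicitly named hosts.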
KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated. If the specified list begins with a ‘+’ character, then the specified algorithms will be appended to the default set instead of replacing them. If the specified list begins with a ‘-’ character, then the specified algorithms (including wildcards) will be removed from the default set instead of replacing them. If the specified list begins with a ‘^’ character, then the specified algorithms will be placed at the head of the default set. The default is:
curve25519-sha256,curve25519-sha256@libssh.org,
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256,
diffie-hellman-group16-sha512,
diffie-hellman-group18-sha512,
diffie-hellman-group14-sha256
The list of available key exchange algorithms may also be obtained using "ssh -Q kex".
HostKeyAlgorithms
Specifies the host key signature algorithms that the client wants to use in order of preference. Alternately if the specified list begins with a ‘+’ character, then the specified signature algorithms will be appended to the default set instead of replacing them. If the specified list begins with a ‘-’ character, then the specified signature algorithms (including wildcards) will be removed from the default set instead of replacing them. If the specified list begins with a ‘^’ character, then the specified signature algorithms will be placed at the head of the default set. The default for this option is:
ssh-ed25519-cert-v01@openssh.com,
ecdsa-sha2-nistp256-cert-v01@openssh.com,
ecdsa-sha2-nistp384-cert-v01@openssh.com,
ecdsa-sha2-nistp521-cert-v01@openssh.com,
sk-ssh-ed25519-cert-v01@openssh.com,
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
rsa-sha2-512-cert-v01@openssh.com,
rsa-sha2-256-cert-v01@openssh.com,
ssh-ed25519,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
sk-ecdsa-sha2-nistp256@openssh.com,
sk-ssh-ed25519@openssh.com,
rsa-sha2-512,rsa-sha2-256
If hostkeys are known for the destination host then this default is modified to prefer their algorithms.
The list of available signature algorithms may also be obtained using "ssh -Q HostKeyAlgorithms".