Thanks Roberto, I have also tried the latest dropbear server, but this is incompatible too.
Do you have any idea how I can find appropriate key exchange and cipher algorithms?

On Thu, 22 Nov 2018 at 19:42, Roberto C. Sánchez <robe...@debian.org> wrote:
>
> On Thu, Nov 22, 2018 at 07:32:07PM +0100, owl...@gmail.com wrote:
> > Hi, I have compatibility issues with the latest version of openssh-server
> > and an old dropbear client, the dropbear client stops at preauth
> > Nov 22 14:34:03 myhostname sshd[3905]: debug1: Client protocol version 2.0; client software version dropbear_0.46
> > Nov 22 14:34:03 myhostname sshd[3905]: debug1: no match: dropbear_0.46
> > Nov 22 14:34:03 myhostname sshd[3905]: debug1: Local version string SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u4
> > Nov 22 14:34:03 myhostname sshd[3905]: debug1: Enabling compatibility mode for protocol 2.0
> > Nov 22 14:34:03 myhostname sshd[3905]: debug2: fd 3 setting O_NONBLOCK
> > Nov 22 14:34:03 myhostname sshd[3905]: debug2: Network child is on pid 3906
> > Nov 22 14:34:03 myhostname sshd[3905]: debug3: preauth child monitor started
> > Nov 22 14:34:03 myhostname sshd[3905]: debug3: privsep user:group 106:65534 [preauth]
> > Nov 22 14:34:03 myhostname sshd[3905]: debug1: permanently_set_uid: 106/65534 [preauth]
> > Nov 22 14:34:03 myhostname sshd[3905]: debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256 [preauth]
> > Nov 22 14:34:03 myhostname sshd[3905]: debug3: send packet: type 20 [preauth]
> > Nov 22 14:34:03 myhostname sshd[3905]: debug1: SSH2_MSG_KEXINIT sent [preauth]
> > I'm thinking about installing the previous version of the package (Jessie)
> >
> > [1]http://ftp.it.debian.org/debian/pool/main/o/openssh/openssh-server_7.9p1-4_amd64.deb
> > Do you say that it is possible?
> > Thanks
> >
>
> That is actually a terrible idea.
>
> You are better off editing /etc/sshd_config and enabling appropriate key
> exchange and cipher algorithms that are compatible with the old dropbear
> client.
>
> Given the potential security issues there, a better approach is to
> instead create a copy of the current configuration, make the necessary
> changes to be compatible with dropbear, then run two sshd instances.
> Make the one with the weak algorithms only accessible to the IP from
> which the dropbear connection will initiate (you can do this in your
> system firewall) and then make it only accessible to the specific user
> (you can do this with an AllowUsers directive in that instance's
> sshd_config). The other instance can remain accessible as you currently
> have it with no degradation of security.
>
> You will also need to decide which instance will run on which ports,
> since both cannot occupy the same port. Alternately, if the machine has
> multiple IP addresses, the two instances can be on the same port bound
> to different addresses.
>
> Regards,
>
> -Roberto
>
> --
> Roberto C. Sánchez
>
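
One way to find which algorithms the old client needs, as an added example that is not part of the thread: at LogLevel DEBUG2 or higher, sshd logs its own and the client's KEXINIT proposals, and the script below compares them per category. The log lines are constructed (the algorithm lists are not dropbear 0.46's actual offer), the function names are made up for this example, and the debug2 line format is assumed from OpenSSH 7.x.

```python
import re

# Constructed sample of sshd debug2 output; the algorithm lists are
# illustrative and are not taken from the thread or from dropbear 0.46.
SAMPLE_LOG = """\
host sshd[1234]: debug2: local server KEXINIT proposal [preauth]
host sshd[1234]: debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group14-sha1 [preauth]
host sshd[1234]: debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr [preauth]
host sshd[1234]: debug2: MACs ctos: hmac-sha2-256,hmac-sha1 [preauth]
host sshd[1234]: debug2: peer client KEXINIT proposal [preauth]
host sshd[1234]: debug2: KEX algorithms: diffie-hellman-group1-sha1 [preauth]
host sshd[1234]: debug2: ciphers ctos: aes128-cbc,3des-cbc [preauth]
host sshd[1234]: debug2: MACs ctos: hmac-sha1,hmac-md5 [preauth]
"""

# Log field name (assumed format) -> sshd_config directive that controls it.
DIRECTIVES = {"KEX algorithms": "KexAlgorithms", "ciphers ctos": "Ciphers", "MACs ctos": "MACs"}

HEADER = re.compile(r"debug2: (local|peer) \w+ KEXINIT proposal")
FIELD = re.compile(r"debug2: ([A-Za-z ]+): (\S*)")

def parse_proposals(log_text):
    """Return {'local': {field: [algs]}, 'peer': {field: [algs]}}."""
    proposals, side = {"local": {}, "peer": {}}, None
    for line in log_text.splitlines():
        m = HEADER.search(line)
        if m:
            side = m.group(1)  # following field lines belong to this side
            continue
        m = FIELD.search(line)
        if m and side and m.group(1) in DIRECTIVES:
            proposals[side][m.group(1)] = [a for a in m.group(2).split(",") if a]
    return proposals

def missing_directives(log_text):
    """For each category with no common algorithm, list what the peer offers."""
    p = parse_proposals(log_text)
    gaps = {}
    for field, directive in DIRECTIVES.items():
        local, peer = p["local"].get(field, []), p["peer"].get(field, [])
        if peer and not set(local) & set(peer):
            gaps[directive] = peer
    return gaps

if __name__ == "__main__":
    for directive, algs in missing_directives(SAMPLE_LOG).items():
        print(f"{directive}: no overlap; client offers {','.join(algs)}")
```

Any directive it reports belongs only in the restricted second instance's sshd_config; `ssh -Q kex`, `ssh -Q cipher` and `ssh -Q mac` list what the installed OpenSSH can still enable.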