
Forums before death by AOL, social media and spammers... "We can't have nice things"

   alt.os.linux      Getting to be as bloated as Windows!      107,822 messages   


   Message 106,401 of 107,822   
   Java Jive to Richard Kettlewell   
   Re: Can log in to server using public ke   
   26 Aug 24 12:20:59   
   
   XPost: uk.comp.os.linux   
   From: java@evij.com.invalid   
      
   On 26/08/2024 08:47, Richard Kettlewell wrote:   
   >   
   > Java Jive  writes:   
   >>   
   >> This is what the failure looks like from the server with maximum   
   >> debugging options:   
   >>   
   >> [...]   
   >   
   > Server is OpenSSH 5.9p1:   
   >   
   >> debug1: sshd version OpenSSH_5.9p1   
   >> debug3: Incorrect RSA1 identifier   
   >   
   > Server has (among others) an ECDSA host key.   
   >   
   > Client is OpenSSH 8.9p1:   
   >   
   >> debug1: Client protocol version 2.0; client software version OpenSSH_8.9p1 Ubuntu-3ubuntu0.10   
   >   
   > Server’s supported host key mechanisms:   
   >   
   >> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp521 [preauth]   
   >   
   > Client’s supported host key mechanisms:   
   >   
   >> debug2: kex_parse_kexinit:   
   >> ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp521,   
   >> ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,   
   >> ecdsa-sha2-nistp384-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,   
   >> sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,   
   >> rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,   
   >> ecdsa-sha2-nistp384,sk-ssh-ed25519@openssh.com,   
   >> sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256   
   >   
   > ecdsa-sha2-nistp521 appears in both and the server has an ECDSA host   
   > key, so host key verification is possible.   
   >   
   > The public key authentication mechanisms aren’t logged but there is no   
   > shared RSA mechanism - the server only has ssh-rsa (i.e. RSA with SHA-1)   
   > while the client only has rsa-sha2-512 and rsa-sha2-256 (i.e. RSA with   
   > SHA-512 or SHA-256).   
   >   
   > Looking at the OpenSSH release notes:   
   >   
   > * ssh-rsa was disabled in OpenSSH 8.7 because it’s broken;   
   >    your OpenSSH 8.9p1 client therefore has it disabled by default.   
   > * rsa-sha2-256 and rsa-sha2-512 were added in OpenSSH 7.2;   
   >    your OpenSSH 5.9p1 client therefore cannot use them.   
   >   
   > So my guess was basically right, although I’d got client and server the   
   > wrong way round.   
   >   
   > I think your options are:   
   >   
   > * Upgrade the server to something from this decade; it should start   
   >    using one of the SHA2 mechanisms with your existing RSA keys.   
      
   Not possible without considerable work, more than those 2 boxes are   
   worth (actually possibly 4, of 2 different models; after the failure   
   with these 2, I didn't bother to test the 2 NMPs)   
      
   > * Create an ECDSA key on the client(s) and use that to authenticate to   
   >    the server.   
      
   I'll investigate that.   
      
   > * Re-enable ssh-rsa in the OpenSSH 8.9p1 client, if you don’t care about   
   >    security.   
      
   I'll investigate that too.   
      
   I do care about security, hence my using ssh in the first place, but   
   only so far, because this is a private LAN at my home and the chances of   
   strangers getting to be in a position to try to hack it are quite low in   
   the first place.   
      
   Thanks for your comprehensive analysis.  I did try examining the debug   
   log for myself, but I couldn't find a way in to understanding what was   
   happening, so your help has been invaluable.  Tx again.   
      
   --   
      
   Fake news kills!   
      
   I may be contacted via the contact address given on my website:   
   www.macfh.co.uk   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
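
The comparison Richard Kettlewell walks through above, as an added example that is not part of the original post: it parses the two `kex_parse_kexinit` lines, picks the host key algorithm as the first client preference the server also lists (a simplification of SSH negotiation), and checks for a shared RSA signature name. Like the post, it assumes the RSA names in the host-key lists reflect what each side accepts for public key authentication; the function names are hypothetical.

```python
import re

# Name-lists copied from the debug output quoted in the post (the client
# list is re-joined from its wrapped lines).
SERVER_LINE = "debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp521 [preauth]"
CLIENT_LINE = "debug2: kex_parse_kexinit: " + ",".join([
    "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ecdsa-sha2-nistp521",
    "ssh-ed25519-cert-v01@openssh.com", "ecdsa-sha2-nistp256-cert-v01@openssh.com",
    "ecdsa-sha2-nistp384-cert-v01@openssh.com", "sk-ssh-ed25519-cert-v01@openssh.com",
    "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com", "rsa-sha2-512-cert-v01@openssh.com",
    "rsa-sha2-256-cert-v01@openssh.com", "ssh-ed25519", "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384", "sk-ssh-ed25519@openssh.com",
    "sk-ecdsa-sha2-nistp256@openssh.com", "rsa-sha2-512", "rsa-sha2-256",
])

# Signature algorithm names usable with a plain RSA key.
RSA_SIGNATURES = {"ssh-rsa", "rsa-sha2-256", "rsa-sha2-512"}


def parse_name_list(line):
    """Return the algorithm names from one kex_parse_kexinit debug line."""
    # Stop at whitespace or '[' so a trailing "[preauth]" tag is not captured.
    m = re.search(r"kex_parse_kexinit:\s*([^\s\[]+)", line)
    return m.group(1).split(",") if m else []


def negotiate_host_key(client, server):
    """First name in the client's preference order that the server also lists."""
    return next((name for name in client if name in server), None)


def diagnose(client_line, server_line):
    """Summarise host key agreement and RSA signature overlap for two log lines."""
    client, server = parse_name_list(client_line), parse_name_list(server_line)
    return {
        "host_key": negotiate_host_key(client, server),
        "client_rsa": sorted(RSA_SIGNATURES & set(client)),
        "server_rsa": sorted(RSA_SIGNATURES & set(server)),
        # Empty list: an RSA user key cannot be accepted without changing one side.
        "shared_rsa": sorted(RSA_SIGNATURES & set(client) & set(server)),
    }


if __name__ == "__main__":
    for field, value in diagnose(CLIENT_LINE, SERVER_LINE).items():
        print(f"{field}: {value}")
```
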
