delorie.com/archives/browse.cgi   search  
Mail Archives: cygwin/2020/04/20/10:54:55

X-Recipient: archive-cygwin AT delorie DOT com
X-Original-To: cygwin AT cygwin DOT com
Delivered-To: cygwin AT cygwin DOT com
DMARC-Filter: OpenDMARC Filter v1.3.2 sourceware.org 25150384B104
Authentication-Results: sourceware.org; dmarc=none (p=none dis=none)
header.from=SystematicSw.ab.ca
Authentication-Results: sourceware.org;
spf=none smtp.mailfrom=brian DOT inglis AT systematicsw DOT ab DOT ca
X-Authority-Analysis: v=2.3 cv=ecemg4MH c=1 sm=1 tr=0
a=kiZT5GMN3KAWqtYcXc+/4Q==:117 a=kiZT5GMN3KAWqtYcXc+/4Q==:17
a=IkcTkHD0fZMA:10 a=HU1OPnRnAAAA:8 a=QWgh4cG91-Rk6s4hAfsA:9 a=QEXdDO2ut3YA:10
a=P3yLNOpNF_cA:10 a=8nfKT-2EcRIA:10 a=vQ5cN67eHy2kcvnFvKcb:22
Subject: Re: latest openssh can not connect to older server
To: cygwin AT cygwin DOT com
References: <CAPJ9Yc-qyZCVUKiBrRN7_Qm0Fx5bmujBE6iefk2Jp93HsJj9SA AT mail DOT gmail DOT com>
<CAK+zucnzzzdVoT=eKXyzJ6yuAy5NK6FUc54a_u7VqEfDAStVNA AT mail DOT gmail DOT com>
<81bb8ed0-e552-fa06-70c6-c587fa3e9b5c AT towo DOT net>
From: Brian Inglis <Brian DOT Inglis AT SystematicSw DOT ab DOT ca>
Autocrypt: addr=Brian DOT Inglis AT SystematicSw DOT ab DOT ca; prefer-encrypt=mutual;
keydata=
mDMEXopx8xYJKwYBBAHaRw8BAQdAnCK0qv/xwUCCZQoA9BHRYpstERrspfT0NkUWQVuoePa0
LkJyaWFuIEluZ2xpcyA8QnJpYW4uSW5nbGlzQFN5c3RlbWF0aWNTdy5hYi5jYT6IlgQTFggA
PhYhBMM5/lbU970GBS2bZB62lxu92I8YBQJeinHzAhsDBQkJZgGABQsJCAcCBhUKCQgLAgQW
AgMBAh4BAheAAAoJEB62lxu92I8Y0ioBAI8xrggNxziAVmr+Xm6nnyjoujMqWcq3oEhlYGAO
WacZAQDFtdDx2koSVSoOmfaOyRTbIWSf9/Cjai29060fsmdsDLg4BF6KcfMSCisGAQQBl1UB
BQEBB0Awv8kHI2PaEgViDqzbnoe8B9KMHoBZLS92HdC7ZPh8HQMBCAeIfgQYFggAJhYhBMM5
/lbU970GBS2bZB62lxu92I8YBQJeinHzAhsMBQkJZgGAAAoJEB62lxu92I8YZwUBAJw/74rF
IyaSsGI7ewCdCy88Lce/kdwX7zGwid+f8NZ3AQC/ezTFFi5obXnyMxZJN464nPXiggtT9gN5
RSyTY8X+AQ==
Organization: Systematic Software
Message-ID: <ad5361cf-3968-4a39-6be8-6737a3bf4195@SystematicSw.ab.ca>
Date: Mon, 20 Apr 2020 08:54:03 -0600
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101
Thunderbird/68.7.0
MIME-Version: 1.0
In-Reply-To: <81bb8ed0-e552-fa06-70c6-c587fa3e9b5c@towo.net>
X-CMAE-Envelope: MS4wfPQMjeqqF7O+3jqgFGWVXgDQEZApaK0yjVJjPX/UFOFX96cjbONc/+aMOBAUopRYhWY5ZNdWuwzyl1Q0gm+mjk7g0i9N/Sk+CfGk/x1QRnK4QQU1lapU
GXeV4C3r6v/OEUJUQrpp3j5XvBtxa3nzA8QuTlh1+OoiP+4oEiWMOW9leOzphrok/Vo9k/eaeN6M6w==
X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00, KAM_DMARC_STATUS,
KAM_LAZY_DOMAIN_SECURITY, RCVD_IN_DNSWL_LOW, RCVD_IN_MSPIKE_H3,
RCVD_IN_MSPIKE_WL, SPF_HELO_NONE, SPF_NONE,
TXREP autolearn=no autolearn_force=no version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
server2.sourceware.org
X-BeenThere: cygwin AT cygwin DOT com
X-Mailman-Version: 2.1.29
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Unsubscribe: <http://cygwin.com/mailman/options/cygwin>,
<mailto:cygwin-request AT cygwin DOT com?subject=unsubscribe>
List-Archive: <https://cygwin.com/pipermail/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-request AT cygwin DOT com?subject=help>
List-Subscribe: <http://cygwin.com/mailman/listinfo/cygwin>,
<mailto:cygwin-request AT cygwin DOT com?subject=subscribe>
Reply-To: cygwin AT cygwin DOT com
Errors-To: cygwin-bounces AT cygwin DOT com
Sender: "Cygwin" <cygwin-bounces AT cygwin DOT com>
X-MIME-Autoconverted: from base64 to 8bit by delorie.com id 03KEsb1h020484 

On 2020-04-20 04:11, Thomas Wolff wrote:
> Am 19.04.2020 um 14:31 schrieb Sharuzzaman Ahmat Raslan via Cygwin:
>> On Sun, 19 Apr 2020, 8:13 pm David Balažic via Cygwin, wrote:
>>> I tried to backup some files from my server with scp and failed:
>>> $ scp  -v  root AT the DOT server:/root/a.file  .
>>> Executing: program /usr/bin/ssh host the.server, user root, command
>>> scp -v -f /root/a.file
>>> OpenSSH_8.2p1, OpenSSL 1.1.1f  31 Mar 2020
>>> debug1: Connecting to the.server [192.168.1.11] port 22.
>>> debug1: Connection established.
>>> debug1: identity file /home/stein/.ssh/id_rsa type -1
>>> debug1: identity file /home/stein/.ssh/id_rsa-cert type -1
>>> debug1: identity file /home/stein/.ssh/id_dsa type -1
>>> debug1: identity file /home/stein/.ssh/id_dsa-cert type -1
>>> debug1: identity file /home/stein/.ssh/id_ecdsa type -1
>>> debug1: identity file /home/stein/.ssh/id_ecdsa-cert type -1
>>> debug1: identity file /home/stein/.ssh/id_ecdsa_sk type -1
>>> debug1: identity file /home/stein/.ssh/id_ecdsa_sk-cert type -1
>>> debug1: identity file /home/stein/.ssh/id_ed25519 type -1
>>> debug1: identity file /home/stein/.ssh/id_ed25519-cert type -1
>>> debug1: identity file /home/stein/.ssh/id_ed25519_sk type -1
>>> debug1: identity file /home/stein/.ssh/id_ed25519_sk-cert type -1
>>> debug1: identity file /home/stein/.ssh/id_xmss type -1
>>> debug1: identity file /home/stein/.ssh/id_xmss-cert type -1
>>> debug1: Local version string SSH-2.0-OpenSSH_8.2
>>> debug1: Remote protocol version 2.0, remote software version
>>> dropbear_2011.54
>>> debug1: no match: dropbear_2011.54
>>> debug1: Authenticating to the.server:22 as 'root'
>>> debug1: SSH2_MSG_KEXINIT sent
>>> debug1: SSH2_MSG_KEXINIT received
>>> debug1: kex: algorithm: (no match)
>>> Unable to negotiate with 192.168.1.11 port 22: no matching key
>>> exchange method found. Their offer:
>>> diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
>>> I tried OpenSSH_8.0p1-2 which is still available in the cygwin
>>> setup-x86_64.exe wizard and that version works fine.
>>> (the version above is 8.2.p1-1 in the setup wizard)
>> New OpenSSH client will not connect to server that use SHA1.
>> Please refer to this: https://www.openssh.com/legacy.html
>> You should configure your old server to use more modern cipher

> This isn't always a feasible approach. I access a WD MybookLive NAS storage
> via ssh. It still works with current openssh (8.2) but I wouldn't know how to
> find out the methods supported by my server and wouldn't like to risk the
> adventure to upgrade such a device. Therefore I'd suggest to configure in
> "legacy" methods in the cygwin openssh package as mentioned under the link
> above, to avoid such trouble.
Many corps maintain legacy applications on legacy systems using legacy devices,
and not everyone can afford (especially nowadays) the money or the effort or the
expertise, nor should they ever be forced (remember freedom) to upgrade legacy
devices, systems, or applications, as the vendor and/or code may be long gone.

When browsers and security libraries decided to incompatibly totally drop all
support for legacy SSL, rather than make continued use configurable on a per
site basis, I had to quickly reconfigure my recently purchased (and still CVE
free) router to downgrade from HTTPS to HTTP local port access to be able to
continue having access to it.
I could perhaps have tried to keep a legacy copy of some browser around, but
parallel releases are unsupported, and package upgrades try hard to ensure old
releases are eliminated.

[ToWo: From WD support, your NAS is EoL and unsupported, and the forums indicate
you may have a bigger problem (soon?) as Windows appears to be dropping support
for SMB1 required to access your NAS.
For OpenSSH, your best approach may be to get sources for it and its library
dependencies, and ensure that you can build them with cygport, so if all support
is dropped from OpenSSH as I would expect, you still have access. The advantage
of freedom!]

-- 
-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
--
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple

- Raw text -


  webmaster     delorie software   privacy  
  Copyright © 2019   by DJ Delorie     Updated Jul 2019