X-Recipient: archive-cygwin AT delorie DOT com
X-Original-To: cygwin AT cygwin DOT com
Delivered-To: cygwin AT cygwin DOT com
DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 790C93858401
Authentication-Results: sourceware.org; dmarc=none (p=none dis=none)
 header.from=SystematicSw.ab.ca
Authentication-Results: sourceware.org;
 spf=none smtp.mailfrom=systematicsw.ab.ca
X-Authority-Analysis: v=2.4 cv=P+4pOwMu c=1 sm=1 tr=0 ts=6188afe9
 a=T+ovY1NZ+FAi/xYICV7Bgg==:117 a=T+ovY1NZ+FAi/xYICV7Bgg==:17
 a=IkcTkHD0fZMA:10 a=ZO_AHefkAAAA:8 a=w_pzkKWiAAAA:8 a=Jgg1ptHRAAAA:8
 a=TImcKGuyeGIbufSLrCcA:9 a=QEXdDO2ut3YA:10 a=1IxSaLXxkGYA:10
 a=pFWwjSa0iIoA:10 a=WDHEmAT1HsQJqKshFdZ4:22 a=sRI3_1zDfAgwuvI8zelB:22
 a=4mgyOzJUegitewK6Gv8e:22
Message-ID: <846d44e8-6b8d-456e-aab2-86d81eb1d323@SystematicSw.ab.ca>
Date: Sun, 7 Nov 2021 22:04:40 -0700
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101
 Thunderbird/91.3.0
Subject: Re: Problem with OpenSSH
Content-Language: en-CA
To: cygwin AT cygwin DOT com
References: <004701d7d433$5f9415c0$1ebc4140$@nickpopoff.net>
From: Brian Inglis <Brian DOT Inglis AT SystematicSw DOT ab DOT ca>
Organization: Systematic Software
In-Reply-To: <004701d7d433$5f9415c0$1ebc4140$@nickpopoff.net>
X-CMAE-Envelope: MS4xfMcLdn1rmAjOPhEs1SPaGu6GW+GijnL54okHqlcbG+C2DRVB7CtJvBwFMofbu17cUKGqPs/4xlULZFJEhhFoQNFw3GwdBy2GqFt6qZnRj7tZLE8WFxbL
 OL1q+hMOySimQ2yMTIk9kQWKIweMWt4LCqCmdePozmDevprJaiqyb6aPjRGT5Ny2zuP4wccW+sgk5+qBWqkpPatELSPW3ZVRZq+k1e2hZuW8/uDL0CU3LSeO
X-Spam-Status: No, score=-1165.8 required=5.0 tests=BAYES_00, KAM_DMARC_STATUS,
 KAM_LAZY_DOMAIN_SECURITY, NICE_REPLY_A, RCVD_IN_BARRACUDACENTRAL,
 RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H3, RCVD_IN_MSPIKE_WL, SPF_HELO_NONE,
 SPF_NONE, TXREP autolearn=no autolearn_force=no version=3.4.4
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on
 server2.sourceware.org
X-BeenThere: cygwin AT cygwin DOT com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Unsubscribe: <https://cygwin.com/mailman/options/cygwin>,
 <mailto:cygwin-request AT cygwin DOT com?subject=unsubscribe>
List-Archive: <https://cygwin.com/pipermail/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-request AT cygwin DOT com?subject=help>
List-Subscribe: <https://cygwin.com/mailman/listinfo/cygwin>,
 <mailto:cygwin-request AT cygwin DOT com?subject=subscribe>
Reply-To: cygwin AT cygwin DOT com
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Errors-To: cygwin-bounces+archive-cygwin=delorie DOT com AT cygwin DOT com
Sender: "Cygwin" <cygwin-bounces+archive-cygwin=delorie DOT com AT cygwin DOT com>

On 2021-11-07 16:58, Nick Popoff wrote:
> Now I Am having severe problem with 'ssh'.  A simple login command like:
> Ssh nick AT  DOT  DOT  DOT  DOT com <mailto:nick AT  DOT  DOT  DOT  DOT com>
> Results in the following response:
> C:/cygwin64/home/Nick> ssh host.com
> Unable to negotiate with <IP> port 22: no matching key exchange method
> found. Their offer:
> gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,
> diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> This is a fresh install of Cygwin on a clean Windows 11.  I went back to 3.2
> for now as I cannot work with 3.3.1. > In other words, the 3.3.1 ssh.exe does not accept legacy kex
> algorithms at all, no matter what.  I no longer can log in to
> Solaris.  For example, it DOES NOT accept the following: > ssh.exe -o KexAlgorithms=+diffie-hellman-group14-sha1 nick AT host DOT com> 
Unable to negotiate with 50.248.140.9 port 22: no matching host key
> type found. Their offer: ssh-rsa,ssh-dss > Version 3.2 had no problem with legacy algorithms. Can somebody 
explain as
> to what is going on here. Is it a bug? Or a deliberate break of 
> compatibility?
Cygwin release has little to do with the independent package releases, 
in your case openssh which contains the ssh utilities.
Which platform and releases of SSH and SSL are you running in your PATH:

	$ which -a ssh
	/usr/bin/ssh
	/cygdrive/c/WINDOWS/System32/OpenSSH/ssh
	$ ssh -V	# You may well be running Cygwin OpenSSL 1.1.1l
	OpenSSH_8.8p1, OpenSSL 1.1.1k  25 Mar 2021
	$ /cygdrive/c/WINDOWS/System32/OpenSSH/ssh -V
	OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2

If you are running Cygwin OpenSSH 8.2 or later, the announcement last 
year warns that all certain algorithms are now disabled by default, and 
how they may be re-enabled until other systems get upgraded:

https://cygwin.com/pipermail/cygwin-announce/2020-February/009407.html

"openssh 8.2p1-1

...

Potentially-incompatible changes
================================

This release includes a number of changes that may affect existing
configurations:

  * ssh(1), sshd(8): the above removal of "ssh-rsa" from the accepted
    CASignatureAlgorithms list.

  * ssh(1), sshd(8): this release removes diffie-hellman-group14-sha1
    from the default key exchange proposal for both the client and
    server.

  * ssh-keygen(1): the command-line options related to the generation
    and screening of safe prime numbers used by the
    diffie-hellman-group-exchange-* key exchange algorithms have
    changed. Most options have been folded under the -O flag.
..."

The more recent OpenSSH 8.8 announcement disables RSA signatures using 
SHA1 algorithms but has an example showing how you may re-enable 
deprecated algorithms for specific hosts:

https://cygwin.com/pipermail/cygwin-announce/2021-October/010257.html

"openssh 8.8p1-1

...

Potentially-incompatible changes
================================

This release disables RSA signatures using the SHA-1 hash algorithm
by default. This change has been made as the SHA-1 hash algorithm is
cryptographically broken, and it is possible to create chosen-prefix
hash collisions for <USD$50K
...

~/.ssh/config

...

     Host old-host
         HostkeyAlgorithms +ssh-rsa
         PubkeyAcceptedAlgorithms +ssh-rsa

..."

so for your legacy host you may also wish to add entries like:

     Host solaris-host.com
         HostkeyAlgorithms +ssh-rsa
         PubkeyAcceptedAlgorithms +ssh-rsa
	KexAlgorithms +diffie-hellman-group14-sha1

Each OpenSSH announcement also includes the section:

"...

Future deprecation notice
=========================

..."

which should be read by everyone using ssh for any purpose.
Of note is that scp will be upgraded to use SFTP in future instead of 
the legacy protocol.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in binary units and prefixes, physical quantities in SI.]

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple