From: "Garance A Drosehn" <drosih@rpi.edu>
To: "Gary Palmer"
Cc: freebsd-stable@freebsd.org
Subject: Re: [EXTERNAL] SSHD, diffie-hellman-group1-sha1 , and FreeBSD 13-stable
Date: Sun, 30 Jan 2022 22:15:27 -0500
Message-ID: <7F2A9DA2-45CD-4C56-B911-D36AEF10983E@rpi.edu>
List-Id: Production branch of FreeBSD source code
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
On 30 Jan 2022, at 21:29, Gary Palmer wrote:

> On Sun, Jan 30, 2022 at 09:13:16PM -0500, Garance A Drosehn wrote:
>> In my older build of this server, I handled this need by adding
>> the line:
>>     KexAlgorithms +diffie-hellman-group1-sha1
>> in /etc/ssh/sshd_config, and that worked fine.
>>
>> In the newer system that config line flags an error:
>>
>>     -# /usr/sbin/sshd -f /etc/ssh/sshd_config4 -t
>>     /etc/ssh/sshd_config4: line 156: Bad configuration option: KexAlgorithm
>
> There is a 1 character difference between the option named above and
>
> <trim>
>
>>     -# ssh -4e none -oKexAlgorithms=+diffie-hellman-group1-sha1 \
>>         -oCiphers=aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc \
>>         me@sad.ancient.server.rpi.edu
>
> the one used here. That is why one works and one doesn't.
>
> Regards,
>
> Gary

UGH. Unbelievable! It even occurred to me I might have a typo while I
was writing my email, but I triple-checked only the
'diffie-hellman-group1-sha1' part, and not the 'KexAlgorithms' part.

I'm now going to bang my head on my desk for a few minutes. But this
will save me quite a bit of work, so Thanks Muchly!

-- 
Garance Alistair Drosehn                =  drosih@rpi.edu
Lead Developer @rpi and gad@FreeBSD.org
Rensselaer Polytechnic Institute;      Troy, NY;  USA
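The configuration problem in this thread, as an added example that is not part of the original messages: a small Python checker for sshd_config that reports an unknown keyword with the same wording sshd -t uses and suggests the closest known keyword, so the KexAlgorithm / KexAlgorithms mismatch above is caught before the daemon is reloaded. It also warns when a KexAlgorithms line adds a SHA-1 key exchange method such as diffie-hellman-group1-sha1, which sshd -t accepts as valid syntax but which OpenSSH no longer enables by default. The keyword list is a constructed subset of the sshd_config(5) keywords, the sample configuration is constructed, and the function names are my own; sshd -t remains the authoritative syntax check.

```python
"""Lint an sshd_config fragment for misspelled keywords and legacy KEX methods."""
import difflib
import re

# Constructed subset of sshd_config(5) keywords (hypothetical list for this example;
# a real checker would load the complete list for the installed OpenSSH version).
KNOWN_DIRECTIVES = {
    "Port", "ListenAddress", "HostKey", "PermitRootLogin", "PasswordAuthentication",
    "PubkeyAuthentication", "KexAlgorithms", "Ciphers", "MACs", "HostKeyAlgorithms",
    "Subsystem", "Match", "AllowUsers", "UsePAM", "X11Forwarding", "LogLevel",
}
# Keywords are case-insensitive in sshd_config, so match on the lower-cased form.
_KNOWN_LOWER = {d.lower(): d for d in KNOWN_DIRECTIVES}

# SHA-1 based key exchange methods that OpenSSH no longer offers by default.
LEGACY_KEX = {
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha1",
}

# "Keyword value" or "Keyword=value"; the value part is optional.
_LINE_RE = re.compile(r"^([A-Za-z0-9]+)(?:\s*(?:=|\s)\s*(.*))?$")


def lint_sshd_config(text):
    """Return a list of (severity, line_number, message) findings for a config text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip comments and surrounding whitespace
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m:
            findings.append(("error", lineno, f"Unparseable line: {line}"))
            continue
        keyword = m.group(1)
        value = (m.group(2) or "").strip()
        canonical = _KNOWN_LOWER.get(keyword.lower())
        if canonical is None:
            # Same wording sshd -t uses, plus a hint at the nearest known keyword.
            msg = f"Bad configuration option: {keyword}"
            close = difflib.get_close_matches(keyword.lower(), list(_KNOWN_LOWER),
                                              n=1, cutoff=0.8)
            if close:
                msg += f" (did you mean {_KNOWN_LOWER[close[0]]}?)"
            findings.append(("error", lineno, msg))
            continue
        if canonical == "KexAlgorithms":
            # A leading '-' removes methods from the default list, so nothing is enabled.
            if value.startswith("-"):
                continue
            # '+' appends to and '^' prepends to the defaults; no prefix replaces them.
            methods = [a.strip() for a in value.lstrip("+^").split(",") if a.strip()]
            legacy = [a for a in methods if a in LEGACY_KEX]
            if legacy:
                findings.append(("warning", lineno,
                                 "legacy key exchange enabled: " + ", ".join(legacy)))
    return findings


# Constructed sample: the typo from the thread, followed by the corrected line.
SAMPLE_CONFIG = """\
# sshd_config4 (constructed sample)
Port 22
KexAlgorithm +diffie-hellman-group1-sha1
KexAlgorithms +diffie-hellman-group1-sha1
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
"""

if __name__ == "__main__":
    for severity, lineno, message in lint_sshd_config(SAMPLE_CONFIG):
        print(f"sshd_config4: line {lineno}: {severity}: {message}")
```

Run against the sample, line 3 is reported as an error with the KexAlgorithms suggestion and line 4 as a warning for the legacy method; a line that only removes methods ("KexAlgorithms -diffie-hellman-group1-sha1") produces no warning, because nothing weak is being added to the default list.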