25 September 2023

Impact of the new OpenSSH 9.3p1 on Solaris 11.4.60

When connecting to an old server you may see:

-bash-5.2$ ssh g0083
Unable to negotiate with 192.168.100.83 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss

or, if you try to connect from an old system to Solaris 11.4.60 or newer:

-bash-4.4$ ssh g0049
no hostkey alg

This is because the new OpenSSH version on Solaris 11.4.60 has the SHA-1 hash disabled by default, so the ssh-rsa host key type (RSA with SHA-1) is no longer negotiated.
It is recommended to update your old systems to newer versions.

On Solaris 11.3 you need to:
pkg install openssh
pkg set-mediator -I openssh ssh



If this is not possible, as a workaround you can enable SHA-1 on the new Solaris server
for the target systems only, in /etc/ssh/ssh_config and/or sshd_config:

Host g0083
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
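
To keep the override limited to the hosts that really need it, and to get a list of systems to upgrade, the negotiation errors can be summarised per server. This is an added example, not part of the original post; the function names and every sample line except the first (taken from the error shown above) are constructed.

```shell
#!/bin/sh
# Inventory legacy SSH servers from captured ssh client error lines.
# Reads ssh stderr lines on stdin and prints one line per server address:
#   <address> <offered host key types> <verdict>
# verdict is "needs+ssh-rsa" when the offer includes ssh-rsa (the Host
# override with +ssh-rsa applies), "no-rsa-offered" otherwise.
legacy_hostkey_report() {
    awk '
    /no matching host key type found\. Their offer: / {
        addr = ""
        # The address is the word following "with".
        for (i = 1; i < NF; i++)
            if ($i == "with") { addr = $(i + 1); break }
        offer = $NF                      # comma-separated list, last field
        if (addr == "" || seen[addr]++) next   # skip repeats of one server
        n = split(offer, algs, ",")
        verdict = "no-rsa-offered"
        for (j = 1; j <= n; j++)
            if (algs[j] == "ssh-rsa") verdict = "needs+ssh-rsa"
        print addr, offer, verdict
    }'
}

# Constructed sample input: first line is the error from this post,
# the rest are made-up lines using documentation addresses.
sample_log() {
cat <<'EOF'
Unable to negotiate with 192.168.100.83 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
Unable to negotiate with 192.168.100.83 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
Unable to negotiate with 192.0.2.10 port 22: no matching host key type found. Their offer: ssh-dss
Connection closed by 192.0.2.20 port 22
EOF
}

sample_log | legacy_hostkey_report
```

Only servers reported as needs+ssh-rsa are candidates for a Host entry like the one above; unrelated failures are ignored.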



2 comments:

  1. What to do for old Solaris 10 U11?

    1. For Solaris 10 you need to use the workaround:

      .. as a workaround you can enable sha-1 on the new Solaris server
      for the target systems in /etc/ssh/ssh_config and/or sshd_config

      Host g0083
      HostKeyAlgorithms +ssh-rsa
      PubkeyAcceptedAlgorithms +ssh-rsa
