Got a shiny new OL9 and I need to connect to some legacy servers, as in CentOS 5.

The OL9 SSH client does not support the legacy ciphers that CentOS 5 supports:

[opc@vm1 ~]$ ssh legacyServer
Unable to negotiate with 10.0.0.138 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

After looking at this page: OpenSSH Legacy Options

Tried this way:

[opc@vm1 ~]$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 legacyServer
ssh_dispatch_run_fatal: Connection to 10.0.0.138 port 22: error in libcrypto

My hope is that I'm missing something else in /etc/crypto-policies/back-ends to enable legacy ciphers.

Thanks!

Emilio P

1 Answer

I found my own answer thanks to this: How can I use a legacy ssh-rsa key on CentOS 9 Stream? And this: ssh failed on almaLinux 9 with openssl 3.0.1 (error in libcrypto) #18420

The solution for me is to run this, as root: update-crypto-policies --set LEGACY

Which is a Python tool that changes /etc/crypto-policies, mainly by changing the symlinks from /etc/crypto-policies/back-ends/ to the different profiles in /usr/share/crypto-policies/back-ends.

Emilio P
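To check what the policy switch described in the answer actually changed, the following is an added shell example (not part of the original post) that reads a crypto-policies directory and reports which profile each back-end file is linked to. The function names and the ROOT argument are assumptions of this sketch; it only reads files and changes nothing.

```shell
#!/bin/sh
# Added example (not from the post): audit a crypto-policies tree.
# ROOT is an assumption of this sketch so the checks can be pointed at
# /etc/crypto-policies or at a copy of it.

# Print the policy named in ROOT/config (first non-comment, non-blank line).
configured_policy() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1/config" | head -n 1 | tr -d '[:space:]'
}

# Print the profile a back-end file is linked to:
#   symlink      -> name of the directory holding the link target
#   regular file -> "generated" (written in place rather than linked)
#   otherwise    -> "missing"
backend_profile() {
    f="$1/back-ends/$2.config"
    if [ -L "$f" ]; then
        basename "$(dirname "$(readlink "$f")")"
    elif [ -f "$f" ]; then
        echo generated
    else
        echo missing
    fi
}

# List every back-end with its profile; return 1 if any symlinked back-end
# points at a profile other than the configured one.
audit_policy() {
    want=$(configured_policy "$1")
    rc=0
    for f in "$1"/back-ends/*.config; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        name=$(basename "$f" .config)
        got=$(backend_profile "$1" "$name")
        note=ok
        if [ -L "$f" ] && [ "$got" != "$want" ]; then note=MISMATCH; rc=1; fi
        printf '%-12s %-10s %s\n' "$name" "$got" "$note"
    done
    # The policy applies to every back-end listed, not only to OpenSSH.
    [ "$want" != LEGACY ] || echo "note: LEGACY is system-wide, not only for ssh"
    return $rc
}

# Usage on a live host: audit_policy /etc/crypto-policies
```

Running `audit_policy /etc/crypto-policies` before and after `update-crypto-policies --set LEGACY` shows every library back-end that moved to the weaker profile along with OpenSSH.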