ubuntu jammy / ssh / rsa keys

ubuntu jammy / ssh / rsa keys

  • Written by
    Walter Doekes
  • Published on

With the new Ubuntu/Jammy we also get tighter security settings. Here are some aliases that will let you connect to older ssh servers.

For access to old Cisco routers, we already had the first two options in this alias; we now add two more:

# Alias on Ubuntu/Jammy with ssh 8.9p1-3+ to access old routers/switches:
alias ssholdhw="ssh \
    -oKexAlgorithms=+diffie-hellman-group1-sha1 \
    -oCiphers=+aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc \
    -oHostkeyAlgorithms=+ssh-rsa \
    -oPubkeyAcceptedKeyTypes=+ssh-rsa"

That fixes so we can connect to old Cisco and old HP equipment.

When connecting to slightly less old hardware — Cumulus Linux 3.7 — we notice we'll also need some tweaks:

$ ssh 10.1.2.3
walter@10.1.2.3: Permission denied (publickey).

What? Is my RSA key revoked?

$ ssh 10.1.2.3 -v
...
debug1: Offering public key: /home/walter/.ssh/id_ed25519 ED25519 SHA256:3A..
debug1: Authentications that can continue: publickey
debug1: Offering public key: cardno:00xx RSA SHA256:xC..
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Offering public key: /home/walter/.ssh/id_rsa RSA SHA256:ph..
debug1: send_pubkey_test: no mutual signature algorithm
...
walter@10.1.2.3: Permission denied (publickey).

Okay, not revoked, but no mutual signature algorithm. That is fixable:

# Alias on Ubuntu/Jammy with ssh 8.9p1-3+ to access OpenSSH 6.7:
alias sshold="ssh -oPubkeyAcceptedKeyTypes=+ssh-rsa"
$ sshold 10.1.2.3
Welcome to Cumulus (R) Linux (R)

Better.


Back to overview Newer post: flipper zero multi-tool / developing Older post: thunderbird / opening links / ubuntu