undefined | Better HN

0 pointssilverwasthere3y ago0 comments

Maintaining access to a 20 year old ssh server will not be trivial. A modern client would usually fail to agree on encryption protocols in my experience.

0 comments

jolmg3y ago

It's pretty trivial. Some things are disabled by default, but still available on the latest versions of clients. For the OpenSSH client, it will tell you what specifically the client and server failed to agree on, and you can just add the option to enable on the client one of the ciphers, kex algos, or whatever that the server accepts. I've had no trouble with neither the latest version of the OpenSSH client nor Putty to connect to such servers.

thwarted3y ago

Using ancient ciphers and kex algos can end up being just as secure as telnet.

jolmg3y ago

I mean, if they can compile the latest version of sshd to run on SCO OSr5, that's great! If they can't because it's no longer compatible or whatever, are you saying they may as well stay with telnet? Obviously, not using legacy software is best, but it's not like people can just snap their fingers. Software needs to be ported, people need to be trained, etc. Work and time is needed. In the meantime, using sshd seems like an easy upgrade.

On "ancient", the ciphers and kex algos used by the OSr5 sshd above were deprecated like 4 years ago. I'd like to think that among the select group of probably-not-technical people that have access, it's not exactly the same bar of technical ability to inspect the contents of a plaintext connection as that to inspect the contents of an encrypted connection that uses ciphers and kex algos deprecated a few years ago.

nibbleshifter3y ago

> A modern client would usually fail to agree on encryption protocols in my experience.

I run into this issue frequently. Usually its a "client soft disabled, alter config", but sometimes... Just sometimes its "spin up an old VM to use its ssh client".

sitkack3y ago

You SSH to sibling VM running under the same VMM, connect the serial port of the SSHVM to the application VM, clear text only runs over that virtual serial connection traveling through the VMM.

kkielhofner3y ago

Considering the other options you can add the deprecated ciphers and key exchange mechanisms with a few lines for the host in your SSH client config on the newer system.

j / k navigate · click thread line to collapse

0 comments

jolmg3y ago

thwarted3y ago

Using ancient ciphers and kex algos can end up being just as secure as telnet.

jolmg3y ago

nibbleshifter3y ago

> A modern client would usually fail to agree on encryption protocols in my experience.

I run into this issue frequently. Usually its a "client soft disabled, alter config", but sometimes... Just sometimes its "spin up an old VM to use its ssh client".

sitkack3y ago

You SSH to sibling VM running under the same VMM, connect the serial port of the SSHVM to the application VM, clear text only runs over that virtual serial connection traveling through the VMM.

kkielhofner3y ago

Considering the other options you can add the deprecated ciphers and key exchange mechanisms with a few lines for the host in your SSH client config on the newer system.

j / k navigate · click thread line to collapse