They have done unhappy things with ssh. I work with many embedded systems that have older ssh servers that are for all practical purposes impossible to change.
Some imbecile decided to make the world a better place by dropping support for these old (and admittedly less secure) key exchange schemes.
Excuse me while I go on a short rant. I use ssh routinely. The new scheme works just fine with other servers that I am able to keep up to date. It makes sense for ssh to default to the most secure protocols in these cases. But dropping support for older protocols is foolish, makes my life difficult, and is simply annoying -- not to mention stupid, if perhaps well intentioned.
I used to simply get this error:
    ssh focus2
    Unable to negotiate with 192.168.0.132 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1

The fix for this is to put these lines into my .ssh/config file:
    Host focus2
        KexAlgorithms +diffie-hellman-group1-sha1
        HostKeyAlgorithms=+ssh-rsa
        PubkeyAcceptedAlgorithms=+ssh-rsa

This used to work, but now I am seeing this:
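As an added example (not from the original post), here is a small POSIX shell helper that turns that "Their offer:" error line into a ~/.ssh/config stanza scoped to a single Host, so the weaker algorithms are enabled only for the one embedded box rather than for every connection or, as with the LEGACY policy, for the whole system. It prefers diffie-hellman-group14-sha1 (2048-bit group) over diffie-hellman-group1-sha1 (1024-bit group) when the server offers both; the function names are my own, and the alias focus2 and address 192.168.0.132 are the ones quoted above.

```shell
#!/bin/sh
# Build a host-scoped ~/.ssh/config stanza from OpenSSH's
# "no matching key exchange method found" error, so weak algorithms are
# re-enabled only for that one host instead of globally.

# Constructed sample, in the format OpenSSH prints (quoted on this page).
SAMPLE_ERROR='Unable to negotiate with 192.168.0.132 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1'

# offered_kex ERROR_LINE -> the comma-separated list the server offered
offered_kex() {
    printf '%s\n' "$1" | sed -n 's/.*Their offer: *//p'
}

# pick_kex OFFER_LIST -> the preferred algorithm, strongest candidate first:
# group14 (2048-bit DH) is chosen over group1 (1024-bit DH) when both appear.
# Returns 1 if nothing in the offer is on our accept list.
pick_kex() {
    for cand in diffie-hellman-group14-sha1 diffie-hellman-group1-sha1; do
        case ",$1," in
            *",$cand,"*) printf '%s\n' "$cand"; return 0 ;;
        esac
    done
    return 1
}

# host_stanza ALIAS ADDRESS KEX -> ssh_config text limited to that Host
host_stanza() {
    printf 'Host %s\n' "$1"
    printf '    HostName %s\n' "$2"
    printf '    KexAlgorithms +%s\n' "$3"
    printf '    HostKeyAlgorithms +ssh-rsa\n'
    printf '    PubkeyAcceptedAlgorithms +ssh-rsa\n'
}

# Usage: print the stanza for the host from the page; review it, then
# append it to ~/.ssh/config by hand.
kex=$(pick_kex "$(offered_kex "$SAMPLE_ERROR")") || { echo "no acceptable kex offered" >&2; exit 1; }
host_stanza focus2 192.168.0.132 "$kex"
```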
    ssh root@focus2
    ssh_dispatch_run_fatal: Connection to 192.168.0.132 port 22: error in libcrypto
What can I do? One suggestion is this:
    su
    update-crypto-policies --set LEGACY
    Setting system policy to LEGACY
    Note: System-wide crypto policies are applied on application start-up.
    It is recommended to restart the system for the change of policies to fully take place.

Then after the change to LEGACY and a 10 minute wait or so, it works!! At least I can use ssh and access the system.
When I try to copy a file, I get this. You might think it is an issue on the target system, but keep reading.
    scp root@focus2:/nand.img .
    sh: /usr/lib/openssh/sftp-server: not found

This is an issue with the OpenSSH client. Since OpenSSH 9.0, the client uses the SFTP protocol by default. To use the legacy protocol, the -O option must be specified.
And indeed, when I do the following, it works!
    scp -O root@focus2:/nand.img .

So, my problems are fixed for the present, but I expect more mischief from these folks who seem to have a "nanny" attitude.
It seems that ssh is going downhill as far as friendliness, kindness, and usability.
It is touchy non-robust software.
Adventures in Computing / tom@mmto.org