Eri*_*c W 5 linux ssh sftp openssl rhel9
I am trying to connect from a new RHEL 9 server to an older CentOS 6 server, to SFTP files from the old server to the new one for an upgrade, but when connecting from 9 to 6 I get the following error:
[ewessel@ftp ~]$ ssh -v ewessel@10.30.1.250
OpenSSH_8.7p1, OpenSSL 3.0.1 14 Dec 2021
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: Connecting to 10.30.1.250 [10.30.1.250] port 22.
debug1: Connection established.
debug1: identity file /home/ewessel/.ssh/id_rsa type -1
debug1: identity file /home/ewessel/.ssh/id_rsa-cert type -1
debug1: identity file /home/ewessel/.ssh/id_dsa type -1
debug1: identity file /home/ewessel/.ssh/id_dsa-cert type -1
debug1: identity file /home/ewessel/.ssh/id_ecdsa type -1
debug1: identity file /home/ewessel/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/ewessel/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/ewessel/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/ewessel/.ssh/id_ed25519 type -1
debug1: identity file /home/ewessel/.ssh/id_ed25519-cert type -1
debug1: identity file /home/ewessel/.ssh/id_ed25519_sk type -1
debug1: identity file /home/ewessel/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/ewessel/.ssh/id_xmss type -1
debug1: identity file /home/ewessel/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: compat_banner: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000002
debug1: Authenticating to 10.30.1.250:22 as 'ewessel'
debug1: load_hostkeys: fopen /home/ewessel/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: diffie-hellman-group-exchange-sha256 need=32 dh_need=32
debug1: kex: diffie-hellman-group-exchange-sha256 need=32 dh_need=32
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<8192<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_GROUP received
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: SSH2_MSG_KEX_DH_GEX_REPLY received
debug1: Server host key: ssh-rsa SHA256:nMDl3BNpsOOJ6gyMudi6szQS3Pchxe2Ttmj1dH9fLB8
debug1: load_hostkeys: fopen /home/ewessel/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '10.30.1.250' is known and matches the RSA host key.
debug1: Found key in /home/ewessel/.ssh/known_hosts:1
ssh_dispatch_run_fatal: Connection to 10.30.1.250 port 22: error in libcrypto
If I try connecting the other way round, I get this error instead:
[ewessel@ftp ~]$ ssh -v ewessel@10.30.1.225
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 10.30.1.225 [10.30.1.225] port 22.
debug1: Connection established.
debug1: identity file /home/ewessel/.ssh/identity type -1
debug1: identity file /home/ewessel/.ssh/identity-cert type -1
debug1: identity file /home/ewessel/.ssh/id_rsa type -1
debug1: identity file /home/ewessel/.ssh/id_rsa-cert type -1
debug1: identity file /home/ewessel/.ssh/id_dsa type -1
debug1: identity file /home/ewessel/.ssh/id_dsa-cert type -1
debug1: identity file /home/ewessel/.ssh/id_ecdsa type -1
debug1: identity file /home/ewessel/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.7
debug1: match: OpenSSH_8.7 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none
no hostkey alg
Do you know how to get these two machines talking to each other? I want to copy the user files from the old machine to the new one so I can decommission the old CentOS 6 box.
RHEL 9 uses stronger ciphers and algorithms by default, which breaks compatibility with older systems.

The options for the SSH daemon on the RHEL 9 system are:

- Switch the system-wide crypto policy to a mode compatible with earlier releases, as described in the RHEL 9 hardening guide. As root (or with sudo) run:

  # update-crypto-policies --set LEGACY
  Setting system policy to LEGACY

  and reboot.

  Note: this changes all daemons and system settings, which is overkill if you only need to adjust the settings for ssh and sshd.

- Exclude (only) sshd from the system-wide crypto policy. You can opt out by editing /etc/sysconfig/sshd and uncommenting the line # CRYPTO_POLICY= (if necessary you can adjust /etc/ssh/sshd_config and add legacy cryptography settings) and restart the ssh daemon.

For the ssh command-line client on the RHEL 9 system: the recommendation is to override the modern/secure system-wide ssh client defaults by editing ~/.ssh/config and adding a Host entry that enables suitable legacy crypto options for that specific host only:

# ~/.ssh/config

Host rhel6.example.com
    KexAlgorithms +diffie-hellman-group14-sha1
    MACs +hmac-sha1
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedKeyTypes +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa
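The two logs in the question fail at different stages, and it helps to see why before choosing one of the fixes above. In the second log (CentOS 6 client, RHEL 9 sshd) the ciphers are chosen and then the 5.3 client dies with "no hostkey alg": its only host-key algorithms are ssh-rsa and ssh-dss, and the RHEL 9 daemon offers neither, so the intersection is empty and the sshd-side options in the answer (relax the policy, or opt sshd out and re-add ssh-rsa) are the ones that matter. In the first log (RHEL 9 client, CentOS 6 sshd) every algorithm is agreed, including the ssh-rsa host key, and the connection dies in libcrypto only after the host key has been received, which is consistent with the SHA-1 host-key signature being rejected by OpenSSL under the system crypto policy rather than with a KEXINIT mismatch; adding algorithms in ~/.ssh/config only changes what the client offers, so for that direction the update-crypto-policies route is the relevant one. The following simulator is an added example written for this page, not code from the question, the answer, or OpenSSH. It applies the RFC 4253 section 7.1 selection rule (the client's first preference that the server also lists) and the OpenSSH `+`, `-` and `^` list modifiers used in the answer's config snippet. The algorithm lists are constructed, abbreviated approximations chosen to reproduce the two logs; they are not the real KEXINIT contents of either host.

```python
"""Replay of the two SSH negotiation outcomes in the question, as a model.

Selection rule: RFC 4253 section 7.1 (first algorithm in the client's list
that the server also lists). List modifiers follow OpenSSH 8.x ssh_config
semantics. All algorithm lists below are constructed approximations.
"""
from fnmatch import fnmatchcase

# Constructed: what a CentOS 6 OpenSSH 5.3 peer offers (abbreviated).
CENTOS6_OPENSSH53 = {
    "cipher": ["aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-cbc", "3des-cbc"],
    "mac": ["hmac-sha1", "hmac-sha2-256", "hmac-sha2-512", "hmac-md5"],
    "kex": ["diffie-hellman-group-exchange-sha256",
            "diffie-hellman-group-exchange-sha1",
            "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "hostkey": ["ssh-rsa", "ssh-dss"],
}

# Constructed: an OpenSSH 8.7 client under a modern policy. ssh-rsa is kept
# at the end of the host-key list because the first log shows it negotiated.
RHEL9_SSH_CLIENT = {
    "cipher": ["aes256-gcm@openssh.com", "chacha20-poly1305@openssh.com",
               "aes256-ctr", "aes128-gcm@openssh.com", "aes128-ctr"],
    "mac": ["hmac-sha2-256-etm@openssh.com", "hmac-sha1-etm@openssh.com",
            "umac-128-etm@openssh.com", "hmac-sha2-256", "hmac-sha1"],
    "kex": ["curve25519-sha256", "curve25519-sha256@libssh.org",
            "ecdh-sha2-nistp256", "diffie-hellman-group-exchange-sha256",
            "diffie-hellman-group14-sha256", "diffie-hellman-group16-sha512"],
    "hostkey": ["ssh-ed25519", "ecdsa-sha2-nistp256", "rsa-sha2-512",
                "rsa-sha2-256", "ssh-rsa"],
}

# Constructed: the same host's sshd with ssh-rsa (SHA-1 signatures) absent
# from its host-key list, which is what the second log's failure implies.
RHEL9_SSHD = dict(RHEL9_SSH_CLIENT,
                  hostkey=["ssh-ed25519", "ecdsa-sha2-nistp256",
                           "rsa-sha2-512", "rsa-sha2-256"])


class NegotiationError(Exception):
    """A category with no algorithm both peers support ("no hostkey alg" etc.)."""


def apply_modifier(defaults, spec):
    """Apply an ssh_config algorithm directive to a default list.

    OpenSSH 8.x semantics: '+a,b' appends, '-a,b' removes (wildcards allowed),
    '^a,b' moves to the front, and a bare list replaces the defaults outright.
    """
    if spec[:1] == "+":
        return defaults + [a for a in spec[1:].split(",") if a not in defaults]
    if spec[:1] == "-":
        patterns = spec[1:].split(",")
        return [a for a in defaults
                if not any(fnmatchcase(a, p) for p in patterns)]
    if spec[:1] == "^":
        first = spec[1:].split(",")
        return first + [a for a in defaults if a not in first]
    return spec.split(",")


def pick(category, client_list, server_list):
    """RFC 4253: the client's first preference that the server also lists."""
    for alg in client_list:
        if alg in server_list:
            return alg
    raise NegotiationError(f"no {category} alg")


def negotiate(client, server):
    """Choose one algorithm per category, in the order OpenSSH checks them
    (ciphers and MACs before kex and host key, as the second log shows).
    Simplification: one cipher/MAC list stands in for the per-direction lists.
    """
    return {cat: pick(cat, client[cat], server[cat])
            for cat in ("cipher", "mac", "kex", "hostkey")}


def rhel9_client_to_centos6():
    """Direction 1 (RHEL 9 ssh -> CentOS 6 sshd): every category is agreed."""
    return negotiate(RHEL9_SSH_CLIENT, CENTOS6_OPENSSH53)


def centos6_client_to_rhel9(sshd_hostkey_directive=None):
    """Direction 2 (CentOS 6 ssh -> RHEL 9 sshd); returns (error, chosen).

    Without a directive the host-key intersection is empty. Applying
    '+ssh-rsa' to sshd's HostKeyAlgorithms (the opt-out route) lets it through.
    """
    server = RHEL9_SSHD
    if sshd_hostkey_directive:
        server = dict(RHEL9_SSHD, hostkey=apply_modifier(
            RHEL9_SSHD["hostkey"], sshd_hostkey_directive))
    try:
        return None, negotiate(CENTOS6_OPENSSH53, server)
    except NegotiationError as exc:
        return str(exc), None


if __name__ == "__main__":
    print("RHEL9 -> CentOS6:", rhel9_client_to_centos6())
    print("CentOS6 -> RHEL9:", centos6_client_to_rhel9())
    print("CentOS6 -> RHEL9 (+ssh-rsa):", centos6_client_to_rhel9("+ssh-rsa"))
```

Running it reproduces the first log's choices (diffie-hellman-group-exchange-sha256, ssh-rsa, aes256-ctr, hmac-sha2-256) and the second log's "no hostkey alg", and shows the latter clearing once ssh-rsa is appended on the sshd side. On a real host, `ssh -G rhel6.example.com` prints the effective client algorithm lists after ~/.ssh/config has been applied, and `ssh -Q hostkey` / `ssh -Q kex` list what the binary can support at all, which is the quickest way to confirm a `+` directive took effect.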