No kex alg openssh windows

[SOLVED] Openssh. Problem connecting to the server from outside

# 5 years, 8 months ago (edited 5 years, 8 months ago)
Good afternoon!
I set up Openssh following the wiki.
The problem is that from the Arch machine itself I can connect to the server:

When I try to connect from the office network via Putty on a Windows machine, the username/password prompt does not even appear.
Pings from that computer to the Arch machine go through.

iptables is not running, there are no rules.

Which direction should I look in?
sshd configuration:

In the putty settings, are you explicitly specifying that the user name bsscp must be used (AllowUsers bsscp)?

From the Windows machine, try connecting to port 22 with telnet from the command shell. If everything is fine, it should look something like this:

$ telnet 192.168.1.1 22
Trying 192.168.1.1.
Connected to 192.168.1.1.
Escape character is ‘^]’.
SSH-2.0-OpenSSH_6.9

After that we can dig further

Then try using a new session in putty rather than a saved one, without any settings. That is, simply enter the required address in the "Host name (or IP address)" field and try to connect.
If it works, you overdid the session settings. If not, you need to look at the logs. On the server side
on the putty side, enable logging in the "Session-Logging" menu

Good afternoon!
Solved the problem.

I installed Openssh on the Win machine. When trying to connect, it reported "no kex alg". Google gave a solution: add this line to sshd.conf:

© 2006-2021, Russian-speaking Arch Linux community.

no kex alg

If you run an ancient operating system with an old version of the SSH client, you are going to hit this “No Kex Alg” problem soon.

For example, Solaris 9

So what the hell is it? What’s causing it? Well, modern operating systems like Debian Jessie are packaged with OpenSSH 6.7 or newer, and OpenSSH 6.7 disables a number of ciphers, as per the changelog http://www.openssh.com/txt/release-6.7. As Russel rightly pointed out in the comments section below, “kex” is “key exchange”.
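How the failure arises during SSH key exchange, as an added example (not code from the original post): each side sends its algorithm name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1), and the first method on the client's list that the server also offers is chosen; with no common method the connection is dropped. The algorithm lists below are constructed samples and the function names are hypothetical.

```python
import struct

# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253, section 7.1).
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def build_kexinit(lists):
    """Encode a KEXINIT payload; fields absent from `lists` are sent empty."""
    out = bytes([20]) + bytes(16)  # message type 20, then a zeroed 16-byte cookie
    for field in FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        out += struct.pack(">I", len(names)) + names
    return out + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Decode a KEXINIT payload into {field: [algorithm names]}."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, result = 17, {}
    for field in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (size,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + size > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + size].decode("ascii")
        result[field] = raw.split(",") if raw else []
        pos += size
    return result

def negotiate(client_payload, server_payload, field="kex"):
    """Return the first name on the client's list that the server also offers, else None."""
    # Simplified: RFC 4253 adds host-key compatibility conditions for the kex choice.
    client, server = parse_kexinit(client_payload), parse_kexinit(server_payload)
    return next((n for n in client[field] if n in server[field]), None)

# Constructed proposals (not captured from the hosts discussed on this page).
OLD_CLIENT = build_kexinit({"kex": ["diffie-hellman-group-exchange-sha1",
                                    "diffie-hellman-group1-sha1"]})
NEW_SERVER = build_kexinit({"kex": ["curve25519-sha256@libssh.org",
                                    "ecdh-sha2-nistp256", "diffie-hellman-group14-sha1"]})
# The same server after an admin re-enables one legacy method.
RELAXED_SERVER = build_kexinit({"kex": ["curve25519-sha256@libssh.org",
                                        "diffie-hellman-group1-sha1"]})

if __name__ == "__main__":
    for label, srv in (("new", NEW_SERVER), ("relaxed", RELAXED_SERVER)):
        print(label, "server ->", negotiate(OLD_CLIENT, srv))
```

A result of `None` corresponds to the "no kex alg" condition: the two name-lists have no method in common.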


So it’s time to upgrade your client! However, if for some bizarre reason those pesky sysadmins refuse to upgrade the client software, that leaves you with two options:

  • if you have physical access to the client, simply spill coffee or some other beverage on it (alright, just joking)
  • or edit /etc/ssh/sshd_config on the server, append the following line and restart the sshd daemon

Now your old client should be able to connect to the server, plus you have successfully created a security vulnerability on your machine. How exciting!

If you’re still dying to know what mechanisms your system supports, run:

I know more about ssh ciphers, macs, kex now than I ever wanted to know.

6 Responses to “no kex alg”

Ha ha… yet I laugh with real joy.. since I have *finally* jailbroken my iPad and have just logged into it from one of my Linux boxes …! I got the Cydia stuff running on the iPad, and first install was OpenSSH package, but coming from an old Windows-XP box, with “ssh”, all I could get was this goofy “no kex alg” message.. – hmmm now to decode the linux-crypto-msg…? “no” is easy, probably means “no, you dumbguy!”… “kex” sounded like an ancient breakfast cereal, but “alg” – now that’s gotta be short for “algorithm” (finance hackers use “algo”, so pretty close, eh? .. ) but “kex” had me stumped. Now what could that be??
Of course, my SSH client on the winbox is ancient (and the iPad is Gen-0, from the days when Steve Jobs was still on earth), so probably it was an unsupported algo which my ancient winbox ssh used, but now is compromised and easy to hack? Am I getting a bit warm here?
Anyway, your webpage was really helpful. Thanx for taking the time to publish it.
I suppose a modern version of PuTTY might work? What I find really impressive, is that I can login to my old iPad version 1, and from a terminal session window on a CentOS Linux box, enter “ls -l --col”, and get a directory list with colour codings…
… Ok, I just tried it.
My Winbox “ssh” returns “no kex alg”, but old PuTTY with Blowfish and triple DES seems to work.
There. I can login to the *unix O/S running on my iPad, from my Windows-XP session, using an old version of PuTTY.
Just one dumb question: What the heck does “Kex” mean?
(I suppose I will have to break down, and actually look at the OpenSSH release notes, eh? )
– Rus


Ssh no kex alg windows

A Kex Algorithm is a Key Exchange algorithm. I won’t bore you with the details, but they are crucial to sshd negotiations. Apparently this problem is so obscure it gets empty results pages from google.

I have 2 trusty old boxes with Mandrake10 installed in about 2005. They’re beginning to show their age. I just acquired a newish box that I’m installing freshest and newest of everything.

Old boxes run sshd -V: OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090703f

New box runs sshd -V: OpenSSH_6.8p1, OpenSSL 1.0.2a 19 Mar 2015

A bit of a difference, huh? New box shells into old boxes fine. Not so the other way around.

Here’s some lovely debug output of the situation:

After much learning about ssh in general, I discover the 2 versions of sshd cannot agree on which cipher to use. I think about it and come to this conclusion: why teach the old dog new tricks, when I can teach the new dog old tricks.

I find a tidbit on some site that says you can add a Ciphers line in /etc/sshd/sshd_config like this:

This is where I started getting empty google results. Finally, on this site, I found this tidbit:

Now they agree on ciphers and kex algs. Perfect.

It’s not a problem; it’s supposed to be that way.

You’re using 6.8 in the new machine. In 6.7 those old algorithms were removed because they are unsafe: http://www.openssh.com/txt/release-6.7

Adding them back in rather defeats the purpose of using SSH. Then there is the old unsupported OS there. So you might find it better to upgrade your systems to a maintained version of your distro with a recent implementation of SSH.

Indeed. I read some of that stuff about keeping ahead of the NSA. Hey, now they’ve infiltrated the kernel with SELinux. The great Kernel War is right around the corner. I can just see geeks with pocket protectors shivving each other in the dimly lit corridors of the CS Faculty building the night before a new release.

I kinda figured that there was a reason for dropping the older algorithms, thanks for the link. I wanted to put this here for the benefit of others who may encounter the same problem issue, however unlikely.

In my defence, all I do is shell into the various PCs on my LAN, so I could be using telnet, but now I know a lot more about a tool I take for granted. As a matter of fact, with all the trouble getting ssh working full duplex through a PC generation gap, I seriously thought about it. My router keeps all ports
