What can't I connect to Rocky Linux 9.2 via ssh(error in libcrypto)?

Owned by Netsarang Support
Apr 11, 2024
1 min read

PROBLEM DESCRIPTION or QUESTION

I am unable to connect to Rocky Linux 9.2 (Blue Onyx) via ssh because of crypto-policy problems. When I set sudo update-crypto-policies --set LEGACY on the remote host, I can connect, but this isn’t a viable solution.

Xshell logs:
Connecting to ......
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
[19:06:06] Version exchange initiated...
[19:06:06] server: SSH-2.0-OpenSSH_8.7
[19:06:06] client: SSH-2.0-nsssh2_7.0.0030 NetSarang Computer, Inc.
[19:06:06] SSH2 is selected.
[19:06:06] SSH_MSG_IGNORE(2)
[19:06:06] Outgoing packet: 20 (0x14: SSH2_MSG_KEXINIT)
[19:06:06] Incoming packet: 20 (0x14: SSH2_MSG_KEXINIT)
[19:06:06] Algorithm negotiation initiated... (Dialog mode)
[19:06:06] key exchange: curve25519-sha256@libssh.org
[19:06:06] host key: ssh-rsa
[19:06:06] outgoing encryption: chacha20-poly1305@openssh.com
[19:06:06] incoming encryption: chacha20-poly1305@openssh.com
[19:06:06] outgoing mac: hmac-sha2-256-etm@openssh.com
[19:06:06] incoming mac: hmac-sha2-256-etm@openssh.com
[19:06:06] outgoing compression: none
[19:06:06] incoming compression: none
[19:06:06] Outgoing packet: 30 (0x1e: SSH2_MSG_KEXDH_INIT)
Connection closing...Socket close.

Connection closed by foreign host.

Rocky Linux logs:
fatal: mm_answer_sign: sign: error in libcrypto

How can I set up Xshell crypto settings to allow connection without configuring legacy crypto policies on the server side?

RESOLUTION

The root cause of this issue comes from OpenSSH's policy of deprecating the SHA1 based ssh-rsa algorithm in the latest servers. For more information, see here: https://www.openssh.com/txt/release-8.2

However, Xshell requires this algorithm for connecting to various SSH servers, new and old.

You have two choices to make this work while maintaining the server's crypto policies.

  1. Client side solution:
    In the Local Shell of Xshell, use the following command:

    set DisableHostKeySshRsa = 1


    The latest Openssh clients, including the Windows client, have this value set as the default. Xshell will also be adopting this as the default value in Version 8.

  2. Server side solution:
    In the sshd_config file, disable the rsa host key type for the server's host key.

    #HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ed25519_key