How to SSH into Legacy RHEL Servers Without Downgrading Crypto Policies

If you’re running a modern Linux client, such as Fedora 41, and need to SSH into older systems like RHEL6 without compromising security, you may encounter issues due to outdated cryptographic protocols. By default, Fedora uses newer encryption standards, which older servers don’t support, resulting in connection errors. Here, we’ll cover methods to establish a secure SSH connection without downgrading your crypto policies to “LEGACY.”

Issue Summary

The connection issue arises because older servers like RHEL6 often require SHA1-based algorithms that modern systems, which adhere to stricter crypto policies, no longer support. This can lead to errors like:

ssh_dispatch_run_fatal: Connection to [server IP] port 22: error in libcrypto

One workaround is to downgrade the crypto policy to “LEGACY” on your client machine:

sudo update-crypto-policies --set LEGACY

However, using “LEGACY” is generally not recommended due to security implications, especially when it’s only needed for specific hosts.

Solution 1: Custom SSH Configuration for Legacy Algorithms

To specify compatible algorithms without adjusting global policies, add the following configuration to your `~/.ssh/config` file:

Host [your-server]
  HostName [your-server’s-IP-or-domain]
  User [your-username]
  KexAlgorithms +diffie-hellman-group14-sha1
  MACs +hmac-sha1
  HostKeyAlgorithms +ssh-rsa
  PubkeyAcceptedKeyTypes +ssh-rsa
  PubkeyAcceptedAlgorithms +ssh-rsa

This approach sets legacy algorithms only for a specific host, leaving the rest of your system secure.

Solution 2: Enabling SHA1 at the OpenSSL Level

When older servers demand SHA1 signatures, you can enable SHA1 temporarily by configuring OpenSSL to allow these signatures. Create a custom OpenSSL configuration file:

.include /etc/ssl/openssl.cnf
[openssl_init]
alg_section = evp_properties
[evp_properties]
rh-allow-sha1-signatures = yes

Save this file (e.g., as `~/.ssh/openssl-sha1.cnf`) and point your SSH session to it:

OPENSSL_CONF=~/.ssh/openssl-sha1.cnf ssh [your-server]

This solution allows SHA1 only for that specific SSH session, ensuring your global OpenSSL configuration remains secure.

Summary

For those connecting from newer Linux distributions to legacy servers, these methods offer a secure way to maintain compatibility without downgrading system-wide policies. By customizing SSH configurations and using OpenSSL selectively, you ensure compatibility with legacy systems while adhering to modern security standards.

Resource

1. https://libguestfs.org/virt-v2v-input-xen.1.html#ssh-authentication

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *