Thursday, October 27, 2022

[Research] Fixing a failed ssh connection from CentOS Stream 9 to CentOS 6.10

2022-10-25

********************************************************************************

10.3.99.32 is the CentOS 6.10 host.

[user1@localhost ~]$ ssh root@10.3.99.32
The authenticity of host '10.3.99.32 (10.3.99.32)' can't be established.
RSA key fingerprint is SHA256:lovqRDFWqrS++sqlWTN4vFqGpGYommbXGZx9ZXKaaSs.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.3.99.32' (RSA) to the list of known hosts.
ssh_dispatch_run_fatal: Connection to 10.3.99.32 port 22: error in libcrypto  
[user1@localhost ~]$ 


CentOS 9 ships OpenSSL 3.0.1; CentOS 6.10 ships OpenSSL 1.0.

[user1@localhost ~]$ yum list | grep openssl
apr-util-openssl.x86_64                1.6.1-20.el9    
openssl.x86_64                         1:3.0.1-18.el9  
openssl-libs.x86_64                    1:3.0.1-18.el9  
openssl-pkcs11.x86_64                  0.4.11-7.el9    
xmlsec1-openssl.x86_64                 1.2.29-9.el9    
anope-openssl.x86_64                   2.0.11-1.el9    
compat-openssl11.i686                  1:1.1.1k-4.el9  
compat-openssl11.x86_64                1:1.1.1k-4.el9  
ghc-openssl-streams.x86_64             1.2.3.0-4.el9   
ghc-openssl-streams-devel.x86_64       1.2.3.0-4.el9   
ghc-openssl-streams-doc.noarch         1.2.3.0-4.el9   
ghc-openssl-streams-prof.x86_64        1.2.3.0-4.el9   
globus-gsi-openssl-error.x86_64        4.4-1.el9       
globus-gsi-openssl-error-devel.x86_64  4.4-1.el9       
globus-gsi-openssl-error-doc.noarch    4.4-1.el9       
globus-openssl-module.x86_64           5.2-2.el9       
globus-openssl-module-devel.x86_64     5.2-2.el9       
globus-openssl-module-doc.noarch       5.2-2.el9       
lighttpd-mod_openssl.x86_64            1.4.67-1.el9    
openssl.x86_64                         1:3.0.1-41.el9  
openssl-devel.i686                     1:3.0.1-41.el9  
openssl-devel.x86_64                   1:3.0.1-41.el9  
openssl-libs.i686                      1:3.0.1-41.el9  
openssl-libs.x86_64                    1:3.0.1-41.el9  
openssl-perl.x86_64                    1:3.0.1-41.el9  
openssl-pkcs11.i686                    0.4.11-7.el9    
python3-types-pyopenssl.noarch         21.0.1-2.el9    
rsyslog-openssl.x86_64                 8.2102.0-105.el9  
xmlsec1-openssl.i686                   1.2.29-9.el9    
[user1@localhost ~]$ 
 

CentOS 9 has no package named libcrypto (the package search returns nothing):

[user1@localhost ~]$ yum list | grep libcrypto
[user1@localhost ~]$ dnf list | grep libcrypto
[user1@localhost ~]$

OpenSSH on CentOS 9

[root@localhost ~]# dnf list | grep openssh
openssh.x86_64                         8.7p1-10.el9_0
openssh-clients.x86_64                 8.7p1-10.el9_0
openssh-server.x86_64                  8.7p1-10.el9_0
openssh-askpass.x86_64                 8.7p1-10.el9_0
openssh-keycat.x86_64                  8.7p1-10.el9_0
[root@localhost ~]#

CentOS 6.10 ships OpenSSL 1.0

[root@aplog ~]# yum list | grep openssl
openssl.x86_64                             1.0.1e-58.el6_10             @updates
openssl-devel.x86_64                       1.0.1e-58.el6_10             @updates
globus-gsi-openssl-error.i686              4.1-1.el6                    epel
globus-gsi-openssl-error.x86_64            4.1-1.el6                    epel
globus-gsi-openssl-error-devel.i686        4.1-1.el6                    epel
globus-gsi-openssl-error-devel.x86_64      4.1-1.el6                    epel
globus-gsi-openssl-error-doc.noarch        4.1-1.el6                    epel
globus-openssl-module.i686                 5.1-1.el6                    epel
globus-openssl-module.x86_64               5.1-1.el6                    epel
globus-openssl-module-devel.i686           5.1-1.el6                    epel
globus-openssl-module-devel.x86_64         5.1-1.el6                    epel
globus-openssl-module-doc.noarch           5.1-1.el6                    epel
krb5-pkinit-openssl.x86_64                 1.10.3-65.el6                base
openssl.i686                               1.0.1e-58.el6_10             updates
openssl-devel.i686                         1.0.1e-58.el6_10             updates
openssl-perl.x86_64                        1.0.1e-58.el6_10             updates
openssl-static.x86_64                      1.0.1e-58.el6_10             updates
openssl098e.i686                           0.9.8e-20.el6.centos.1       base
openssl098e.x86_64                         0.9.8e-20.el6.centos.1       base
xmlsec1-openssl.i686                       1.2.20-4.el6                 base
xmlsec1-openssl.x86_64                     1.2.20-4.el6                 base
xmlsec1-openssl-devel.i686                 1.2.20-4.el6                 base
xmlsec1-openssl-devel.x86_64               1.2.20-4.el6                 base
[root@aplog ~]# 

CentOS 6.10 has no package named libcrypto either:

[user1@localhost ~]$ yum list | grep libcrypto
[user1@localhost ~]$

OpenSSH on CentOS 6.10

[root@aplog ~]# yum list | grep openssh
openssh.x86_64                             5.3p1-124.el6_10             @updates
openssh-askpass.x86_64                     5.3p1-124.el6_10             @updates
openssh-clients.x86_64                     5.3p1-124.el6_10             @updates
openssh-server.x86_64                      5.3p1-124.el6_10             @updates
gsi-openssh.x86_64                         5.3p1-20.el6                 epel
gsi-openssh-clients.x86_64                 5.3p1-20.el6                 epel
gsi-openssh-server.x86_64                  5.3p1-20.el6                 epel
openssh-ldap.x86_64                        5.3p1-124.el6_10             updates
razorqt-openssh-askpass.x86_64             0.5.2-13.el6                 epel
[root@aplog ~]#


********************************************************************************

Solution

On CentOS 9, run update-crypto-policies to add the SHA1 subpolicy to the DEFAULT policy (CentOS 6.x does not support this command).

[root@localhost ~]# ssh root@10.3.99.32
ssh_dispatch_run_fatal: Connection to 10.3.99.32 port 22: error in libcrypto

[root@localhost ~]# update-crypto-policies --set DEFAULT:SHA1
Setting system policy to DEFAULT:SHA1
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
[root@localhost ~]# systemctl restart sshd
[root@localhost ~]# ssh root@10.3.99.32
root@10.3.99.32's password:
Permission denied, please try again.
root@10.3.99.32's password:
Last login: Tue Oct 25 10:15:40 2022 from 10.3.121.11
[root@host32 ~]#
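
The session above leaves DEFAULT:SHA1 active system-wide after the login. As an added example (not part of the original post), the wrapper below enables the SHA1 subpolicy only while one command runs and then restores the policy that was active before. The function names and the UCP variable are assumptions of this example; `--show` and `--set` are the tool's own options.

```shell
#!/bin/sh
# Added example: scope the SHA1 subpolicy to a single command.
# UCP (hypothetical variable) names the policy tool so that the wrapper
# can be pointed at a stub when testing without root.
UCP="${UCP:-update-crypto-policies}"

# Succeeds if the policy string (e.g. "DEFAULT:SHA1") already carries
# the SHA1 subpolicy.
policy_allows_sha1() {
    case "$1" in
        *:SHA1|*:SHA1:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the policy string to set so that SHA1 is enabled on top of "$1".
with_sha1() {
    if policy_allows_sha1 "$1"; then
        printf '%s\n' "$1"
    else
        printf '%s:SHA1\n' "$1"
    fi
}

# Run "$@" with SHA1 enabled, restore the previous policy afterwards,
# and pass the command's exit status through.
run_with_sha1() {
    _prev=$("$UCP" --show) || return 1
    _want=$(with_sha1 "$_prev")
    if [ "$_want" != "$_prev" ]; then
        "$UCP" --set "$_want" >/dev/null || return 1
    fi
    # Policies are read at application start-up, so a command started
    # here (such as a new ssh client) picks up the changed policy.
    _rc=0
    "$@" || _rc=$?
    if [ "$_want" != "$_prev" ]; then
        "$UCP" --set "$_prev" >/dev/null || return 1
    fi
    return "$_rc"
}

# Usage (as root): run_with_sha1 ssh root@10.3.99.32
```

The policy stays at DEFAULT:SHA1 for as long as the wrapped command runs, so an interactive ssh session keeps it enabled until logout.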

(End)

Related

https://access.redhat.com/solutions/6816771

https://github.com/openssl/openssl/issues/18420
