Sep 14 2015

If you run an ancient operating system with an old version of the SSH client, then you are going to hit this “No Kex Alg” problem soon.


For example, Solaris 9:

$ ssh -V
Sun_SSH_1.1, SSH protocols 1.5/2.0, OpenSSL 0x0090700f

So what the hell is it? What’s causing it? Well, modern operating systems like Debian Jessie ship with OpenSSH 6.7 or newer, and OpenSSH 6.7 disables a number of ciphers, as per the changelog http://www.openssh.com/txt/release-6.7 As Russel rightly pointed out in the comments section below, “kex” is “key exchange”.

So it’s time to upgrade your client! However, if for some bizarre reason those pesky sysadmins are refusing to upgrade the client software, then that leaves you with two options:

  • if you have physical access to the client, simply spill coffee or some other beverage on it (alright, just joking)
  • or edit /etc/ssh/sshd_config on the server, append the following line and restart the sshd daemon (note: the ECDH curve is nistp521; there is no nistp512, and sshd refuses to start on an unknown KexAlgorithms name)
KexAlgorithms diffie-hellman-group1-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1

Now your old client should be able to connect to the server, and you have also successfully created a security vulnerability on your machine. How exciting!

If you’re still dying to know what mechanisms your system supports, run:

ssh -Q cipher
ssh -Q mac
ssh -Q kex
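As an added example (not from the original post): a small POSIX sh helper that takes a key-exchange list, either the output of `ssh -Q kex` or the KexAlgorithms line above, and reports which entries are the legacy SHA-1 / 1024-bit-group methods that the override re-enables. Which names count as legacy is my own assumption for this example; the sample line is the one from the post.

```shell
#!/bin/sh
# Added example, not from the original post.  Reports which key-exchange
# algorithms in a list are legacy (SHA-1 based and/or the 1024-bit group1
# method).  The list may come from `ssh -Q kex` or from the KexAlgorithms
# line in sshd_config, comma- or newline-separated.  Which names count as
# legacy is an assumption made for this example.
LEGACY_KEX='diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha1'

# Print every legacy algorithm found in the list given as $1, one per line,
# in the order they appear.
legacy_kex_in() {
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
    while IFS= read -r alg; do
        [ -n "$alg" ] || continue
        if printf '%s\n' "$LEGACY_KEX" | grep -qxF -- "$alg"; then
            printf '%s\n' "$alg"
        fi
    done
}

# Given a whole sshd_config line ($1), return 0 when it is a KexAlgorithms
# directive free of legacy algorithms (or not a KexAlgorithms line at all),
# and 1 when it re-enables at least one.
kex_line_is_clean() {
    list=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*KexAlgorithms[[:space:]]*//p')
    [ -z "$(legacy_kex_in "$list")" ]
}

# Constructed sample: the override line suggested in the post above.
SAMPLE_LINE='KexAlgorithms diffie-hellman-group1-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1'

# Run with --demo to list the legacy entries of the sample line;
# on a real host, try:  legacy_kex_in "$(ssh -Q kex)"
if [ "${1:-}" = "--demo" ]; then
    legacy_kex_in "${SAMPLE_LINE#KexAlgorithms }"
fi
```

On the sample line the helper reports diffie-hellman-group1-sha1 and diffie-hellman-group14-sha1, which is exactly the part of the override worth removing again once the old client is gone.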

I know more about ssh ciphers, MACs and kex now than I ever wanted to know.


Jul 02 2015

The time has come: I need to start switching my mentality from SysV to modern init systems. Turns out that systemd thingy is not so bad! Actually, it’s pretty cool.

There is an interesting video from the Red Hat Summit 2015 (at the bottom of this page) which I wholeheartedly recommend, especially since it doesn’t apply solely to Red Hat: Debian Jessie uses systemd too.

My notes for the impatient:

  • Slice (each gets CPUShares=1024)
    user.slice
    system.slice  # services
    machine.slice # VMs, containers, etc.
  • Scope
  • Service


systemctl list-unit-files --no-pager|grep lvm
systemctl -t service list-unit-files
systemctl -t service
systemctl -t socket
systemctl -t socket list-unit-files
systemctl get-default
systemctl set-default multi-user.target # aka runlevel 3, no GUI
systemctl set-default graphical.target # aka runlevel 5
systemctl list-timers # can be used to periodically run fstrim, for example?
systemd-delta # what changed on the system compared to what the distributor originally shipped
systemctl rescue
systemctl emergency
systemd-cgtop # this is cool!
systemd-cgls
journalctl # logging. Entries carry trusted fields, which journald adds itself, and untrusted fields, which are generated by the logging app
journalctl -xn
journalctl -k -b -1
journalctl /dev/sda
journalctl /usr/bin/python-thinlinc
journalctl _SYSTEMD_UNIT=avahi-daemon.service
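As an added example (not from the original post) of why the trusted/untrusted distinction in the journalctl note matters: the untrusted SYSLOG_IDENTIFIER and MESSAGE fields are whatever the sending process wrote, while journald fills _COMM, _PID and _UID from the sender’s credentials. The POSIX sh/awk function below reads `journalctl -o export` style input (FIELD=value lines, entries separated by a blank line) and reports entries that label themselves “sshd” while the trusted _COMM field says otherwise. The sample entries and their cursor values are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post.  journald stores two kinds of
# fields per entry: untrusted ones (MESSAGE, SYSLOG_IDENTIFIER, ...) that the
# logging application fills in however it likes, and trusted ones
# (_COMM, _PID, _UID, _SYSTEMD_UNIT, ...) that journald sets itself from the
# sender's credentials.  This function reads `journalctl -o export` style
# input (FIELD=value lines, entries separated by a blank line) and reports
# entries that claim to be sshd via the untrusted identifier while the
# trusted _COMM says otherwise.  Binary-valued export fields are not handled.
spoofed_sshd_entries() {
    awk '
        function flush() {
            if (ident == "sshd" && comm != "" && comm != "sshd")
                printf "%s claims sshd but _COMM=%s (_PID=%s, _UID=%s)\n", cursor, comm, pid, uid
            ident = comm = pid = uid = cursor = ""
        }
        /^$/                  { flush(); next }
        /^SYSLOG_IDENTIFIER=/ { ident  = substr($0, 19) }
        /^_COMM=/             { comm   = substr($0, 7) }
        /^_PID=/              { pid    = substr($0, 6) }
        /^_UID=/              { uid    = substr($0, 6) }
        /^__CURSOR=/          { cursor = substr($0, 10) }
        END                   { flush() }
    '
}

# Constructed sample in export layout (cursor values shortened).  The second
# entry was written by an unprivileged process that merely labelled itself
# "sshd"; journald still recorded the real command name, PID and UID.
SAMPLE_EXPORT='__CURSOR=s=1
SYSLOG_IDENTIFIER=sshd
MESSAGE=Accepted publickey for root from 10.0.0.5
_COMM=sshd
_PID=812
_UID=0

__CURSOR=s=2
SYSLOG_IDENTIFIER=sshd
MESSAGE=Accepted password for root from 10.0.0.9
_COMM=logger
_PID=4321
_UID=1000

__CURSOR=s=3
SYSLOG_IDENTIFIER=cron
MESSAGE=(root) CMD (run-parts /etc/cron.hourly)
_COMM=cron
_PID=600
_UID=0'

# Run the constructed sample through the check.  On a live system, use:
#   journalctl -o export -b | spoofed_sshd_entries
demo_spoof_check() {
    printf '%s\n' "$SAMPLE_EXPORT" | spoofed_sshd_entries
}
```

The point is only to trust the underscore-prefixed fields when deciding who really wrote a log line; the same approach works for any identifier a service is expected to use, not just sshd.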

Check out systemd-based containers! I didn’t expect that.

man systemd-nspawn
mkdir /var/lib/container/debian-tree
debootstrap --arch=amd64 unstable /var/lib/container/debian-tree/
systemd-nspawn -D /var/lib/container/debian-tree/

or, assuming you have a bridge:

systemd-nspawn --network-bridge=br-eth0 -D /var/lib/container/ka-lite

This installs a minimal Debian unstable distribution into the directory /var/lib/container/debian-tree/ and then spawns a shell in a namespace container in it. Wow. I know you can use things like Linux Containers, but this systemd-nspawn is already there waiting to be used.

Have fun.