I have a couple of legacy SSH clients on my internal network (think 2000's era Macintoshes and the like) that are wholly incompatible with newer ciphers and key algorithms used in modern SSH implementations.
Getting these clients to work required adding diffie-hellman-group1-sha1
to KexAlgorithms
, and arcfour
to Ciphers
.
I understand that both of these are terribly, hopelessly broken from an encryption standpoint. Unfortunately, the host in question also has inbound access from the internet, and I really, really don't want to have these crap ciphers enabled if I can avoid it, but it was the fastest way to get my clients back online.
I've got a few questions about how to tighten this setup down:
-
Does sshd have a way to specify that certain addresses can use certain ciphers?
- Regarding this question from 2011: did sshd learn how to use
KexAlgorithms
andCiphers
inside of aMatch
block in the last 5 years?
- Regarding this question from 2011: did sshd learn how to use
-
Is there some way to put a bastion/jump server in front of the clients requiring weak encryption, and then forward that connection on to the host with stronger encryption?
-
Am I missing some other obvious way around this problem?
Best Answer
Yes. Simple examples are on the Legacy page of OpenSSH. In short:
Yes. You can set the legacy server to accept connections only from the jumpbox server for example using
/etc/hosts.allow
(tcp_wrappers
). For example:The users will then configure
ProxyCommand
to jump over thejumpbox
, such as