
Sysadmin cURL on CentOS 6 won't connect to CentOS 7

Discussion in 'System Administration' started by GASTAN, Aug 14, 2019.

  1. GASTAN

    GASTAN Member

    58
    9
    8
    Jun 28, 2017
    Ratings:
    +11
    Local Time:
    6:52 PM
    I wanted to upload a backup from one server to another and cannot make curl work.
    I finally found this on the destination server (in messages):
    no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]

    So I guess CentOS 6 uses older ciphers which CentOS 7 (sshd) does not like.
    But after a couple of hours of googling I cannot figure out how to fix this.
    I am so desperate I decided to write here, even though it's not really Centmin Mod related.

    Any ideas (alternatively other methods of uploading a file) are appreciated.
     
  2. eva2000

    eva2000 Administrator Staff Member

    41,088
    9,194
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +14,104
    Local Time:
    2:52 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Are the CentOS 6 and/or CentOS 7 servers Centmin Mod based?
     
  3. GASTAN

    GASTAN Member

    yup, updated yesterday
     
  4. eva2000

    eva2000 Administrator Staff Member

    What does the output for these 2 commands return for both the CentOS 6 and CentOS 7 servers?
    Code (Text):
    egrep '^KexAlgorithms|^Ciphers|^MACs' /etc/ssh/sshd_config
    

    Has CentOS 6 ever worked in the past with the CentOS 7 server for this?
     
  5. GASTAN

    GASTAN Member

    6:
    KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1


    7:
    KexAlgorithms [email protected],ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
    Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
    MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]
     
  6. eva2000

    eva2000 Administrator Staff Member

    Are you using curl to connect to sshd, or an ssh to sshd connection?

    You may need to use a tool other than curl on CentOS 6.

    https://bugzilla.redhat.com/show_bug.cgi?id=1688081

    Code (Text):
     If you disable sha-1 KEX/MACs in openssh then sftp is no longer
      able to connect on both RHEL 6 and 7.
    
      curl only supports the following:
    
        KEX algorithms: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]
        MACs ctos: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,[email protected] [preauth]
    
       openssh after removing sha-1:
    
         KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 [preauth]
         MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512 [preauth]
    
    
    Version-Release number of selected component (if applicable):
    
      curl-7.29.0-51.el7.x86_64
      openssh-7.4p1-16.el7.x86_64
    


    https://www.openssh.com/legacy.html

    The 3 in CentOS 6 (diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1) aren't specifically set up as supported in CentOS 7's KexAlgorithms, though I don't recall if CentOS 7 natively disabled them anyway. So you can try adding the missing ones to the CentOS 7 version, though as mentioned above it's less secure/weaker.
    Code (Text):
    KexAlgorithms [email protected],ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

    Then restart the sshd service.

    FYI, for posting code or output from commands to keep the formatting, you might want to use CODE tags for code: How to use forum BBCODE code tags :)
     
  7. GASTAN

    GASTAN Member

    Unfortunately it did not work.
    I added your line to CentOS 7 and restarted sshd, no joy.
    Now /var/log/secure says:

    Code:
     Unable to negotiate with [ip] port 54988: no matching MAC found. Their offer: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd16

    curl worked before (destination server was CentOS 6).

    Any idea what I should use instead?
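
The KEX error followed by the MAC error above is what SSH negotiation predicts: each algorithm list is matched separately, and sshd reports only the first list with no overlap. The script below is an added example, not part of any poster's message; it parses the sshd failure lines and checks them against a server config. The sample lines are constructed from the fully readable entries in this thread, and 192.0.2.10 is a placeholder address.

```python
import re

# sshd log wording -> sshd_config keyword that controls that algorithm list
CATEGORY = {"key exchange method": "KexAlgorithms", "cipher": "Ciphers", "MAC": "MACs"}
LOG_RE = re.compile(r"no matching (key exchange method|cipher|MAC) found\. Their offer: (\S+)")

def parse_config(text):
    """Return {keyword: [algorithms]} for KexAlgorithms/Ciphers/MACs lines."""
    conf = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in CATEGORY.values():
            conf[parts[0]] = parts[1].strip().split(",")
    return conf

def parse_offer(log_line):
    """Return (keyword, [client algorithms]) from an sshd failure line, else None."""
    m = LOG_RE.search(log_line)
    return (CATEGORY[m.group(1)], m.group(2).split(",")) if m else None

def negotiate(client, server):
    """RFC 4253 7.1: first algorithm on the client's list that the server also lists."""
    return next((alg for alg in client if alg in server), None)

def diagnose(log_lines, config_text):
    """Map each logged failure to what config_text would negotiate (None = still fails).
    A keyword missing from config_text is treated as an empty list; real sshd would
    fall back to its built-in defaults, which this sketch does not model."""
    conf = parse_config(config_text)
    result = {}
    for keyword, client in filter(None, map(parse_offer, log_lines)):
        result[keyword] = negotiate(client, conf.get(keyword, []))
    return result

# Constructed sample data: only the fully readable entries from the thread.
SHA1_KEX = "diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1"
LOGS = [
    "no matching key exchange method found. Their offer: " + SHA1_KEX + " [preauth]",
    "Unable to negotiate with 192.0.2.10 port 54988: no matching MAC found. "
    "Their offer: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96",
]
KEX = "KexAlgorithms ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256"
MACS = "MACs hmac-sha2-512,hmac-sha2-256"
EL7 = KEX + "\n" + MACS + "\n"
EL7_PLUS_SHA1_KEX = KEX + "," + SHA1_KEX + "\n" + MACS + "\n"

if __name__ == "__main__":
    print(diagnose(LOGS, EL7))                # neither list overlaps
    print(diagnose(LOGS, EL7_PLUS_SHA1_KEX))  # KEX now agrees, MACs still fail
```

A `None` for a keyword means the connection still fails at that step, which matches the MAC error that appeared once only `KexAlgorithms` had been extended.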
     
  8. GASTAN

    GASTAN Member

    I ended up with scp.
    Do you know of any free cloud storage that I could upload to from CentOS 6?
    I have some 50GB on mega.nz but I don't think I can scp there :(