I am in the process of taking the Practical Junior Penetration Tester (PJPT) course from TCM Security and immediately started experiencing problems as I was following the course material. One such issue actually prevented me from utilizing SSH to its full capacity.
As of Kali Linux 2022.1, it’s possible to configure your local SSH service in “wide-compatibility mode” in order for it to be able to connect to as many SSH servers as possible. You’ll almost certainly need to enable this option if you plan on doing any testing or scanning of older or vulnerable SSH servers.
Here are a couple examples of errors that I was experiencing in THC-Hydra that enabling wide-compatibility mode was able to resolve.
[ERROR] could not connect to ssh://172.16.0.25:22 - kex error : no match for method kex algos: server [diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1], client [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256]
[ERROR] could not connect to ssh://172.16.0.25:22 - ssh_set_client_kex: Out of memory
Enabling Wide-Compatibility Mode in Kali Linux
- Open a terminal, and execute
kali-tweaks
to launch the Kali Tweaks GUI. - Select
Hardening
from the Main Menu. - Enable the
SSH client
option, andApply
When this option is enabled a new SSH configuration is created at /etc/ssh/ssh_config.d/kali-wide-compat.conf
. The contents of my kali-wide-compat.conf
file look like this as of 2024-09-01
.
# The configuration below enables legacy ciphers and algorithms,
# to allow interacting with old servers that still use those.
#
# If the setting(s) in this file are not desirable, do NOT
# modify this file. Instead, start 'kali-tweaks' in a
# terminal and change the setting from there.
Host *
Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-dss,ssh-dss-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com
MACs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-md5-96,hmac-md5-96-etm@openssh.com,hmac-md5-etm@openssh.com,hmac-sha1-96,hmac-sha1-96-etm@openssh.com
PubkeyAcceptedAlgorithms ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-dss,ssh-dss-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com
Once this option is enabled you’ll need to restart the Linux SSH service using the following command.
sudo service ssh restart
or
sudo systemctl restart ssh
After SSH has finished restarting you should be able to connect to “outdated” SSH ciphers without any issues.
Happy penetration testing!