Hello All,

As all of you, I too ran a BBS in the 90s, some of you earlier, and have very good memories of that time.

Nowadays, with all the advances in information security, why are we still using a plaintext protocol like telnet to access a BBS?
Browsing the synchronet BBS list, I find only a handfull of BBSs that offer SSH access.

As far as I can tell, correct me if I'm wrong, Synchronet maybe using outdated/obsolete cryptography in it's SSH implementation.
I tried using a standard ssh client (openssh) and was unable to connect to any Synchronet BBS through SSH. The problem was always the same: Handshake failed. From what I could see, today's Linux Distributions have blacklisted some types of cryptos due to the fact that they are no longer secure.

I'm running Debian Linux and I know that I can use a better client, such as SyncTerm, but the fact that BBSs advertise their access through an insecure protocol like telnet is not safe, shouldn't we switch to a secure form of communication?

Looking forward to talking about this with you.

Best regards,
Pedro Silva

... MultiMail, the new multi-platform, multi-format offline reader!
--- MultiMail/Linux v0.49
þ Synchronet þ Vertrauen þ Home of Synchronet þ teln

Re: Telnet vs SSH
By: Pedro Silva to All on Sat Sep 24 2016 10:18 pm

As all of you, I too ran a BBS in the 90s, some of you earlier, and have very good memories of that time.

Me too! I guess I still run a BBS today because the BBS back in the day had such a large and good impact on my life.

Nowadays, with all the advances in information security, why are we still using a plaintext protocol like telnet to access a BBS?
Browsing the synchronet BBS list, I find only a handfull of BBSs that offer SSH access.

I guess we transitioned from dial-up to telnet and things have more or less stayed that way. I should advertise RLogin and SSH as well as telnet.

As far as I can tell, correct me if I'm wrong, Synchronet maybe using outdated/obsolete cryptography in it's SSH implementation.

Personaly I have never been all that worried about such things as security when I am telnetting around. All I ever do is download files, maybe play a game or two and possibly read or write a few messages.

It's true that someone could sniff my telnet session and get my password and masquerade around as me. So far that hasn't happened so maybe that is why I am lax about it. Maybe I should be a little more proactive about that.

I'm running Debian Linux and I know that I can use a better client, such as SyncTerm, but the fact that BBSs advertise their access through an insecure protocol like telnet is not safe, shouldn't we switch to a secure form of communication?

I almost always use syncterm for times when I want to login with ssh simply because I have zmodem and friends at my disposal. If it was possible to login with ssh proper, how would we transfer files?

... Remember when safe sex meant not getting caught?

---
þ Synchronet þ The Rusty MailBox - Penticton, BC Canada

Al wrote to Pedro Silva <=-

@TZ: c1e0
Re: Telnet vs SSH
By: Pedro Silva to All on
Sat Sep 24 2016 10:18 pm

I guess we transitioned from dial-up to telnet and things have more or less stayed that way. I should advertise RLogin and SSH as well as
telnet.

I almost always use syncterm for times when I want to login with ssh simply because I have zmodem and friends at my disposal. If it was possible to login with ssh proper, how would we transfer files?

Al, thank you for your feedback.

Yes, you're right that standard ssh clients usually don't support Y/X/Zmodem protocols for file transfers, that's why we have Syncterm and others.

What I really meant is to only advertise a secure protocol, such as SSH. As far as I know, none of the other protocols support crypto.
Even browsing the BBS through a web browser can be configured to use a free SSL certificate, such as letsencrypt.org, to encrypt all the traffic between the BBS and the user.

If I'm going to authenticate and transfer information on the Internet, I would rather use crypto to do it.

Best regards,
Pedro Silva

... MultiMail, the new multi-platform, multi-format offline reader!
--- MultiMail/Linux v0.49
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

Re: Telnet vs SSH
By: Pedro Silva to All on Sat Sep 24 2016 10:18 pm

Hello All,
I tried using a standard ssh client (openssh) and was unable to connect to any Synchronet BBS through SSH. The problem was always the same: Handshake failed. From what I could see, today's Linux Distributions have blacklisted some types of cryptos due to the fact that they are no longer secure.

strange. I've had no issues connecting to various systems using ssh from PuTTY or openssh from linux command line.

Are you forcing your connection to use only a single protocol ?

-Hemo

... Anything can be made to work if you fiddle with it long enough!

---
þ Synchronet þ - Running madly into the wind and screaming - bbs.ujoin

Re: Re: Telnet vs SSH
By: Pedro Silva to Al on Sun Sep 25 2016 12:44 am

Even browsing the BBS through a web browser can be configured to use a free SSL certificate, such as letsencrypt.org, to encrypt all the traffic between the BBS and the user.

I hadn't even thought of that. How do I get a certificate, and once I have it how do I install it in the server?

I'm not sure the Synchronet web server supports this.

... Math problems? Call 1-800-10*(24+13)-(64-16)/2^14E2.

-

Al wrote to Pedro Silva <=-

@TZ: c1e0
Re: Re: Telnet vs SSH
By: Pedro Silva to Al on
Sun Sep 25 2016 12:44 am

Even browsing the BBS through a web browser can be configured to use a free SSL certificate, such as letsencrypt.org, to encrypt all the traffic between the BBS and the user.

I hadn't even thought of that. How do I get a certificate, and once I
have it how do I install it in the server?

You get the certificate from the LetsEncrypt site. I don't know how to install a SSL certificate on Synchronet or if it's supported.
If Synchronet doesn't support SSL, it is possible to use a reverse proxy, with SSL, in front of Synchronet, such as Apache or Nginx.

Best regards,
Pedro Silva

... MultiMail, the new multi-platform, multi-format offline reader!
--- MultiMail/Linux v0.49
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

Hemo wrote to Pedro Silva <=-

@TZ: c168
Re: Telnet vs SSH
By: Pedro Silva to All on
Sat Sep 24 2016 10:18 pm

Hello All,
I tried using a standard ssh client (openssh) and was unable to connect to any Synchronet BBS through SSH. The problem was always the same: Handshake failed. From what I could see, today's Linux Distributions have blacklisted some types of cryptos due to the fact that they are no longer secure.

strange. I've had no issues connecting to various systems using ssh
from PuTTY or openssh from linux command line.

Are you forcing your connection to use only a single protocol ?

No, let me show it:

$ ssh guest@vert.synchro.net
Received disconnect from 71.95.196.34 port 22:2: Handshake failed
Disconnected from 71.95.196.34 port 22

$ ssh -vv guest@vert.synchro.net
OpenSSH_7.3p1 Debian-1, OpenSSL 1.0.2h 3 May 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "vert.synchro.net" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to vert.synchro.net [71.95.196.34] port 22.
debug1: Connection established.
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.3p1 Debian-1
debug1: Remote protocol version 2.0, remote software version cryptlib
debug1: no match: cryptlib
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to vert.synchro.net:22 as 'guest'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: 3des-cbc,aes128-cbc,blowfish-cbc
debug2: ciphers stoc: 3des-cbc,aes128-cbc,blowfish-cbc
debug2: MACs ctos: hmac-sha2-256,hmac-sha1,hmac-md5
debug2: MACs stoc: hmac-sha2-256,hmac-sha1,hmac-md5
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-cbc MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes128-cbc MAC: hmac-sha2-256 compression: none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<8192<8192) sent
Received disconnect from 71.95.196.34 port 22:2: Handshake failed
Disconnected from 71.95.196.34 port 22

If I explicit use KEX algorithm diffie-hellman-group1-sha1, I can connect:

$ ssh -o KexAlgorithms=diffie-hellman-group1-sha1 guest@vert.synchro.net
The authenticity of host 'vert.synchro.net (71.95.196.34)' can't be established.
RSA key fingerprint is SHA256:ykpQTWSMSyqkLXyWlNC7zfWvnxtt0wGCGk0ZLyWALog.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'vert.synchro.net,71.95.196.34' (RSA) to the list of known hosts.
guest@vert.synchro.net's password:

Synchronet BBS for Win32 Version 3.17
Connection from: 77.54.101.23
Resolving hostname...
<snip>

From what I understand, by default, Synchronet uses a deprecated SSH algorithm, which openssh can only use if forced.

From the OpenSSH legacy page (http://www.openssh.com/legacy.html):
"OpenSSH implements all of the cryptographic algorithms needed for compatibility with standards-compliant SSH implementations, but since some of the older algorithms have been found to be weak, not all of them are enabled by default."

Best regards,
Pedro Silva

... MultiMail, the new multi-platform, multi-format offline reader!
--- MultiMail/Linux v0.49
þ Synchronet þ Vertrauen þ Home of Synchron

Re: Re: Telnet vs SSH
By: Pedro Silva to Hemo on Sun Sep 25 2016 09:33 am

Hello All,
I tried using a standard ssh client (openssh) and was unable to
connect to any Synchronet BBS through SSH. The problem was always
the same: Handshake failed. From what I could see, today's Linux
Distributions have blacklisted some types of cryptos due to the fact
that they are no longer secure.

They aren't blacklisted, they just aren't enabled by default in the more recent versions of OpenSSH. Not all of the major distro's have adopted use of the more recent versions of OpenSSH yet. Why? I'm not certain, but I find plenty of 'current' linux OS's still using v5.something from 2013 releases.

strange. I've had no issues connecting to various systems using ssh
from PuTTY or openssh from linux command line.

No, let me show it:
$ ssh -vv guest@vert.synchro.net
OpenSSH_7.3p1 Debian-1, OpenSSL 1.0.2h 3 May 2016
debug1: Reading configuration data /etc/ssh/ssh_config
OpenSSH_7.3p1 Debian-1, OpenSSL 1.0.2h 3 May 2016
71.95.196.34 port 22:2: Handshake failed Disconnected from 71.95.196.34 port 22

I guess it's all in semantics then, even though I asked if you were limiting the connection, the fact is that the default behavior of OpenSSH has changed, and the new defaults are limiting the connections. It still works, it is just that OpenSSH developers have decided to alter the default behavior, and if you are installing fresh and not upgrading from a previous version that did not have that behavior, you see new defaults.

I've uprgaded from previous versions and am currently on 7.3p1 as well and the install/update did not change the default settings from prior install, so I am still able to connect without forcing anything.

If I explicit use KEX algorithm diffie-hellman-group1-sha1, I can connect: $ ssh -o KexAlgorithms=diffie-hellman-group1-sha1 guest@vert.synchro.net The authenticity of host 'vert.synchro.net (71.95.196.34)' can't be established.
Are you sure you want to continue connecting (yes/no)? yes guest@vert.synchro.net's password:

so it still works. for now...

From what I understand, by default, Synchronet uses a deprecated SSH algorithm, which openssh can only use if forced.

From the OpenSSH legacy page (http://www.openssh.com/legacy.html): "OpenSSH implements all of the cryptographic algorithms needed for compatibility with standards-compliant SSH implementations, but since some of the older algorithms have been found to be weak, not all of them are enabled by default."

again.. I guess it's in semantics. legacy is not the same as deprecated.
On the most recent release notes for OpenSSH, they are stating a future deprication, for now it is legacy and to get users accustomed to a future deprecation, they disable it by default. But only on new installations.

I note the most recent release of OpenSSH disables v1.3 and v1.5 protocols by default at compile time, yet I still have them enabled, so the distro providers have kept them 'enabled'. Likely so they don't have customers using OpenSSH suddenly not able to connect to remote locations they have no control over and are still using older versions.

I can see the desire to move on to 1024+ bit encyptions as a matter of default, don't get me wrong there. Though it might not be much longer and 1024 bit encryptions will be thought of as 'weak'.


-Hemo

... Take my advice, I don't use it anyway.

---
þ Synchronet þ - Running madly into the wind and screaming - bbs.ujoint.org

Hemo wrote to Pedro Silva <=-

@TZ: c168
Re: Re: Telnet vs SSH
By: Pedro Silva to Hemo on
Sun Sep 25 2016 09:33 am

again.. I guess it's in semantics. legacy is not the same as
deprecated. On the most recent release notes for OpenSSH, they are
stating a future deprication, for now it is legacy and to get users accustomed to a future deprecation, they disable it by default. But
only on new installations.

Hemo, thank you for your feedback.

You're right, semantics. They are legacy on their way to deprication.
Does Synchronet handle the SSH connections or is there an SSH server that relays the connections to Synchronet?

What's your opinion on advertising telnet access to the boards in 2016?

Best regards,
Pedro Silva

... MultiMail, the new multi-platform, multi-format offline reader!
--- MultiMail/Linux v0.49
þ Synchronet þ Vertrauen þ Home of Synchrone

Re: Re: Telnet vs SSH
By: Pedro Silva to Hemo on Sun Sep 25 2016 08:02 pm

[1m[34mRe[0m[34m: [1m[36mRe: Telnet vs SSH
[34mBy[0m[34m: [1m[36mPedro Silva [34mto [36mHemo [34mon
[36mSun Sep 25 2016 09:33 am[0m

again.. I guess it's in semantics. legacy is not the same as
deprecated. On the most recent release notes for OpenSSH, they are
stating a future deprication, for now it is legacy and to get users
accustomed to a future deprecation, they disable it by default. But
only on new installations.

Hemo, thank you for your feedback.

You're right, semantics. They are legacy on their way to deprication. Does Synchronet handle the SSH connections or is there an SSH server that relays the connections to Synchronet?

As far as I am aware, Synchronet is capable of handling connections directly, whether http/https, telnet, ssh, rlogin, etc.

What's your opinion on advertising telnet access to the boards in 2016?

I think it depends on a lot of variables. A lot of the boards don't have anything going on that requires anything extra-secure, and those that do likely aren't advertising themselves in the BBS List.

I myself am leaning towards removing telnet access, simply because it will greatly reduce the number of login attempts from scripted bots that are looking to exploit unsecured routers, etc.

--Hemo

... How do you tell when you're out of invisible ink?

---
þ Synchronet þ - Running madly into th

Hemo wrote to Pedro Silva <=-

What's your opinion on advertising telnet access to the boards in 2016?

I think it depends on a lot of variables. A lot of the boards don't
have anything going on that requires anything extra-secure, and those
that do likely aren't advertising themselves in the BBS List.

Although most boards give access to DOVE/Fido and other networks.
Using plaintext protocols could lead to impersonation of users and it's messages/content by stealing login credentials.

I myself am leaning towards removing telnet access, simply because it
will greatly reduce the number of login attempts from scripted bots
that are looking to exploit unsecured routers, etc.

Yes, scripted bots will hammer remote access services, even when not running on default ports.
There are several mitigations for this, on linux, one could use denyhosts or fail2ban to block repeating offending IP addresses.

Best regards,
Pedro Silva

... MultiMail, the new multi-platform, multi-format offline reader!
--- MultiMail/Linux v0.49
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

25 Sep 16 15:22, you wrote to Pedro Silva:

I myself am leaning towards removing telnet access, simply because it
will greatly reduce the number of login attempts from scripted bots
that are looking to exploit unsecured routers, etc.

just change the default port... you will have the same problems on other default ports for other protocols, too...

)\/(ark

Always Mount a Scratch Monkey
Do you manage your own servers? If you are not running an IDP/IPS yer doin' it wrong...
... ((((( In Stereo Where Available )))))
---
* Origin: (1:3634/12.73)
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

Re: Telnet vs SSH
By: mark lewis to Hemo on Mon Sep 26 2016 08:34 am

25 Sep 16 15:22, you wrote to Pedro Silva:

I myself am leaning towards removing telnet access, simply because
it will greatly reduce the number of login attempts from scripted
bots that are looking to exploit unsecured routers, etc.

just change the default port... you will have the same problems on other default ports for other protocols, too...

well.. yes, but I was specifically referring to the scripts that look to exploit telnet access on unsecured routers.

When it gets to a point that it prevents access for legitimate folk, then I will take action further than the IP bans that are currently auto-implemented.

-Hemo

... I don't make jokes. I just watch the government and report the facts.

---
þ Synchronet þ - Running madly into the wind and screaming - bbs.ujoint.org

El 25/09/16 a las 02:18, Pedro Silva escribió:

Hello All,

As all of you, I too ran a BBS in the 90s, some of you earlier, and have very good memories of that time.

Nowadays, with all the advances in information security, why are we still using
a plaintext protocol like telnet to access a BBS?
Browsing the synchronet BBS list, I find only a handfull of BBSs that offer SSH
access.

As far as I can tell, correct me if I'm wrong, Synchronet maybe using outdated/obsolete cryptography in it's SSH implementation.
I tried using a standard ssh client (openssh) and was unable to connect to any
Synchronet BBS through SSH. The problem was always the same: Handshake failed.
From what I could see, today's Linux Distributions have blacklisted some types
of cryptos due to the fact that they are no longer secure.

I'm running Debian Linux and I know that I can use a better client, such as SyncTerm, but the fact that BBSs advertise their access through an insecure protocol like telnet is not safe, shouldn't we switch to a secure form of communication?

Looking forward to talking about this with you.

Best regards,
Pedro Silva

Synchronet use cryplib to get the ssh secure protocol. I'm package
SyncTerm for deban and i can't make that are acepted due several
problems including the cryptlib usage =(

Ragnarok wrote to Pedro Silva <=-

Synchronet use cryplib to get the ssh secure protocol. I'm package SyncTerm for deban and i can't make that are acepted due several
problems including the cryptlib usage =(

I noticed it. When I tried to use the syncterm binary downloaded from it's website, it wouldn't connect through SSH because it couldn't find cryplib. Hence, I downloaded Syncterm's source, compiled it and it's working.

There is some other thread going on regarding packaging Syncterm on Debian.

Best regards,
Pedro Silva

... MultiMail, the new multi-platform, multi-format offline reader!
--- MultiMail/Linux v0.49
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

Pedro Silva wrote to All <=-

Hello All,

Ola Pedro, como vai? Que bom poder conversar em portugues. ;)

As all of you, I too ran a BBS in the 90s, some of you earlier, and
have very good memories of that time.

Nowadays, with all the advances in information security, why are we
still using a plaintext protocol like telnet to access a BBS?
Browsing the synchronet BBS list, I find only a handfull of BBSs that

Switching back to English, if the system you chose to use as a BBS system does
not support native SSH, you can always use a front-end service that will receive the SSH calls and transfer them via telnet to your system.

Ioram Sette from Brain Storm BBS did that really good, you can try ssh to
bsbbs@bsbbs.com.br.



---
.-----________________--_ ________.--'-`--.____ Hugs from Flavio Bessa \____==================_) \_'===================' Syzo of Saturn's Orbit
- -|__|-.______|=====/ `---' Netmail 4:801/189.1
Live long ` ù._ _ _ _~~~~~| fcbessa@gmail.com
and prosper... `-.__________,' Always UnionNET Addicted!


... "Gustavo!" "OOOIII!!!" - The Three Gustavos, 1 Encontro
--- MultiMail/Darwin v0.49
þ Synchronet þ Ninho do Abutre 2 BBS - Rio de Janeiro, Brazil

Re: Re: Telnet vs SSH
By: Pedro Silva to Hemo on Sun Sep 25 2016 09:33 am

Hemo wrote to Pedro Silva <=-

@TZ: c168
Re: Telnet vs SSH
By: Pedro Silva to All on
Sat Sep 24 2016 10:18 pm

Hello All,
I tried using a standard ssh client (openssh) and was unable to connect to any Synchronet BBS through SSH. The problem was always the same: Handshake failed. From what I could see, today's Linux Distributions have blacklisted some types of cryptos due to the fact that they are no longer secure.

strange. I've had no issues connecting to various systems using ssh from PuTTY or openssh from linux command line.

Are you forcing your connection to use only a single protocol ?

No, let me show it:

$ ssh guest@vert.synchro.net
Received disconnect from 71.95.196.34 port 22:2: Handshake failed Disconnected from 71.95.196.34 port 22

$ ssh -vv guest@vert.synchro.net
OpenSSH_7.3p1 Debian-1, OpenSSL 1.0.2h 3 May 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "vert.synchro.net" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to vert.synchro.net [71.95.196.34] port 22.
debug1: Connection established.
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.3p1 Debian-1
debug1: Remote protocol version 2.0, remote software version cryptlib debug1: no match: cryptlib
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to vert.synchro.net:22 as 'guest'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh -sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffi e-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group- exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext- info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa- sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nis tp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-s ha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,ae s256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc ,aes256-cbc,3des-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,ae s256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc ,aes256-cbc,3des-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha 2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.co m,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac- sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha 2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.co m,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac- sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha256,diffie-hellman- group-exchange-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: 3des-cbc,aes128-cbc,blowfish-cbc
debug2: ciphers stoc: 3des-cbc,aes128-cbc,blowfish-cbc
debug2: MACs ctos: hmac-sha2-256,hmac-sha1,hmac-md5
debug2: MACs stoc: hmac-sha2-256,hmac-sha1,hmac-md5
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-cbc MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes128-cbc MAC: hmac-sha2-256 compression: none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<8192<8192) sent
Received disconnect from 71.95.196.34 port 22:2: Handshake failed Disconnected from 71.95.196.34 port 22

If I explicit use KEX algorithm diffie-hellman-group1-sha1, I can connect:

$ ssh -o KexAlgorithms=diffie-hellman-group1-sha1 guest@vert.synchro.net
The authenticity of host 'vert.synchro.net (71.95.196.34)' can't be established.
RSA key fingerprint is SHA256:ykpQTWSMSyqkLXyWlNC7zfWvnxtt0wGCGk0ZLyWALog. Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'vert.synchro.net,71.95.196.34' (RSA) to the list of known hosts.
guest@vert.synchro.net's password:

Synchronet BBS for Win32 Version 3.17
Connection from: 77.54.101.23
Resolving hostname...
<snip>

From what I understand, by default, Synchronet uses a deprecated SSH algorithm, which openssh can only use if forced.

From the OpenSSH legacy page (http://www.openssh.com/legacy.html):
"OpenSSH implements all of the cryptographic algorithms needed for compatibility with standards-compliant SSH implementations, but since some of the older algorithms have been found to be weak, not all of them are enabled by default."

Pedro,

Just wanted to let you know that I took much of the detail you provided an added a new FAQ to the wiki: http://wiki.synchro.net/faq:tcpip#ssh_kex_algo

Thanks!

digital man

Synchronet "Real Fact" #90:
Synchronet/DSZ "hack" of '93: http://wiki.synchro.net/history:hack93
Norco, CA WX: 59.8øF, 90.0% humidity, 4 mph ESE wind, 0.00 inches rain/24hrs ---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net