Config to have "ssh too-old-host" error out (with chosen message, and sans actual connection attempt)?

Brian Candler b.candler at pobox.com
Mon Jun 30 22:34:06 AEST 2025


On 30/06/2025 13:14, Jochen Bern wrote:
> What I've seen getting *specifically* refused is my local ssh-agent 
> signing with the older (and shorter, 4kb) RSA keypair, but that 
> doesn't seem to explain *all* the now-failing connections, either

That's a 4096-bit RSA key pair? Can you show the error message?

If it's not fixed by

   PubkeyAcceptedAlgorithms +ssh-rsa
   HostKeyAlgorithms +ssh-rsa

then I don't know what the issue might be.

The other settings I sometimes need to apply for very old network 
devices are

   KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
   Ciphers +aes256-cbc,3des-cbc
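
The settings listed in the message above, scoped to a single host and filtered against what the local client build still supports; this is an added example, not part of the original post. The function names and the host name in the usage comment are hypothetical, and it assumes an OpenSSH client recent enough to accept a config keyword as the argument to `ssh -Q`.

```shell
#!/bin/sh
# Added example. Function names and the host name are hypothetical.

# supported_subset WANTED_CSV
# stdin: names the client supports, one per line (as printed by `ssh -Q`).
# stdout: the WANTED names found there, comma-joined, original order kept.
supported_subset() {
    supported=$(cat)
    out=
    old_ifs=$IFS
    IFS=,
    for name in $1; do
        # -x matches whole lines, so group1-sha1 does not match group14-sha1
        if printf '%s\n' "$supported" | grep -qxF -- "$name"; then
            out="${out:+$out,}$name"
        fi
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# emit_line KEYWORD WANTED_CSV
# Queries the local client with `ssh -Q KEYWORD` and prints an ssh_config
# line that re-enables only the wanted names this build still ships.
emit_line() {
    keep=$(ssh -Q "$1" 2>/dev/null | supported_subset "$2")
    if [ -n "$keep" ]; then
        printf '    %s +%s\n' "$1" "$keep"
    else
        printf '    # %s: none of %s supported by this client\n' "$1" "$2"
    fi
}

# legacy_stanza HOST
# Prints a Host block so the weaker algorithms apply to that host only.
legacy_stanza() {
    printf 'Host %s\n' "$1"
    emit_line PubkeyAcceptedAlgorithms ssh-rsa
    emit_line HostKeyAlgorithms ssh-rsa
    emit_line KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
    emit_line Ciphers aes256-cbc,3des-cbc
}

# Usage: sh legacy_stanza.sh old-switch.example >> ~/.ssh/config
if [ -n "${1:-}" ]; then
    legacy_stanza "$1"
fi
```

Running `ssh -G` with the same host name afterwards prints the effective configuration, which confirms that the relaxed lists apply to that host and not to others.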



More information about the openssh-unix-dev mailing list