SSH from RHEL 9 to RHEL 5 or RHEL 6

RHEL 9 no longer lets you ssh to RHEL ≤ 6 hosts out of the box. You can weaken security of the whole system but there’s no easy way to set security policy per remote host. Here’s how to set up ssh so it works for a RHEL 5 or RHEL 6 host:

First edit your .ssh/config file, adding an entry for the host:

Host rhel5or6-host
KexAlgorithms +diffie-hellman-group14-sha1
MACs +hmac-sha1
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa

(The lines except the first “Host” line should be indented. WordPress screws up the formatting …)

That’s not enough on its own, because RHEL 9 also maims the openssl library by disabling SHA1 support by default. To fix that, create /var/tmp/openssl.cnf with:

.include /etc/ssl/openssl.cnf
[openssl_init]
alg_section = evp_properties
[evp_properties]
rh-allow-sha1-signatures = yes

Now you can ssh to RHEL 5 or RHEL 6 hosts like this:

OPENSSL_CONF=/var/tmp/openssl.cnf ssh rhel5or6-host

Thanks Laszlo Ersek for working out most of this. Related bugs:

2064740 – RFE: Make it easier to configure LEGACY policy per service or per host

2062360 – RFE: Virt-v2v should replace hairy “enable LEGACY crypto” advice which a more targeted mechanism

Status of libguestfs in Fedora, RHEL

Status of libguestfs in Fedora and RHEL including future plans. Thank you Unicode box-drawing characters!

libguestfs RHEL 6.3 yum repo

You can now easily add the libguestfs RHEL 6.3 preview packages to your RHEL 6.2 system as a yum repo:

# cat <<EOF > /etc/yum.repos.d/libguestfs-RHEL-6.3-preview.repo
[libguestfs-RHEL-6.3-preview]
name=libguestfs RHEL 6.3 preview - x86_64
baseurl=http://people.redhat.com/~rjones/libguestfs-RHEL-6.3-preview/
enabled=1
gpgcheck=0
EOF

For more information, see the README file.

libguestfs preview packages for RHEL 6.2

For RHEL 6.0 we delivered an old, very safe version of libguestfs (1.2). Even before RHEL 6.0 was out, we knew we wanted to radically update libguestfs because we had many major new features, and we had improved the speed of libguestfs by 4 or 5 times. Thus the RHEL 6.0 → 6.1 rebase was substantial.

For RHEL 6.2 we are not planning any big changes, but nevertheless we are going to pull in over 100 upstream patches and fix dozens of bugs.

RHEL 6.2 libguestfs will have the same official version 1.7.17 but in reality it will be very similar to the upstream stable branch version 1.8.11, the package which has been getting a lot of testing and feedback in Fedora 14.

If you are using libguestfs in RHEL 6.1 now and you want try out libguestfs as it will look in RHEL 6.2, have a look at these preview packages:

http://people.redhat.com/~rjones/libguestfs-RHEL-6.2-preview/

libguestfs RHEL 6.1 preview packages updated

The latest and hopefully final preview packages are available here:

http://people.redhat.com/~rjones/rhel6.1-libguestfs-preview/

Updated libguestfs RHEL 6.1 preview packages

Updated packages are here now based on libguestfs 1.7.17.

Changes ahead for libguestfs RHEL 6.1 package

I previously said that libguestfs in RHEL 6.1 would be based on the recent upstream 1.6 release.

This plans have had to change slightly. It looks like we’ll rebase to 1.7.16 (a development version).

The reason is simply that to get into the next release of RHEV we had to remove the Perl dependencies on a number of key programs, because the tiny RHEV-H hypervisor [PDF] doesn’t have space to include Perl. Several programs like virt-inspector and virt-df had to be rewritten in C. We could backport all of the changes but they amount to nearly every change since 1.6 anyway.

What I do have to do is to meticulously check each C program precisely matches the old Perl version, in terms of output, command line arguments and so on, so that scripts written against RHEL 6.0 won’t break. But that’s what you pay Red Hat for.

Preview packages will be available here.

RHEL 6 public beta 1

We released the first public beta of Red Hat Enterprise Linux 6 today. You might be able to get it from the official Red Hat FTP site, but it was giving “421 There are too many connected users” errors just now. You can grab this unofficial mirror of the 64 bit DVD ISO instead. The official press release is here.

There are probably a fair few bugs — although not as many as the internal alphas I was playing with last year!

The highlights from my point of view: supported stable libguestfs, libguestfs tools and V2V, OCaml compiler (not supported), virt-top, and hivex.

Edit: Excellent interview with Tim Burke in The Register which also covers the main new features.