Since our release of Kali Linux 2022.1 it is possible to easily configure the SSH client for wider compatibility to allow Kali to talk to as many SSH servers as possible. In wide compatibility mode, legacy key exchange algorithms (such as diffie-hellman-*-sha1) and old ciphers (such as CBC) are enabled. As a result, tools used inside of Kali are able to communicate using these outdated methods. This is done to help increase Kali’s ability to talk to older, obsolete SSH servers that are still using these older protocols. Older services using this may be at end of life, thus increasing the chances of discovering vulnerabilities or other problems.

Note that this is not the default. Out of the box, the SSH client in Kali Linux is configured for Strong Security to enforce communication over more secure channels.

This setting can be changed easily using the kali-tweaks tool. Simply:

• Open a terminal and run kali-tweaks.
• From there, select the Hardening menu.
• Now you can choose between Strong Security (the default) and Wide Compatibility.

Note: This is achieved by creating or deleting the configuration file /etc/ssh/ssh_config.d/kali-wide-compat.conf.

As software and security advance, OpenSSH will remove features that are no longer commonly used from the default package. The Wide Compatibility mode mentioned above can enable features that are present in the package, but disabled by default. However, features that are really too old end up being completely removed. At this point, one has to resort to another SSH client: ssh1.

This package is, in practicality, OpenSSH frozen at version 7.5 (released in March 2017). It provides binaries for ssh, scp, and ssh-keygen, under the respective names ssh1, scp1 and ssh-keygen1. Why version 7.5, you might ask? Because this is the last release of OpenSSH that supports the SSH v.1 protocol. And as time passed, this old version became useful to keep using other removed features, notably support for DSA keys that was removed in version 9.8.

Starting with Kali weekly image 2024W40, and in upcoming release 2024.4, the package openssh-client-ssh1 is installed by default. For others who upgraded their system and need this functionality, it’s easy to just install the package:

kali@kali:~$ sudo apt update
[...]
kali@kali:~$
kali@kali:~$ sudo apt install -y openssh-client-ssh1
[...]
kali@kali:~$
kali@kali:~$ dpkg --listfiles openssh-client-ssh1 | grep bin/
/usr/bin/scp1
/usr/bin/ssh-keygen1
/usr/bin/ssh1
kali@kali:~$
kali@kali:~$ ssh1 -V
OpenSSH_7.5p1 Debian-17, OpenSSL 3.3.2 3 Sep 2024
kali@kali:~$

At some point in a near future, support for GSS-API will be split out into a separate package, in order to reduce the attack surface of the standard SSH package. Therefore the package openssh-client will come without support for GSS-API, and a separate package openssh-client-gssapi will need to be installed for those who need it.

For those running Kali rolling, and who want to make sure that GSS-API support doesn’t get removed in the future, you can pro-actively install the package:

kali@kali:~$ sudo apt update
[...]
kali@kali:~$
kali@kali:~$ sudo apt install -y openssh-client-gssapi
[...]
kali@kali:~$

Since the release of Kali Linux 2022.1, the SSH host keys are automatically generated if missing. This is achieved via the systemd service regenerate-ssh-host-keys.

So what are SSH host keys exactly? Those keys are required for the SSH server to be functional. They are supposed to be unique for each machine. Those keys can be found under /etc/ssh and are named ssh_host_*_key. This is how it usually looks like:

kali@kali:~$ ls -l /etc/ssh/ssh_host_*
-rw------- 1 root root 1373 Feb  3 23:50 /etc/ssh/ssh_host_dsa_key
-rw-r--r-- 1 root root  599 Feb  3 23:50 /etc/ssh/ssh_host_dsa_key.pub
-rw------- 1 root root  505 Feb  3 23:50 /etc/ssh/ssh_host_ecdsa_key
-rw-r--r-- 1 root root  171 Feb  3 23:50 /etc/ssh/ssh_host_ecdsa_key.pub
-rw------- 1 root root  399 Feb  3 23:50 /etc/ssh/ssh_host_ed25519_key
-rw-r--r-- 1 root root   91 Feb  3 23:50 /etc/ssh/ssh_host_ed25519_key.pub
-rw------- 1 root root 2590 Feb  3 23:50 /etc/ssh/ssh_host_rsa_key
-rw-r--r-- 1 root root  563 Feb  3 23:50 /etc/ssh/ssh_host_rsa_key.pub

Since these keys must be unique for each machine, they can’t be embedded in pre-built Kali images such as the Kali Linux VM images or the ARM images. It’s usually up to the user to create those keys before running the SSH server for the first time. However, for most users who are not familiar with SSH, this is a hurdle, as they are not aware of this technical detail.

To make it easier, Kali Linux now comes with a systemd service that takes care of that automatically, and generate those keys if they are missing. In theory, it’s only during a first boot of a pre-built image that the service kicks in. On subsequent boots, the keys already exist and therefore nothing happens. This may not be the case for users who may remove these keys themselves.

For those who are not comfortable with this automatic behavior, it’s very simple and straightforward to disable it:

kali@kali:~$ sudo systemctl disable regenerate-ssh-host-keys.service