Re: buster ssh problem
Glenn English <ghe2001@gmail.com> wrote:
> On Tue, Oct 31, 2017 at 9:45 PM, Don Armstrong <don@debian.org> wrote:
>> It's ~/.ssh/config.
> Typo, please excuse.
>> That's the Key-exchange algorithm.
> That kinda makes sense. It sounds like that has nothing to do with the
> problem, since there are no keys involved here.
There are. Both sides exchange a symmetric session key to use for the
connection. The public/private key which can be used with SSH has
nothing to do with this.
>> Generally, what happens is that older switches and hardware run ancient
>> versions of ssh which don't support modern encryption algorithms.
>>
>> Usually that means that for that specific host, you have to advertise
>> specific host configurations, like so (where cisco1841 is the switch's
>> hostname):
>>
>> Host cisco1841
>> KexAlgorithms diffie-hellman-group1-sha1
>> Ciphers aes128-cbc,3des-cbc
>> MACs hmac-md5,hmac-sha1
>>
>> in your ~/.ssh/config and then connect to the machine like so:
>>
>> ssh cisco1841;
> Sounds quite reasonable. Having a lame algorithm for just one host'll
> be no problem. But there's no 'config' of any sort in there.
What do you mean? Just create ~/.ssh/config and put a Host statement
like above inside it.
>> The real solution is to upgrade to a more recent version of IOS.
> IOS is way not FOSS. Lovely software, though.
It needn't be FOSS for you to download a newer version from the Cisco
website. (Only with a valid support contract of course.)
> [SOLVED] -- there seems to be a lot of chatter about this on the web.
> In /etc/ssh/ssh_config, I added 2 lines at the bottom of the file:
> KexAlgorithms diffie-hellman-group1-sha1
> Ciphers 3des-cbc
No, this is not the solution, as this will a) set this for every
connection and b) restrict the Cipher list to *only* this insecure
cipher.
Please read "man ssh_config". The Ciphers statement recognizes + and -
as prefixes to add or remove values without replacing the whole setting.
S°
--
Sigmentation fault. Core dumped.
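
A small checker for the two problems named in the last reply: legacy algorithms enabled for every connection, and an algorithm list that replaces the defaults instead of extending them with `+`. This is an added example, not part of the original thread; the `audit` function, its finding labels and the embedded sample configs are constructed for illustration, and the legacy set holds only the algorithm names mentioned in the thread.

```python
import re

# Algorithm names mentioned in the thread; treated as "legacy" for this check.
LEGACY = {"diffie-hellman-group1-sha1", "3des-cbc", "aes128-cbc",
          "hmac-md5", "hmac-sha1"}
ALGO_KEYS = {"kexalgorithms", "ciphers", "macs"}

def audit(config_text):
    """Return (line_no, finding) pairs for legacy algorithm settings."""
    findings = []
    is_global = True  # options before the first Host/Match apply to all hosts
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            is_global = "*" in value.split()
            continue
        if key == "match":
            is_global = value.lower() == "all"
            continue
        if key not in ALGO_KEYS:
            continue
        prefix = value[0] if value[0] in "+-^" else ""
        legacy = set(value[len(prefix):].split(",")) & LEGACY
        if prefix == "-" or not legacy:
            continue  # removing algorithms, or nothing legacy listed
        if is_global:
            findings.append((no, "global-legacy"))      # problem (a)
        if prefix == "":
            findings.append((no, "replaces-defaults"))  # problem (b)
    return findings

# Constructed sample: the two lines appended to /etc/ssh/ssh_config.
GLOBAL_FIX = "KexAlgorithms diffie-hellman-group1-sha1\nCiphers 3des-cbc\n"

# Constructed sample: per-host block in ~/.ssh/config using the + prefix.
PER_HOST = """Host cisco1841
    KexAlgorithms +diffie-hellman-group1-sha1
    Ciphers +aes128-cbc,3des-cbc
    MACs +hmac-md5,hmac-sha1
"""

if __name__ == "__main__":
    print(audit(GLOBAL_FIX))  # both lines flagged for (a) and (b)
    print(audit(PER_HOST))    # no findings
```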