
Suggested way to ssh into obsolete devices (with old ssh crypto)?



Hi, everybody, as a bullseye user I am seeing messages like 

| Unable to negotiate with 10.0.17.52 port 22: no matching 
| key exchange method found. Their offer: diffie-hellman-group1-sha1

with increasing frequency, especially when trying to ssh into
proprietary, obsolete stuff. Above comes from a Cisco 7941 IP
phone I toy around with at home, with no expectation of security
whatsoever, I might as well use telnet.

Some algorithms can be activated by using e.g. 
 -oKexAlgorithms=+diffie-hellman-group1-sha1
but I suppose it is only a question of time before some of this
really old and insecure stuff is compiled out or removed from
sources. It is also a bit difficult to find working combinations
of key exchange algorithms and ciphers for unknown older servers
(a lot of trial and error?).

What is the suggested way to work around that problem? Download
ssh sources from 15 years ago, and build a "ssh-insecure" binary?

What I do not want to do is change my "normal" configuration, e.g.
add these algorithms to my normal .ssh/config.

I suppose I am not the only one or first to have this problem, 
is there an elegant solution, that does not compromise security
in the dominating normal case (ssh into modern servers)?

Thanks in advance,
Ralph
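
An added example, not part of the original post: the "Unable to negotiate" errors quoted above can be collected and turned into a host-scoped ssh_config block, so the legacy algorithms apply to that one device only. The alias `oldphone`, the function names and the second sample message are constructed for illustration; the mapping assumes the OpenSSH client's error wording.

```python
import re

# OpenSSH client wording for each negotiation failure -> ssh_config option
OPTION_FOR = {
    "key exchange method": "KexAlgorithms",
    "host key type": "HostKeyAlgorithms",
    "cipher": "Ciphers",
    "MAC": "MACs",
}

FAILURE_RE = re.compile(
    r"Unable to negotiate with (\S+) port (\d+): "
    r"no matching (.+?) found\. Their offer: (\S+)"
)

def parse_failures(text):
    """Map (host, port) -> {option: [algorithms the server offered]}."""
    # Undo mail quoting ("| ", "> ") and line wrapping before matching.
    unquoted = re.sub(r"(?m)^[|> ]+", "", text)
    flat = " ".join(unquoted.split())
    found = {}
    for host, port, what, offer in FAILURE_RE.findall(flat):
        option = OPTION_FOR.get(what)
        if option is None:      # e.g. compression; not handled here
            continue
        algs = found.setdefault((host, port), {}).setdefault(option, [])
        for alg in offer.split(","):
            if alg not in algs:
                algs.append(alg)
    return found

def host_stanza(alias, host, port, options):
    """Render a Host block; '+' appends to the client's defaults."""
    lines = [f"Host {alias}", f"    HostName {host}", f"    Port {port}"]
    for option in sorted(options):
        lines.append(f"    {option} +{','.join(options[option])}")
    return "\n".join(lines)

# First message is the one quoted in the post; the second is constructed.
SAMPLE = """\
| Unable to negotiate with 10.0.17.52 port 22: no matching 
| key exchange method found. Their offer: diffie-hellman-group1-sha1
Unable to negotiate with 10.0.17.52 port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc
"""

if __name__ == "__main__":
    for (host, port), options in parse_failures(SAMPLE).items():
        print(host_stanza("oldphone", host, port, options))
```

Writing the stanza to a separate file and passing it with `ssh -F` leaves the default `~/.ssh/config` untouched. `ssh -Q kex` and `ssh -Q cipher` list what the local client still supports.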

