[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Suggested way to ssh into obsolete devices (with old ssh crypto)?

On Tue, Jul 06, 2021 at 10:40:00AM +0200, Ralph Aichinger wrote:
> Hi, everybody, as a bullseye user I am seeing messages like 
> | Unable to negotiate with port 22: no matching 
> | key exchange method found. Their offer: diffie-hellman-group1-sha1
> with increasing frequency, especially when trying to ssh into
> proprietary, obsolete stuff. Above comes from a Cisco 7941 IP
> phone I toy around with at home, with no expectation of security
> whatsoever, I might as well use telnet.
> Some algorithms can be activated by using e.g. 
>  -oKexAlgorithms=+diffie-hellman-group1-sha1
> but I suppose it is only a question of time before some of this
> really old and insecure stuff is compiled out or removed from
> sources. It is also a bit difficult to find working combinations
> of keyexchange algorithms and ciphers for unknown older servers
> (a lot of trial and error?).
> What is the suggested way to work around that problem? Download
> ssh sources from 15 years ago, and build a "ssh-insecure" binary?
> What I do not want to do is change my "normal" configuration, e.g.
> add these algorithms to my normal .ssh/config.
> I suppose I am not the only one or first to have this problem, 
> is there an elegant solution, that does not compromise security
> in the dominating normal case (ssh into modern servers)?
> Thanks in advance,
> Ralph
This also works the other way round: other older Linux [CentOS/Red Hat]  
can't work with Microsoft Windows or things expecting newer cipher suites

One way round is to keep a separate ssh config with manually edited lists
of what ciphers work with what - but it is not straightforward.
This will only get worse as we move to elliptic key, potentially.

All the best,

Andy C

Reply to: