
Re: Suggested way to ssh into obsolete devices (with old ssh crypto)?



On Tue, Jul 06, 2021 at 10:40:00AM +0200, Ralph Aichinger wrote:
> Hi, everybody, as a bullseye user I am seeing messages like 
> 
> | Unable to negotiate with 10.0.17.52 port 22: no matching 
> | key exchange method found. Their offer: diffie-hellman-group1-sha1
> 
> with increasing frequency, especially when trying to ssh into
> proprietary, obsolete stuff. Above comes from a Cisco 7941 IP
> phone I toy around with at home, with no expectation of security
> whatsoever, I might as well use telnet.
> 
> Some algorithms can be activated by using e.g. 
>  -oKexAlgorithms=+diffie-hellman-group1-sha1
> but I suppose it is only a question of time before some of this
> really old and insecure stuff is compiled out or removed from
> sources. It is also a bit difficult to find working combinations
> of key exchange algorithms and ciphers for unknown older servers
> (a lot of trial and error?).
> 
> What is the suggested way to work around that problem? Download
> ssh sources from 15 years ago, and build a "ssh-insecure" binary?
> 
> What I do not want to do is change my "normal" configuration, e.g.
> add these algorithms to my normal .ssh/config.
> 
> I suppose I am not the only one or first to have this problem, 
> is there an elegant solution, that does not compromise security
> in the dominating normal case (ssh into modern servers)?
> 
Like you, I have been using CLI options to the ssh command to adjust the
necessary algorithms if I need something "insecure".  My thought is that
once that no longer serves the purpose, I would set up a VM, container,
or chroot running Debian wheezy or jessie and then use the ssh command
from that environment.

Regards,

-Roberto

-- 
Roberto C. Sánchez
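
Added example, not part of either message above: a small shell helper that turns the OpenSSH client's "Unable to negotiate" line into the matching one-off `-o` option, so the legacy algorithm is enabled for a single connection and the normal configuration stays untouched. The function name `legacy_opt` is hypothetical, and the sample line is the error from the thread joined onto one line.

```shell
#!/bin/sh
# Map an OpenSSH "Unable to negotiate" error line to the -o option that
# re-enables the peer's offered algorithms for one connection only.
# legacy_opt is a hypothetical helper name, not part of OpenSSH.

legacy_opt() {
    line=$1

    # The peer's offer follows the literal text "Their offer: ".
    case $line in
        *"Their offer: "*) offer=${line##*"Their offer: "} ;;
        *) return 1 ;;
    esac
    offer=$(printf '%s' "$offer" | tr -d ' \r\n')

    # Accept only algorithm-name characters; the text comes from the remote
    # side and must not be passed on to a command line unchecked.
    case $offer in
        ''|*[!A-Za-z0-9@.,_+-]*) return 1 ;;
    esac

    # Each negotiation failure names the stage that had no common algorithm.
    case $line in
        *"no matching key exchange method found"*) key=KexAlgorithms ;;
        *"no matching host key type found"*)       key=HostKeyAlgorithms ;;
        *"no matching cipher found"*)              key=Ciphers ;;
        *"no matching MAC found"*)                 key=MACs ;;
        *) return 1 ;;
    esac

    # "+" appends to the client's defaults instead of replacing them.
    printf '%s\n' "-o${key}=+${offer}"
}

# Constructed sample: the error quoted in the thread, on one line.
sample='Unable to negotiate with 10.0.17.52 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1'
legacy_opt "$sample"
```

Names in the offer that the local client was built without are still rejected by ssh; `ssh -Q kex`, `ssh -Q cipher`, `ssh -Q mac` and `ssh -Q key` list what the installed client supports.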

