[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Suggested way to ssh into obsolete devices (with old ssh crypto)?

On 7/6/21, Ralph Aichinger <ra@pi.h5.or.at> wrote:
> Hi, everybody, as a bullseye user I am seeing messages like
> | Unable to negotiate with port 22: no matching
> | key exchange method found. Their offer: diffie-hellman-group1-sha1
> with increasing frequency, especially when trying to ssh into
> proprietary, obsolete stuff. Above comes from a Cisco 7941 IP
> phone I toy around with at home, with no expectation of security
> whatsoever, I might as well use telnet.
> Some algorithms can be activated by using e.g.
>  -oKexAlgorithms=+diffie-hellman-group1-sha1
> but I suppose it is only a question of time before some of this
> really old and insecure stuff is compiled out or removed from
> sources. It is also a bit difficult to find working combinations
> of keyexchange algorithms and ciphers for unknown older servers
> (a lot of trial and error?).

"ssh -v" might tell you enough about what's missing.  And then
ssh -Q kex
  to show available key exchange algorithms, and
ssh -Q cipher
  to show available ciphers

> What is the suggested way to work around that problem?

I like adding that stuff in the ~/.ssh/config file - ref. man ssh_config
for example:
$ head ~/.ssh/config

Host cerberus

User dante

KexAlgorithms +diffie-hellman-group1-sha1
# ssh -Q kex
#   show available key exchange algorithms

> What I do not want to do is change my "normal" configuration, e.g.
> add these algorithms to my normal .ssh/config.

Put all the special cases at the top of the config file and all of the
"normal" config stuff at the end, under
Host *


Reply to: