Re: Suggested way to ssh into obsolete devices (with old ssh crypto)?
On 7/6/21, Ralph Aichinger <ra@pi.h5.or.at> wrote:
> Hi, everybody, as a bullseye user I am seeing messages like
>
> | Unable to negotiate with 10.0.17.52 port 22: no matching
> | key exchange method found. Their offer: diffie-hellman-group1-sha1
>
> with increasing frequency, especially when trying to ssh into
> proprietary, obsolete stuff. Above comes from a Cisco 7941 IP
> phone I toy around with at home, with no expectation of security
> whatsoever, I might as well use telnet.
>
> Some algorithms can be activated by using e.g.
> -oKexAlgorithms=+diffie-hellman-group1-sha1
> but I suppose it is only a question of time before some of this
> really old and insecure stuff is compiled out or removed from
> sources. It is also a bit difficult to find working combinations
> of keyexchange algorithms and ciphers for unknown older servers
> (a lot of trial and error?).
"ssh -v" might tell you enough about what's missing. And then
ssh -Q kex
to show available key exchange algorithms, and
ssh -Q cipher
to show available ciphers
> What is the suggested way to work around that problem?
I like adding that stuff in the ~/.ssh/config file - ref. man ssh_config
for example:
$ head ~/.ssh/config
Host cerberus 10.10.2.1
User dante
KexAlgorithms +diffie-hellman-group1-sha1
# ssh -Q kex
# show available key exchange algorithms
> What I do not want to do is change my "normal" configuration, e.g.
> add these algorithms to my normal .ssh/config.
Put all the special cases at the top of the config file and all of the
"normal" config stuff at the end, under
Host *
Regards,
Lee
Reply to: