
Re: buster ssh problem

On Tue, 31 Oct 2017, Glenn English wrote:
> So I looked around a bit, and the openssh website says that's an
> insecure algorithm, but I can enable it if I want to by putting some
> text in ~/.ssh.config. Except there is no ~/.ssh.config. I created one
> and put what I think is the recommended text in it, but no joy.

It's ~/.ssh/config.

> I put 'KexAlgorithms +diffie-hellman-group1-sha1' in
> /etc/ssh/ssh_config, and ssh still says it can't find a good
> algorithm, and gives me another list of possibilities. I assume that
> list is coming from the router, and I have no idea what 'Kex' means

That's the Key-exchange algorithm.

> Anybody know what's going on? And how to fix it?

Generally, what happens is that older switches and hardware run ancient
versions of ssh which don't support modern encryption algorithms.

Usually that means that for that specific host, you have to advertise
specific host configurations, like so (where cisco1841 is the switch's
hostname):

Host cisco1841
     # Legacy algorithms re-enabled for this one host only, not globally
     KexAlgorithms diffie-hellman-group1-sha1
     Ciphers aes128-cbc,3des-cbc
     MACs hmac-md5,hmac-sha1

in your ~/.ssh/config and then connect to the machine like so:

ssh cisco1841

If it doesn't work, run ssh -vv cisco1841; and see what is being
advertised, and adjust your options to suit.

The real solution is to upgrade to a more recent version of IOS.

-- 
Don Armstrong                      https://www.donarmstrong.com

If it jams, force it. If it breaks, it needed replacing anyway.
 -- Lowery's Law
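The procedure in the reply above (read what the device advertises, then add a per-host stanza to ~/.ssh/config) can be mechanised. The following is an added example, not code from the original thread or from OpenSSH: it parses the "Unable to negotiate ... Their offer:" lines that OpenSSH 7.x prints when key exchange, cipher or MAC negotiation fails, picks the least-weak algorithm the device offers, and emits a Host stanza that re-enables only that algorithm, only for that host, using the `+` append syntax so the client's modern defaults are kept. The strongest-first ranking in `_PREFERENCE`, the alias `cisco1841` and the address 192.0.2.10 are this example's own assumptions, and the sample error lines are constructed.

```python
"""Turn OpenSSH "no matching ... found. Their offer:" errors into a
scoped ~/.ssh/config Host stanza.

Added example for this thread; it is not code from the original post.
The error-line format matches OpenSSH 7.x; the preference lists below
are this example's own ranking (an assumption), not an OpenSSH table.
"""
import re

# OpenSSH negotiation failure, e.g.
#   Unable to negotiate with 192.0.2.10 port 22: no matching key exchange
#   method found. Their offer: diffie-hellman-group1-sha1
_FAIL_RE = re.compile(
    r"Unable to negotiate with (?P<host>\S+) port (?P<port>\d+): "
    r"no matching (?P<what>key exchange method|cipher|MAC) found\. "
    r"Their offer: (?P<offer>\S+)"
)

# Map the error wording to the ssh_config keyword it corresponds to.
_KEYWORD = {
    "key exchange method": "KexAlgorithms",
    "cipher": "Ciphers",
    "MAC": "MACs",
}

# Strongest-first ranking used to pick the least-weak option the peer
# offers.  Assumption of this example, not an OpenSSH-defined order.
_PREFERENCE = {
    "KexAlgorithms": [
        "diffie-hellman-group-exchange-sha256",
        "diffie-hellman-group14-sha256",
        "diffie-hellman-group14-sha1",
        "diffie-hellman-group-exchange-sha1",
        "diffie-hellman-group1-sha1",
    ],
    "Ciphers": ["aes256-ctr", "aes128-ctr", "aes256-cbc", "aes128-cbc", "3des-cbc"],
    "MACs": ["hmac-sha2-256", "hmac-sha1", "hmac-md5"],
}


def parse_failure(line):
    """Return (host, keyword, [offered...]) or None if the line is not a
    negotiation failure."""
    m = _FAIL_RE.search(line)
    if not m:
        return None
    return m.group("host"), _KEYWORD[m.group("what")], m.group("offer").split(",")


def pick_algorithm(keyword, offered):
    """Choose the highest-ranked algorithm the peer offered; None if the
    offer contains nothing in our ranking."""
    for candidate in _PREFERENCE[keyword]:
        if candidate in offered:
            return candidate
    return None


def build_host_stanza(alias, lines):
    """Build a Host stanza that re-enables, only for `alias`, the single
    best algorithm from each failure line.  The `+` prefix appends to the
    client's default list instead of replacing it, so nothing modern is
    dropped for this host and nothing legacy is enabled for other hosts."""
    settings = {}
    hostname = None
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        host, keyword, offered = parsed
        hostname = hostname or host
        choice = pick_algorithm(keyword, offered)
        if choice is not None:
            settings[keyword] = choice
    if hostname is None:
        return ""
    out = [f"Host {alias}", f"    HostName {hostname}"]
    for keyword in ("KexAlgorithms", "Ciphers", "MACs"):
        if keyword in settings:
            out.append(f"    {keyword} +{settings[keyword]}")
    return "\n".join(out) + "\n"


# Constructed sample: three successive ssh attempts against an old router,
# each one failing one step further into the negotiation.
SAMPLE_ERRORS = [
    "Unable to negotiate with 192.0.2.10 port 22: no matching key exchange "
    "method found. Their offer: diffie-hellman-group1-sha1",
    "Unable to negotiate with 192.0.2.10 port 22: no matching cipher found. "
    "Their offer: aes128-cbc,3des-cbc",
    "Unable to negotiate with 192.0.2.10 port 22: no matching MAC found. "
    "Their offer: hmac-md5,hmac-sha1",
]

if __name__ == "__main__":
    # Paste the output into ~/.ssh/config, then verify with: ssh -vv cisco1841
    print(build_host_stanza("cisco1841", SAMPLE_ERRORS), end="")
```

Run it and append the printed stanza to ~/.ssh/config; `ssh -vv cisco1841` then shows whether the advertised lists now overlap. Scoping the legacy options to one Host block, and appending with `+` rather than listing algorithms outright, keeps the weak choices from becoming the default for every other connection.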