Web lists-archives.com

Re: buster ssh problem

On Tue, Oct 31, 2017 at 9:45 PM, Don Armstrong <don@xxxxxxxxxx> wrote:

> It's ~/.ssh/config.

Typo, please excuse.

> That's the Key-exchange algorithm.

That kinda makes sense. It sounds like that has nothing to do with the
problem, since there are no keys involved here.

> Generally, what happens is that older switches and hardware run ancient
> versions of ssh which don't support modern encryption algorithms.
> Usually that means that for that specific host, you have to advertise
> specific host configurations, like so (where cisco1841 is the switch's
> hostname):
> Host cisco1841
>      KexAlgorithms diffie-hellman-group1-sha
>      Ciphers aes128-cbc,3des-cbc
>      MACs hmac-md5,hmac-sha1
> in your ~/.ssh/config and then connect to the machine like so:
> ssh cisco1841;

Sounds quite reasonable. Having a lame algorithm for just one host'll
be no problem. But there's no 'config' of any sort in there.

> The real solution is to upgrade to a more recent version of IOS.

IOS is way not FOSS. Lovely software, though.

[SOLVED] -- there seems to be a lot of chatter about this on the web.

In /etc/ssh/ssh_config, I added 2 lines at the bottom of the file:

    KexAlgorithms diffie-hellman-group1-sha1
    Ciphers 3des-cbc

(3des-cbc is one the router offered)

Then I rebuilt the keys and restarted ssh. Worked.

I don't think I set the weak algorithm to just the router, though, and
I doubt this is as good a config as suggested. But I didn't have to
figure out the ~/.ssh/config problem, and I'm back on the air -- until
next openSSH upgrade, I suspect :-)

Thanks much for the help and explanation.

Glenn English