Re: Suggested way to ssh into obsolete devices (with old ssh crypto)?
On Tue, Jul 06, 2021 at 10:40:00AM +0200, Ralph Aichinger wrote:
> Hi, everybody, as a bullseye user I am seeing messages like
>
> | Unable to negotiate with 10.0.17.52 port 22: no matching
> | key exchange method found. Their offer: diffie-hellman-group1-sha1
>
> with increasing frequency, especially when trying to ssh into
> proprietary, obsolete stuff. Above comes from a Cisco 7941 IP
> phone I toy around with at home, with no expectation of security
> whatsoever, I might as well use telnet.
>
> Some algorithms can be activated by using e.g.
> -oKexAlgorithms=+diffie-hellman-group1-sha1
> but I suppose it is only a question of time before some of this
> really old and insecure stuff is compiled out or removed from
> sources. It is also a bit difficult to find working combinations
> of keyexchange algorithms and ciphers for unknown older servers
> (a lot of trial and error?).
>
> What is the suggested way to work around that problem? Download
> ssh sources from 15 years ago, and build a "ssh-insecure" binary?
>
> What I do not want to do is change my "normal" configuration, e.g.
> add these algorithms to my normal .ssh/config.
>
> I suppose I am not the only one or first to have this problem,
> is there an elegant solution, that does not compromise security
> in the dominating normal case (ssh into modern servers)?
>
> Thanks in advance,
> Ralph
>
This also works the other way round: other older Linux [CentOS/Red Hat]
can't work with Microsoft Windows or things expecting newer cipher suites
One way round is to keep a separate ssh config with manually edited lists
of what ciphers work with what - but it is not straightforward.
This will only get worse as we move to elliptic key, potentially.
All the best,
Andy C
Reply to: