On Tue, 31 Oct 2017, Glenn English wrote:
> So I looked around a bit, and the openssh website says that's an
> insecure algorithm, but I can enable it if I want to by putting some
> text in ~/.ssh.config. Except there is no ~/.ssh.config. I created one
> and put what I think is the recommended text in it, but no joy.

It's ~/.ssh/config.

> I put 'KexAlgorithms +diffie-hellman-group1-sha1' in
> /etc/ssh/ssh_config, and ssh still says it can't find a good
> algorithm, and gives me another list of possibilities. I assume that
> list is coming from the router, and I have no idea what 'Kex' means

That's the Key-exchange algorithm.

> Anybody know what's going on? And how to fix it?

Generally, what happens is that older switches and hardware run
ancient versions of ssh which don't support modern encryption
algorithms. Usually that means that for that specific host, you have
to advertise specific host configurations, like so (where cisco1841 is
the switch's hostname):

Host cisco1841
     KexAlgorithms diffie-hellman-group1-sha1
     Ciphers aes128-cbc,3des-cbc
     MACs hmac-md5,hmac-sha1

in your ~/.ssh/config and then connect to the machine like so:

ssh cisco1841;

If it doesn't work, run

ssh -vv cisco1841;

and see what is being advertised, and adjust your options to suit.

The real solution is to upgrade to a more recent version of IOS.

-- 
Don Armstrong                      https://www.donarmstrong.com

If it jams, force it. If it breaks, it needed replacing anyway.
 -- Lowery's Law
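
The `ssh -vv` step above, as an added example that is not part of the original message: a filter that compares the client and peer KEXINIT proposals and prints a `Host` stanza only for the categories where the two lists share nothing. The function names `suggest_legacy_opts` and `sample_vv_output` are hypothetical, the sample debug lines are constructed, and the `debug2: ... KEXINIT proposal` line format is assumed to match what the installed OpenSSH client prints.

```shell
#!/bin/sh
# Added example: turn `ssh -vv` KEXINIT debug lines into a per-host stanza.
# Assumes the OpenSSH "debug2: ... KEXINIT proposal" output format.

suggest_legacy_opts() {   # $1 = Host alias; ssh -vv output on stdin
    awk -v host="$1" '
    function emit(key, opt,    n, i, mine, theirs, have) {
        if (offer["peer", key] == "") return           # category not seen
        n = split(offer["local", key], mine, ",")
        for (i = 1; i <= n; i++) have[mine[i]] = 1
        n = split(offer["peer", key], theirs, ",")
        for (i = 1; i <= n; i++) if (theirs[i] in have) return  # overlap: keep defaults
        printf "    %s +%s\n", opt, offer["peer", key]
    }
    /^debug2: local client KEXINIT proposal/ { side = "local"; next }
    /^debug2: peer server KEXINIT proposal/  { side = "peer";  next }
    # client-to-server lists only; devices normally offer the same set both ways
    side != "" && /^debug2: (KEX algorithms|ciphers ctos|MACs ctos): / {
        line = $0; sub(/^debug2: /, "", line)
        key = line; sub(/: .*/, "", key)
        val = line; sub(/^[^:]*: /, "", val)
        offer[side, key] = val
    }
    END {
        print "Host " host
        emit("KEX algorithms", "KexAlgorithms")
        emit("ciphers ctos", "Ciphers")
        emit("MACs ctos", "MACs")
    }'
}

# Constructed sample of what an old device might advertise (not captured output).
sample_vv_output() {
    cat <<'EOF'
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha1
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha2-256,hmac-sha1
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group1-sha1
debug2: ciphers ctos: aes128-cbc,3des-cbc
debug2: MACs ctos: hmac-sha1,hmac-md5
EOF
}

sample_vv_output | suggest_legacy_opts cisco1841
# Real use: ssh -vv cisco1841 2>&1 | suggest_legacy_opts cisco1841
```

The `+` prefix appends to the client defaults instead of replacing them, and the stanza applies to that one host only. Trim each emitted list to the single algorithm you actually need before pasting it into ~/.ssh/config.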