On Tue, Oct 31, 2017 at 9:45 PM, Don Armstrong <d...@debian.org> wrote:
> It's ~/.ssh/config.

Typo, please excuse.

> That's the Key-exchange algorithm.

That kinda makes sense. It sounds like that has nothing to do with the
problem, since there are no keys involved here.

> Generally, what happens is that older switches and hardware run ancient
> versions of ssh which don't support modern encryption algorithms.
>
> Usually that means that for that specific host, you have to advertise
> specific host configurations, like so (where cisco1841 is the switch's
> hostname):
>
> Host cisco1841
>     KexAlgorithms diffie-hellman-group1-sha1
>     Ciphers aes128-cbc,3des-cbc
>     MACs hmac-md5,hmac-sha1
>
> in your ~/.ssh/config and then connect to the machine like so:
>
> ssh cisco1841;

Sounds quite reasonable. Having a lame algorithm for just one host'll be
no problem. But there's no 'config' of any sort in there.

> The real solution is to upgrade to a more recent version of IOS.

IOS is way not FOSS. Lovely software, though.

[SOLVED] -- there seems to be a lot of chatter about this on the web.

In /etc/ssh/ssh_config, I added 2 lines at the bottom of the file:

    KexAlgorithms diffie-hellman-group1-sha1
    Ciphers 3des-cbc

(3des-cbc is one the router offered)

Then I rebuilt the keys and restarted ssh. Worked.

I don't think I set the weak algorithm to just the router, though, and I
doubt this is as good a config as suggested. But I didn't have to figure
out the ~/.ssh/config problem, and I'm back on the air -- until next
OpenSSH upgrade, I suspect :-)

Thanks much for the help and explanation.

--
Glenn English
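
An added example (not from the thread and not part of OpenSSH): a shell check that reports whether legacy algorithms in an ssh_config-style file apply to every host or only to a named Host block, which is the difference between the two configurations discussed in this message. The function names, the constructed sample files and the LEGACY list (limited to algorithm names that appear in the thread) are assumptions.

```shell
#!/bin/sh
# Added example: report legacy SSH client algorithms and the scope they apply to.
# LEGACY holds only the algorithm names that appear in this thread.
LEGACY='diffie-hellman-group1-sha1 3des-cbc aes128-cbc hmac-md5 hmac-sha1'

# audit_ssh_config [FILE]  (reads stdin when FILE is omitted)
# Prints "GLOBAL|SCOPED <line-no>: <keyword> <algorithm> [<scope>]" per finding;
# returns 1 if a legacy algorithm is enabled for all hosts, else 0.
audit_ssh_config() {
    awk -v legacy="$LEGACY" '
    BEGIN { n = split(legacy, w, " "); everyhost = 1; scope = "top of file"; bad = 0 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }             # comments and blank lines
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        gsub(/[ \t]*=[ \t]*/, " ", line)          # "Keyword=value" form
        split(line, f, /[ \t]+/)
        key = tolower(f[1])                       # keywords are case-insensitive
        rest = substr(line, length(f[1]) + 2)
        if (key == "host")  { everyhost = (rest == "*"); scope = line; next }
        if (key == "match") { everyhost = (tolower(rest) == "all"); scope = line; next }
        if (key != "kexalgorithms" && key != "ciphers" && key != "macs") next
        if (f[2] ~ /^-/) next                     # "-list" removes algorithms
        sub(/^[+^]/, "", f[2])                    # "+list" and "^list" add to defaults
        k = split(f[2], alg, ",")
        for (i = 1; i <= k; i++)
            for (j = 1; j <= n; j++)
                if (alg[i] == w[j]) {
                    printf "%s %d: %s %s [%s]\n", (everyhost ? "GLOBAL" : "SCOPED"), NR, f[1], alg[i], scope
                    if (everyhost) bad = 1
                }
    }
    END { exit bad }' "${1:--}"
}

# Constructed samples. sample_global: two lines appended to a file that ends in
# a "Host *" block, so they fall under it. sample_scoped: the per-host form.
sample_global() {
    printf '%s\n' 'Host *' '    SendEnv LANG LC_*' \
        'KexAlgorithms diffie-hellman-group1-sha1' 'Ciphers 3des-cbc'
}
sample_scoped() {
    printf '%s\n' 'Host cisco1841' '    KexAlgorithms diffie-hellman-group1-sha1' \
        '    Ciphers aes128-cbc,3des-cbc' '    MACs hmac-md5,hmac-sha1' \
        'Host *' '    HashKnownHosts yes'
}

sample_global | audit_ssh_config || echo "legacy algorithms enabled for every host"
sample_scoped | audit_ssh_config && echo "legacy algorithms limited to named hosts"
```

Run it against a real file with `audit_ssh_config /etc/ssh/ssh_config` or `audit_ssh_config ~/.ssh/config`; a non-zero return means a legacy algorithm is offered to every server the client connects to.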