On Tue, Jul 06, 2021 at 10:40:00AM +0200, Ralph Aichinger wrote: > Hi, everybody, as a bullseye user I am seeing messages like > > | Unable to negotiate with 10.0.17.52 port 22: no matching > | key exchange method found. Their offer: diffie-hellman-group1-sha1 > > with increasing frequency, especially when trying to ssh into > proprietary, obsolete stuff. Above comes from a Cisco 7941 IP > phone I toy around with at home, with no expectation of security > whatsoever, I might as well use telnet. > > Some algorithms can be activated by using e.g. > -oKexAlgorithms=+diffie-hellman-group1-sha1 > but I suppose it is only a question of time before some of this > really old and insecure stuff is compiled out or removed from > sources. It is also a bit difficult to find working combinations > of keyexchange algorithms and ciphers for unknown older servers > (a lot of trial and error?). > > What is the suggested way to work around that problem? Download > ssh sources from 15 years ago, and build a "ssh-insecure" binary? > > What I do not want to do is change my "normal" configuration, e.g. > add these algorithms to my normal .ssh/config. > > I suppose I am not the only one or first to have this problem, > is there an elegant solution, that does not compromise security > in the dominating normal case (ssh into modern servers)? > > Thanks in advance, > Ralph > This also works the other way round: other older Linux [CentOS/Red Hat] can't work with Microsoft Windows or things expecting newer cipher suites
One way round is to keep a separate ssh config with manually edited lists of what ciphers work with what - but it is not straightforward. This will only get worse as we move to elliptic key, potentially. All the best, Andy C
