On Tue, Jul 06, 2021 at 10:40:00AM +0200, Ralph Aichinger wrote: > Hi, everybody, as a bullseye user I am seeing messages like > > | Unable to negotiate with 10.0.17.52 port 22: no matching > | key exchange method found. Their offer: diffie-hellman-group1-sha1 > > with increasing frequency, especially when trying to ssh into > proprietary, obsolete stuff. Above comes from a Cisco 7941 IP > phone I toy around with at home, with no expectation of security > whatsoever, I might as well use telnet. > > Some algorithms can be activated by using e.g. > -oKexAlgorithms=+diffie-hellman-group1-sha1 > but I suppose it is only a question of time before some of this > really old and insecure stuff is compiled out or removed from > sources. It is also a bit difficult to find working combinations > of keyexchange algorithms and ciphers for unknown older servers > (a lot of trial and error?). > > What is the suggested way to work around that problem? Download > ssh sources from 15 years ago, and build a "ssh-insecure" binary? > > What I do not want to do is change my "normal" configuration, e.g. > add these algorithms to my normal .ssh/config. > > I suppose I am not the only one or first to have this problem, > is there an elegant solution, that does not compromise security > in the dominating normal case (ssh into modern servers)? > Like you, I have been using CLI options to the ssh command to adjust the necessary algorithms if I need something "insecure". My thought is that once that no longer serves the purpose, I would setup a VM, container, or chroot running Debian wheezy or jessie and then use the ssh command from that environment.
Regards, -Roberto -- Roberto C. Sánchez
