On 7/6/21, Ralph Aichinger <r...@pi.h5.or.at> wrote:
> Hi, everybody, as a bullseye user I am seeing messages like
>
> | Unable to negotiate with 10.0.17.52 port 22: no matching
> | key exchange method found. Their offer: diffie-hellman-group1-sha1
>
> with increasing frequency, especially when trying to ssh into
> proprietary, obsolete stuff. Above comes from a Cisco 7941 IP
> phone I toy around with at home, with no expectation of security
> whatsoever, I might as well use telnet.
>
> Some algorithms can be activated by using e.g.
>   -oKexAlgorithms=+diffie-hellman-group1-sha1
> but I suppose it is only a question of time before some of this
> really old and insecure stuff is compiled out or removed from
> sources. It is also a bit difficult to find working combinations
> of key exchange algorithms and ciphers for unknown older servers
> (a lot of trial and error?).
"ssh -v" might tell you enough about what's missing. And then
  ssh -Q kex
to show available key exchange algorithms, and
  ssh -Q cipher
to show available ciphers.

> What is the suggested way to work around that problem?

I like adding that stuff in the ~/.ssh/config file - ref. man ssh_config

for example:

$ head ~/.ssh/config
Host cerberus 10.10.2.1
  User dante
  KexAlgorithms +diffie-hellman-group1-sha1
  # ssh -Q kex    # show available key exchange algorithms

> What I do not want to do is change my "normal" configuration, e.g.
> add these algorithms to my normal .ssh/config.

Put all the special cases at the top of the config file and all of the
"normal" config stuff at the end, under
  Host *

Regards,
Lee
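As an added illustration of the layout Lee describes (this is an example written for this page, not the config from the thread), here is a complete ~/.ssh/config that keeps the legacy exception separate from the normal settings. The host alias "legacy-phone", the user "admin" and the options under "Host *" are made-up placeholders; the address 10.0.17.52 and the diffie-hellman-group1-sha1 method are the ones from Ralph's error message. The ordering matters because ssh_config uses the first value obtained for each option, so a stanza placed after "Host *" could not override anything set there.

```sshconfig
# ~/.ssh/config  (added example; names and addresses are placeholders)
#
# ssh reads this file top to bottom and keeps the FIRST value it obtains
# for each option. Exceptions therefore go first, the catch-all last.

# --- special cases: old devices that only offer obsolete key exchange ---
# "+" appends to the built-in default list instead of replacing it, so
# modern methods are still preferred when the peer happens to support them.
# Only list methods that "ssh -Q kex" still reports as compiled in.
Host legacy-phone 10.0.17.52
    HostName 10.0.17.52
    User admin
    KexAlgorithms +diffie-hellman-group1-sha1
    # If the device also needs an old host key type or cipher, add them the
    # same way after checking "ssh -Q key" and "ssh -Q cipher", e.g.:
    # HostKeyAlgorithms +ssh-rsa
    # Ciphers +aes128-cbc

# --- normal configuration for everything else ---
# Nothing here touches KexAlgorithms, so the defaults (and the exception
# above, for that one host) stay in effect.
Host *
    ServerAliveInterval 60
    ServerAliveCountMax 3
    HashKnownHosts yes
```

To confirm which values actually apply before connecting, `ssh -G legacy-phone` prints the effective configuration for that host (look at the `kexalgorithms` line); running the same command for any other host shows that the legacy method is absent there, which is exactly the separation Ralph asked for.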