On Monday, 11 March 2019 08:31:33 GMT Neil Bothwick wrote:
> On Mon, 11 Mar 2019 01:41:19 -0400, Philip Webb wrote:
> > That forum contains a solution :
> > ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 123.123.123.123
> >
> > That gets me thro' & I can do my work there.
> >
> > > Enable legacy and possibly less secure key exchange formats and
> > > ciphers only per server and not globally
> > > and if possible upgrade the SSH server version.
> >
> > However, I've tried to insert an instruction in config files,
> > but nothing changes after a reboot.
> >
> > I've tried adding to ~/.ssh/config & /etc/ssh/ssh_config :
> > Host 128.100.160.1
> >
> > KexAlgorithms +diffie-hellman-group1-sha1
> >
> > That is what seems to be required by 'man 5 ssh_config'.
>
> Try without the +, that works for me here. I have an appliance that uses
> outdated algorithms and this config works for me
>
> Host 1.2.3.4
> Ciphers 3des-cbc
> KexAlgorithms diffie-hellman-group1-sha1
> HostKeyAlgorithms ssh-dss

As I understand it the "+" merely adds one more cipher to the collection.
This is probably safer. If the server has been updated and non-legacy key
exchange algorithms are now available they can be used. Without "+" the
directive for the client is exclusive: only use this algorithm and nothing
else.
--
Regards,
Mick
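
Added example, not part of the thread: a small model of the difference discussed above between `KexAlgorithms +alg` and `KexAlgorithms alg`, and of what each form negotiates before and after the server is upgraded. `DEFAULT_KEX` and both server offers are constructed stand-ins (the real default list depends on the OpenSSH version), and the function names are hypothetical.

```python
# Added example: models how an OpenSSH client builds its KexAlgorithms offer.
# DEFAULT_KEX is a constructed, shortened stand-in for the client's built-in
# default list; the real list depends on the OpenSSH version.
DEFAULT_KEX = [
    "curve25519-sha256",
    "ecdh-sha2-nistp256",
    "diffie-hellman-group14-sha256",
]
LEGACY = "diffie-hellman-group1-sha1"


def effective_kex(directive, defaults=DEFAULT_KEX):
    """Apply a KexAlgorithms value the way ssh_config(5) describes it."""
    if directive.startswith("+"):          # "+": append to the default set
        extra = directive[1:].split(",")
        return defaults + [a for a in extra if a not in defaults]
    return directive.split(",")            # no prefix: replace the default set


def negotiate(client_offer, server_offer):
    """RFC 4253 section 7.1: first client algorithm the server also lists."""
    for alg in client_offer:
        if alg in server_offer:
            return alg
    return None                            # no common algorithm: connection fails


# Constructed server offers: the appliance as it is now, and after an upgrade.
OLD_SERVER = [LEGACY]
UPGRADED_SERVER = ["curve25519-sha256", "diffie-hellman-group14-sha256", LEGACY]


def outcomes():
    """Return {form: (kex with old server, kex with upgraded server)}."""
    result = {}
    for label, directive in (("plus", "+" + LEGACY), ("exclusive", LEGACY)):
        offer = effective_kex(directive)
        result[label] = (negotiate(offer, OLD_SERVER),
                         negotiate(offer, UPGRADED_SERVER))
    return result


if __name__ == "__main__":
    for label, (old, new) in outcomes().items():
        print(f"{label:9} old server -> {old}; upgraded server -> {new}")
```

On a real client, `ssh -G 1.2.3.4` prints the configuration that would be used for that host, which shows whether a `Host` block was actually matched.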