| 1 |
On Monday, 11 March 2019 08:31:33 GMT Neil Bothwick wrote: |
| 2 |
> On Mon, 11 Mar 2019 01:41:19 -0400, Philip Webb wrote: |
| 3 |
> > That forum contains a solution : |
| 4 |
> > ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 123.123.123.123 |
| 5 |
> > |
| 6 |
> > That gets me thro' & I can do my work there. |
| 7 |
> > |
| 8 |
> > > Enable legacy and possible less secure key exchange formats and |
| 9 |
> > > ciphers only per server and not globally |
| 10 |
> > > and if possible upgrade the SSH server version. |
| 11 |
> > |
| 12 |
> > However, I've tried to insert an instruction in config files, |
| 13 |
> > but nothing changes after a reboot. |
| 14 |
> > |
| 15 |
> > I've tried adding to ~/.ssh/config & /etc/ssh/ssh_config : |
| 16 |
> > Host 128.100.160.1 |
| 17 |
> > |
| 18 |
> > KexAlgorithms +diffie-hellman-group1-sha1 |
| 19 |
> > |
| 20 |
> > That is what seems to be required by 'man 5 ssh_config'. |
| 21 |
> |
| 22 |
> Try without the +, that works for me here. I have an appliance that uses |
| 23 |
> outdated algorithms and this config works for me |
| 24 |
> |
| 25 |
> Host 1.2.3.4 |
| 26 |
> Ciphers 3des-cbc |
| 27 |
> KexAlgorithms diffie-hellman-group1-sha1 |
| 28 |
> HostKeyAlgorithms ssh-dss |
| 29 |
|
| 30 |
As I understand it the "+" merely adds one more cipher to the collection. |
| 31 |
This is probably safer. If the server has been updated and non-legacy key |
| 32 |
exchange algorithms are now available they can be used. Without "+" the |
| 33 |
directive for the client is exclusive: only use this algorithm and nothing |
| 34 |
else. |
| 35 |
-- |
| 36 |
Regards, |
| 37 |
Mick |
Archives