Glenn English <ghe2...@gmail.com> wrote:
> On Tue, Oct 31, 2017 at 9:45 PM, Don Armstrong <d...@debian.org> wrote:

>> It's ~/.ssh/config.

> Typo, please excuse.

>> That's the Key-exchange algorithm.

> That kinda makes sense. It sounds like that has nothing to do with the
> problem, since there are no keys involved here.

There are. Both sides exchange a symmetric session key to use for the
connection. The public/private key which can be used with SSH has
nothing to do with this.

>> Generally, what happens is that older switches and hardware run ancient
>> versions of ssh which don't support modern encryption algorithms.
>>
>> Usually that means that for that specific host, you have to advertise
>> specific host configurations, like so (where cisco1841 is the switch's
>> hostname):
>>
>> Host cisco1841
>>      KexAlgorithms diffie-hellman-group1-sha1
>>      Ciphers aes128-cbc,3des-cbc
>>      MACs hmac-md5,hmac-sha1
>>
>> in your ~/.ssh/config and then connect to the machine like so:
>>
>> ssh cisco1841;

> Sounds quite reasonable. Having a lame algorithm for just one host'll
> be no problem. But there's no 'config' of any sort in there.

What do you mean? Just create ~/.ssh/config and put a Host statement
like above inside it.

>> The real solution is to upgrade to a more recent version of IOS.

> IOS is way not FOSS. Lovely software, though.

It needn't be FOSS for you to download a newer version from the Cisco
website. (Only with a valid support contract of course.)

> [SOLVED] -- there seems to be a lot of chatter about this on the web.

> In /etc/ssh/ssh_config, I added 2 lines at the bottom of the file:

>     KexAlgorithms diffie-hellman-group1-sha1
>     Ciphers 3des-cbc

No, this is not the solution, as this will a) set this for every
connection and b) restrict the Cipher list to *only* this insecure
cipher.

Please read "man ssh_config". The Ciphers statement recognizes + and -
as prefixes to add or remove values without replacing the whole setting.

S°

-- 
Sigmentation fault. Core dumped.
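
As an added example (not from the thread), this is the per-host form of what the reply above describes: the legacy algorithms are appended with the + prefix inside a Host block for the switch only, so the defaults for every other host are untouched. The hostname cisco1841 is the one used in the thread; everything else is assumed.

```ssh_config
# Added example, not from the thread: ~/.ssh/config scoped to one legacy switch.
#
# The form posted as [SOLVED] went into /etc/ssh/ssh_config with no Host block:
#   KexAlgorithms diffie-hellman-group1-sha1
#   Ciphers 3des-cbc
# That applies to every connection and leaves 3des-cbc as the *only* cipher.

# ssh uses the first value obtained for each option, so host-specific blocks
# must come before any global settings in the file.
Host cisco1841
    # "+" appends to the client's default list instead of replacing it, so the
    # modern algorithms stay first in the offer and the legacy ones are only
    # used when this switch cannot negotiate anything better.
    KexAlgorithms +diffie-hellman-group1-sha1
    Ciphers +aes128-cbc,3des-cbc
    MACs +hmac-sha1,hmac-md5
    # "-" works the other way round, e.g. "Ciphers -3des-cbc" would drop that
    # cipher from the default list for this host.

# No global KexAlgorithms/Ciphers/MACs lines here: other hosts keep stock defaults.
# To check the effective per-host result without connecting, run:
#   ssh -G cisco1841 | grep -iE '^(kexalgorithms|ciphers|macs) '
#   ssh -G some-other-host | grep -iE '^(kexalgorithms|ciphers|macs) '
```

The second `ssh -G` line (any hostname without a matching Host block) should show the unchanged default lists, which is the check that the legacy settings did not leak to every connection.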
