On Monday, 11 March 2019 08:31:33 GMT Neil Bothwick wrote:
> On Mon, 11 Mar 2019 01:41:19 -0400, Philip Webb wrote:
> > That forum contains a solution :
> >   ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 123.123.123.123
> > 
> > That gets me thro' & I can do my work there.
> > 
> > > Enable legacy and possibly less secure key exchange formats and
> > > ciphers only per server and not globally
> > > and if possible upgrade the SSH server version.
> > 
> > However, I've tried to insert an instruction in config files,
> > but nothing changes after a reboot.
> > 
> > I've tried adding to  ~/.ssh/config  &  /etc/ssh/ssh_config :
> >   Host 128.100.160.1
> >   
> >     KexAlgorithms +diffie-hellman-group1-sha1
> > 
> > That is what seems to be required by 'man 5 ssh_config'.
> 
> Try without the +, that works for me here. I have an appliance that uses
> outdated algorithms and this config works for me:
> 
> Host 1.2.3.4
>     Ciphers 3des-cbc
>     KexAlgorithms diffie-hellman-group1-sha1
>     HostKeyAlgorithms ssh-dss

As I understand it the "+" merely adds one more cipher to the collection.  
This is probably safer.  If the server has been updated and non-legacy key 
exchange algorithms are now available they can be used.  Without "+" the 
directive for the client is exclusive:  only use this algorithm and nothing 
else.
-- 
Regards,
Mick
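
The difference between the two forms discussed above, as an added example that is not part of the original messages: a small Python model of how the client's offered key-exchange list is built from a KexAlgorithms value, and what is then chosen against an old and an upgraded server. The default list and both server lists are constructed samples, the function names are hypothetical, and negotiation is simplified to the RFC 4253 rule of taking the first client algorithm the server also supports; the model also covers the "-" and "^" prefixes, which the thread does not discuss.

```python
"""Model of how an ssh_config KexAlgorithms value changes the client's offer."""
import fnmatch

# Constructed sample of a client's default key-exchange list (assumption:
# the real default depends on the OpenSSH version; check `ssh -G host`).
DEFAULT_KEX = [
    "curve25519-sha256",
    "ecdh-sha2-nistp256",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group14-sha256",
]
LEGACY = "diffie-hellman-group1-sha1"


def effective_kex(value, default=DEFAULT_KEX):
    """Return the list the client offers for a given KexAlgorithms value."""
    prefix, names = value[0], value.lstrip("+-^").split(",")
    if prefix == "+":   # append to the default set
        return default + [n for n in names if n not in default]
    if prefix == "^":   # place at the head of the default set
        return names + [d for d in default if d not in names]
    if prefix == "-":   # remove matching names (wildcards allowed)
        return [d for d in default
                if not any(fnmatch.fnmatchcase(d, n) for n in names)]
    return names        # no prefix: replace the default set entirely


def negotiate(client, server):
    """Simplified RFC 4253 choice: first client algorithm the server supports."""
    return next((alg for alg in client if alg in server), None)


# Constructed server offers: the old appliance, and the same box after an upgrade.
OLD_SERVER = [LEGACY]
UPGRADED_SERVER = ["curve25519-sha256", "diffie-hellman-group14-sha256"]

if __name__ == "__main__":
    for value in ("+" + LEGACY, LEGACY):
        offer = effective_kex(value)
        print(f"KexAlgorithms {value}")
        print("  old server      ->", negotiate(offer, OLD_SERVER))
        print("  upgraded server ->", negotiate(offer, UPGRADED_SERVER))
```

On a real client, `ssh -G <host>` prints the resolved configuration, including the kexalgorithms line that a matching Host block produces.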
