Hi, all,

minor problem/annoyance here:

root@noc:/etc/ssh # ssh admin@10.4.0.62
Unable to negotiate with 10.4.0.62 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,none
root@noc:/etc/ssh # uname -a
FreeBSD noc.pluspunkthosting.de 10.3-RELEASE FreeBSD 10.3-RELEASE #3: Wed Apr 13 14:46:57 CEST 2016 root@noc.pluspunkthosting.de:/usr/obj/usr/src/sys/GENERIC amd64

Of course I was able to find http://www.openssh.com/legacy.html myself.

FreeBSD 10.2 uses OpenSSH 6.6.x while 10.3 imported 7.2.
So far so good.

The recommended method from the document above works on the
command line:

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@10.4.0.62

But if I add

KexAlgorithms +diffie-hellman-group1-sha1

to /etc/ssh/ssh_config, that does not change anything. Oddly enough,
checking which algorithms are supported gives the same result
regardless of any configuration options:

root@noc:/etc/ssh # ssh -Q kex
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256@libssh.org

So, diffie-hellman-group1-sha1 is supported but not used unless
specified on the command line? And there is no way to override that
*globally*? This is an isolated management network with IPMI
interfaces - we won't be getting updates for all of these machines'
IPMI firmware ...

Am I stuck with writing shell aliases or putting the config in each and
every user's private ~/.ssh/config?

Thanks for any hints,
Patrick
--
punkt.de GmbH * Kaiserallee 13a * 76133 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
info at punkt.de http://www.punkt.de
Gf: Jürgen Egeling AG Mannheim 108285

host *
    KexAlgorithms diffie-hellman-group1-sha1

in ~/.ssh/config works for me.

Daniel

> On 14.04.2016, at 12:44, Patrick M. Hausen <hausen at punkt.de> wrote:
>
> Hi, all,
>
> minor problem/annoyance here:
>
> root@noc:/etc/ssh # ssh admin@10.4.0.62
> Unable to negotiate with 10.4.0.62 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,none
> root@noc:/etc/ssh # uname -a
> FreeBSD noc.pluspunkthosting.de 10.3-RELEASE FreeBSD 10.3-RELEASE #3: Wed Apr 13 14:46:57 CEST 2016 root@noc.pluspunkthosting.de:/usr/obj/usr/src/sys/GENERIC amd64
>
> Of course I was able to find http://www.openssh.com/legacy.html myself.
>
> FreeBSD 10.2 uses OpenSSH 6.6.x while 10.3 imported 7.2.
> So far so good.
>
> The recommended method from the document above works on the
> command line:
>
> ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@10.4.0.62
>
> But if I add
>
> KexAlgorithms +diffie-hellman-group1-sha1
>
> to /etc/ssh/ssh_config, that does not change anything. Oddly enough,
> checking which algorithms are supported gives the same result
> regardless of any configuration options:
>
> root@noc:/etc/ssh # ssh -Q kex
> diffie-hellman-group1-sha1
> diffie-hellman-group14-sha1
> diffie-hellman-group-exchange-sha1
> diffie-hellman-group-exchange-sha256
> ecdh-sha2-nistp256
> ecdh-sha2-nistp384
> ecdh-sha2-nistp521
> curve25519-sha256@libssh.org
>
> So, diffie-hellman-group1-sha1 is supported but not used unless
> specified on the command line? And there is no way to override that
> *globally*? This is an isolated management network with IPMI
> interfaces - we won't be getting updates for all of these machines'
> IPMI firmware ...
>
> Am I stuck with writing shell aliases or putting the config in each and
> every user's private ~/.ssh/config?
>
> Thanks for any hints,
> Patrick
> --
> punkt.de GmbH * Kaiserallee 13a * 76133 Karlsruhe
> Tel. 0721 9109 0 * Fax 0721 9109 100
> info at punkt.de http://www.punkt.de
> Gf: Jürgen Egeling AG Mannheim 108285

On 14.04.2016 16:44, Patrick M. Hausen wrote:
> Hi, all,
>
> minor problem/annoyance here:
>
> root@noc:/etc/ssh # ssh admin@10.4.0.62
> Unable to negotiate with 10.4.0.62 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,none
> root@noc:/etc/ssh # uname -a
> FreeBSD noc.pluspunkthosting.de 10.3-RELEASE FreeBSD 10.3-RELEASE #3: Wed Apr 13 14:46:57 CEST 2016 root@noc.pluspunkthosting.de:/usr/obj/usr/src/sys/GENERIC amd64
>
> Of course I was able to find http://www.openssh.com/legacy.html myself.
>
> FreeBSD 10.2 uses OpenSSH 6.6.x while 10.3 imported 7.2.
> So far so good.
>
> The recommended method from the document above works on the
> command line:
>
> ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@10.4.0.62
>
> But if I add
>
> KexAlgorithms +diffie-hellman-group1-sha1
>
> to /etc/ssh/ssh_config, that does not change anything.

It does change for me. And helps.

Make double sure you have added KexAlgorithms to system wide defaults section of ssh_config and not after limiting "Host" directive, or similar.
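
Added example, not part of the thread: in ssh_config a keyword applies only to the Host or Match block it follows, so a KexAlgorithms line appended at the end of /etc/ssh/ssh_config can end up scoped to the last Host pattern instead of acting as a global default. The helper below (the name kex_scope and the sample config are constructed for illustration) lists each KexAlgorithms line with the scope it falls under.

```shell
#!/bin/sh
# kex_scope FILE
# For every KexAlgorithms line in an ssh_config-style file, print
#   <line-number> TAB <scope> TAB <value>
# where <scope> is "global" (before any Host/Match line) or the
# Host/Match block the line belongs to. FILE may be "-" for stdin.
kex_scope() {
    awk '
    BEGIN { scope = "global" }
    {
        line = $0
        sub(/^[ \t]+/, "", line)              # strip leading whitespace
        if (line == "" || line ~ /^#/) next   # skip blank lines and comments

        # ssh_config accepts "Keyword value" and "Keyword=value";
        # keywords are case-insensitive.
        kw = line
        sub(/[ \t=].*$/, "", kw)
        kw = tolower(kw)
        val = line
        sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", val)
        sub(/[ \t]+$/, "", val)

        # A Host or Match line restricts everything after it,
        # up to the next Host or Match line.
        if (kw == "host" || kw == "match") { scope = kw ":" val; next }

        if (kw == "kexalgorithms") printf "%d\t%s\t%s\n", NR, scope, val
    }' "${1:--}"
}

# Constructed sample: the line was appended after a restrictive Host block,
# so it applies to *.example.org only and not to 10.4.0.62.
kex_scope - <<'EOF'
# constructed sample ssh_config
Host *.example.org
    ForwardAgent no
KexAlgorithms +diffie-hellman-group1-sha1
EOF
```

On OpenSSH 6.8 and later, `ssh -G 10.4.0.62` prints the configuration the client would actually use for that host, including the effective kexalgorithms list.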