From: Mick
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Ssh problem : half-solved
Date: Mon, 11 Mar 2019 08:43:52 +0000

On Monday, 11 March 2019 08:31:33 GMT Neil Bothwick wrote:
> On Mon, 11 Mar 2019 01:41:19 -0400, Philip Webb wrote:
> > That forum contains a solution :
> >   ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 123.123.123.123
> >
> > That gets me thro' & I can do my work there.
> >
> > > Enable legacy and possible less secure key exchange formats and
> > > ciphers only per server and not globally
> > > and if possible upgrade the SSH server version.
> >
> > However, I've tried to insert an instruction in config files,
> > but nothing changes after a reboot.
> >
> > I've tried adding to ~/.ssh/config & /etc/ssh/ssh_config :
> >   Host 128.100.160.1
> >
> >     KexAlgorithms +diffie-hellman-group1-sha1
> >
> > That is what seems to be required by 'man 5 ssh_config'.
>
> Try without the +, that works for me here. I have an appliance that uses
> outdated algorithms and this config works for me
>
> Host 1.2.3.4
> Ciphers 3des-cbc
> KexAlgorithms diffie-hellman-group1-sha1
> HostKeyAlgorithms ssh-dss

As I understand it the "+" merely adds one more cipher to the collection.
This is probably safer. If the server has been updated and non-legacy key
exchange algorithms are now available they can be used.

Without "+" the directive for the client is exclusive: only use this
algorithm and nothing else.

-- 
Regards,
Mick
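Added example, not part of the message above or of the thread: a small Python model of the "+" versus no-prefix behaviour of KexAlgorithms discussed in this reply, and of what each form negotiates once the server is upgraded. DEFAULT_KEX, the server lists and the function names are constructed for illustration; a real client's default list depends on its OpenSSH version, and wildcard patterns in the "-" form are not modelled.

```python
# Constructed stand-in for a client's built-in default list (varies by version).
DEFAULT_KEX = [
    "curve25519-sha256",
    "ecdh-sha2-nistp256",
    "diffie-hellman-group14-sha256",
]
LEGACY = "diffie-hellman-group1-sha1"

# Constructed server offers: the old appliance, and the same box after an upgrade.
OLD_SERVER = [LEGACY]
UPGRADED_SERVER = ["curve25519-sha256", LEGACY]


def effective_kex(directive, default=DEFAULT_KEX):
    """Return the client's offer, in preference order, for one KexAlgorithms value."""
    prefix = directive[0] if directive[:1] in ("+", "-", "^") else ""
    names = [n for n in directive[len(prefix):].split(",") if n]
    if prefix == "+":   # append to the default set
        return list(default) + [n for n in names if n not in default]
    if prefix == "^":   # place at the head of the default set
        return names + [n for n in default if n not in names]
    if prefix == "-":   # remove from the default set
        return [n for n in default if n not in names]
    return names        # no prefix: replaces the default set entirely


def negotiate(client_offer, server_offer):
    """The first algorithm in the client's list that the server also offers wins."""
    for name in client_offer:
        if name in server_offer:
            return name
    return None         # no common algorithm: the connection fails


def compare(server_offer):
    """Negotiated key exchange for the '+' form and for the exclusive form."""
    return {
        "+" + LEGACY: negotiate(effective_kex("+" + LEGACY), server_offer),
        LEGACY: negotiate(effective_kex(LEGACY), server_offer),
    }


if __name__ == "__main__":
    for label, server in (("old", OLD_SERVER), ("upgraded", UPGRADED_SERVER)):
        print(label, compare(server))
```

On a real client, "ssh -G <host>" prints the resolved kexalgorithms line, which shows which list a given config file actually produced for that host.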