Insert the following in /etc/ssh/ssh_config to apply it system-wide, or in ~/.ssh/config for just your user. It enables most of the algorithms that older devices may need.
Host *
KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
PubkeyAcceptedAlgorithms +ssh-rsa
HostKeyAlgorithms +ssh-rsa
You might get the following error when accessing old SSH servers with weak keys from Fedora or other Red Hat-based distributions:
Bad server host key: Invalid key length
To allow these weaker keys, update the crypto policies:
vwenberg@fedora:~/build/dog$ sudo update-crypto-policies --set LEGACY
Setting system policy to LEGACY
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
The information below is for further reference. The config block above covers most of the algorithms that most people will ever need; the key word is "most".
When connecting via SSH to older systems that do not support newer algorithms, you will sometimes get the following error:
Unable to negotiate with 10.192.0.47 port 22: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1
To permanently enable support for this key exchange method, add the following to either /etc/ssh/ssh_config (to enable it for all accounts) or ~/.ssh/config (for just your account):
Host *
KexAlgorithms +diffie-hellman-group14-sha1
You can change Host * to a specific IP, e.g. Host 111.111.111.111.
Catch-all block to enable most key exchange methods. Add the following to /etc/ssh/ssh_config:
KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
Then regenerate keys with …
ssh-keygen -A
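As an added example (not part of the original post), the following Python script audits an ssh_config for the legacy algorithms discussed above and reports, for each one, whether it is enabled for every host (Host *) or only for a specific host, and whether it was appended with + or replaced the default list. The sample config, the LEGACY set and the function names are my own constructions.

```python
"""Audit an ssh_config for the legacy algorithms this page re-enables and show their scope."""
import re
# Legacy algorithms named on this page (constructed set; extend as needed).
LEGACY = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1", "ssh-rsa"}
# Keywords whose values are algorithm lists; lower-cased because keywords are case-insensitive.
ALG_KEYWORDS = {"kexalgorithms", "hostkeyalgorithms", "pubkeyacceptedalgorithms",
                "pubkeyacceptedkeytypes", "ciphers", "macs"}
LINE = re.compile(r"^\s*([A-Za-z]+)\s*=?\s*(.*?)\s*$")  # 'Keyword value' or 'Keyword=value'

def parse_ssh_config(text: str) -> list[tuple[str, dict[str, str]]]:
    """Split ssh_config text into (host pattern, {keyword: value}) blocks, in file order.
    Lines before the first Host/Match line apply everywhere, so they are filed under '*'."""
    blocks: list[tuple[str, dict[str, str]]] = [("*", {})]
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0])  # drop comments, then parse
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key in ("host", "match"):
            blocks.append((value, {}))
        else:
            blocks[-1][1][key] = value
    return blocks

def audit_legacy(text: str) -> list[dict[str, str]]:
    """Return one finding per legacy algorithm that a block enables, with scope and mode."""
    findings = []
    for pattern, opts in parse_ssh_config(text):
        for key, value in opts.items():
            if key not in ALG_KEYWORDS or not value or value[0] == "-":
                continue  # a '-' list only removes algorithms, so it enables nothing
            mode = "appended" if value[0] in "+^" else "replaces defaults"
            for alg in value.lstrip("+^").split(","):
                if alg.strip() in LEGACY:
                    findings.append({"keyword": key, "algorithm": alg.strip(), "mode": mode,
                                     "scope": "every host" if pattern == "*" else pattern})
    return findings

# Constructed sample: the page's catch-all block plus one host-scoped block.
SAMPLE = """\
Host *
  KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,diffie-hellman-group14-sha1
  PubkeyAcceptedAlgorithms +ssh-rsa
Host 111.111.111.111
  HostKeyAlgorithms +ssh-rsa
"""

if __name__ == "__main__":
    for f in audit_legacy(SAMPLE):
        print(f"{f['keyword']:25} {f['algorithm']:28} {f['mode']:17} applies to: {f['scope']}")
```

Findings scoped to "every host" are the ones worth narrowing to a Host entry for the specific legacy device.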
OpenSSH has also, rightly, deprecated SHA-1-based ssh-rsa signatures, but if you get the following error …
Unable to negotiate with <ip address> port 22: no matching host key type found. Their offer: ssh-rsa
Add the following to your ssh_config:
HostKeyAlgorithms +ssh-rsa
OpenSSH also no longer accepts key lengths of less than 1024 bits, and you will get the following error when connecting:
ssh_dispatch_run_fatal: Connection to 192.168.7.6 port 22: Invalid key length
To connect to these servers, install the openssh-client-ssh1 package on Ubuntu and connect with ssh1 …
apt install openssh-client-ssh1
ssh1 user@<ip address>
More documentation is available on the OpenSSH Legacy Options page.