SSH diffie-hellman-group1 Workaround

At my job I work with a mix of old and new wireless equipment. Some of the old stuff, such as Ubiquiti Nanostation2s, may not let you ssh into them from newer workstations, because these old devices only support old, weak, outdated encryption algorithms that newer operating systems disable by default. If you’ve run into this, you’ll probably see a message along these lines:

user@host:~$ ssh user@olddevice
Unable to negotiate with olddevice port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

As per the OpenSSH Legacy page, which I used at first until it became too annoying, you can just copy the string they share and append the user@olddevice, then log in as you’d expect:

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 user@olddevice

To make things even easier, if you’re on Linux and especially if you periodically need to SSH into a legacy device, add the necessary lines for each device to your .ssh/config file, like this:

user@host:~$ cat .ssh/config
Host 192.168.111.101
	KexAlgorithms +diffie-hellman-group1-sha1
	Ciphers +aes256-cbc
Host 192.168.111.102
	KexAlgorithms +diffie-hellman-group1-sha1
	Ciphers +aes256-cbc
Host 192.168.111.103
	KexAlgorithms +diffie-hellman-group1-sha1
	Ciphers +aes256-cbc

For whatever reason, I wasn’t able to get the example config offered on the OpenSSH Legacy page to work on my old machine, so after repeatedly having to look up the exact string to add to the ssh command every few months when I needed it, I finally worked out the above from some other source.

There may be other, similar errors you encounter that the OpenSSH Legacy page information can answer. My usage and need is limited to logging into older Ubiquiti radios where the last available firmware update was from 2015. In my case, I’m not worried if my connection to a radio isn’t secure — I log into these old devices to run iwconfig or athstats to get some wireless statistics. If you’re doing something with sensitive information, you may want to try to use the strongest encryption algorithm that your old device will accept.

I am by no means an expert or really even vaguely familiar with this, just a random person who stumbled on some info that helped solve a problem I had. However, if you have any questions, I’ll see what I can do to help.
