-2

This is the message that PuTTY/KiTTY yields when connecting via SSH to my old Buffalo WHR-HP-G54N router:

The first key-exchange algorithm supported by the server is [Whatever], which is below the configured warning threshold. Do you want to continue with this connection?

I know how to configure my OpenSSH client to allow specific algorithms, but isn't there a simple way to obtain some equivalent (and, I must say, comfortable) behavior?

Edit 01: As long as this question asks about any "low security servers" (so non-specific), and in order to avoid answers focused on specific algorithms, I have edited the message box to show it as [Whatever].

2 Answers

3

Depending on the exact situation there are two ways to tackle this. That said: comfort comes at the expense of security, obviously. But with a router like that you have limited options anyway.

The package openssh-client-ssh1 allows you to connect to the deprecated SSH v1 protocol. But obviously you have to use ssh1 in place of ssh whenever using the client. A small price to pay, though.

If you are using a shell capable of creating an alias, you could do something like this for your particular issue (which seems to be SSH v2):

alias SSH-insecure='ssh -o KexAlgorithms=+diffie-hellman-group1-sha1'

I had to deal with a bunch of outdated Linux-based devices some time ago and I threw in two more options, because IPs would change all the time:

 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null

... but YMMV, so use common sense to decide.

Another option, if the IP address and/or name are fixed, would be to create a Host match section in your ~/.ssh/config to imbue the above-mentioned options there. Refer to ssh_config(5).

0xC0000022L
  • 16,593
0

There's no functionality in OpenSSH to ask the user interactively like this.

Your best alternative is to write a stanza in ~/.ssh/config matching the hosts you want to use this key-exchange with, and update it each time you find a server that needs to be added.

That would be something like

Host old-machine-1 old-machine-2
    KexAlgorithms +diffie-hellman-group1-sha1
    IdentityFile ~/.ssh/id_rsa

(I've shown the IdentityFile setting as many older machines don't handle ED25519, for instance.)

Toby Speight
  • 8,678
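
An added example, not part of either answer above: a small Python check that reads an ssh_config and reports the relaxations mentioned in the answers (a SHA-1 key exchange, StrictHostKeyChecking no, UserKnownHostsFile /dev/null) when they are set globally or under a wildcard Host pattern instead of being pinned to named hosts. The sample config, the function names and the rule that any KexAlgorithms entry ending in sha1 counts as legacy are assumptions of this example.

```python
import re

# Constructed sample, not a real configuration.
SAMPLE = """\
# laptop ~/.ssh/config
KexAlgorithms +diffie-hellman-group1-sha1
Host old-machine-1 old-machine-2
    KexAlgorithms +diffie-hellman-group1-sha1
    IdentityFile ~/.ssh/id_rsa
Host 192.168.*
    StrictHostKeyChecking=no
    UserKnownHostsFile /dev/null
"""

def is_weak(keyword, value):
    """True for the security-relaxing settings shown in the answers."""
    v = value.lower()
    if keyword == "kexalgorithms":
        if v.startswith("-"):            # "-list" removes algorithms: hardening
            return False
        return any(name.endswith("sha1") for name in v.lstrip("+^").split(","))
    if keyword == "stricthostkeychecking":
        return v in ("no", "off", "false")
    if keyword == "userknownhostsfile":
        return v == "/dev/null"
    return False

def is_wide(scope):
    """A scope is wide if any non-negated Host pattern contains a wildcard."""
    return any(not p.startswith("!") and ("*" in p or "?" in p) for p in scope)

def audit(config_text):
    """Return (line, scope, keyword, value) for weak settings in wide scopes."""
    findings, scope = [], ["*"]          # lines before the first Host are global
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts both "Keyword value" and "Keyword=value".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) < 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip().strip('"')
        if keyword == "host":
            scope = value.split()
        elif keyword == "match":         # simplification: only "Match all" is wide
            scope = ["*"] if value.lower() == "all" else ["(match block)"]
        elif is_weak(keyword, value) and is_wide(scope):
            findings.append((lineno, " ".join(scope), keyword, value))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("line %d [%s]: %s %s" % finding)
```

The stanza for old-machine-1 and old-machine-2 is not reported because it names its hosts; the global line and the 192.168.* block are.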