diffie-hellman-group1-sha1 key exchange on Ubuntu - Issues

Question

I've been trying to setup Ansible to connect to some of our legacy production switches to take regular backups. I'm running into the issue that many have faced, for example here.

I've created a file ~/.ssh/config containing

Host 123.123.123.123 KexAlgorithms +diffie-hellman-group14-sha1

This hasn't worked and still throws the error when I try to connect.

I've also added lines into /etc/ssh/ssh_config with no joy.

When I try to connect manually using ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 123.123.123.123 I get an error message

Unable to negotiate with x.x.x.x port 22: no matching key exchange method found. Their offer: ssh-rsa

Does anyone have any suggestions? After trying to set the negotiation server wide and at an adhoc level I'm no closer to getting it working.

Answer 1

The machine to which you're connecting doesn't support any secure algorithms. For key exchange, it seems to only support Diffie-Hellman group 1, which is 1024 bits in size. This provides an inadequate 80-bit security level and is believed to have been broken by major governments.

For the SSH host key algorithm, only ssh-rsa is offered, which is RSA using SHA-1 for signatures. SHA-1 is known to be insecure and collisions can be found for USD 45,000, which is in the budget of any government and many private individuals.

For security, OpenSSH has disabled these algorithms because they should no longer be used. You should upgrade these systems to a securely patched SSH server or replace them. If you need to access them in order to do so, you can do so with the following syntax (note that multiple lines are required):

Host foo.example.com
   KexAlgorithms +diffie-hellman-group1-sha1
   HostKeyAlgorithms +ssh-rsa