Hi All - Just installed the latest TK LAMP on 386 system...I am connecting with a package that requires diffie-hellman-group1-sha1 and whenever I follow the instructions for adding that option it fails.

$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 192.168.1.200

After entering the above, the following is returned:

Unsupported KEX algorithm "+diffie-hellman-group1-sha1"

command-line 0: Bad SSH2 Kex Algorithms '+diffie-hellman-group1-sha1'.

Can anyone provide info on why that algorithm cannot be added?

Please note that I understand the security implications and that this is on a private network between machines in a testing environment and, more importantly, physically off-line with no connection to the internet, and that the client (using diffie-hellman) cannot be changed and is a needed tool. So the only alternative is for TK Linux to have diffie-hellman added as an algorithm. There is no exception.

Your help is very much appreciated!!


Jeremy Davis:

Not that I've ever done it, but TurnKey should support what you are trying to do; both as a server and as a client. To prove that please see detail below (from v14.1 TKLDev - but would be consistent across all v14.1 builds):

#client side
ssh -Q kex
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
diffie-hellman-group1-sha1
curve25519-sha256@libssh.org
# server side
sshd -T | grep kex
kexalgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org

Hang on, actually it looks like using the '+' was only introduced in OpenSSH v7.0 but TurnKey only has v6.7:

# ssh -V
OpenSSH_6.7p1 Debian-5+deb8u3, OpenSSL 1.0.1t  3 May 2016

So my guess is that the workaround noted here may be what you need?!
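As an added example (my own script, not code from the thread or from TurnKey), here is a POSIX shell script that applies the point above: it reads an `ssh -V` banner, decides whether the client is new enough for the '+' prefix, and otherwise spells out the full `ssh -Q kex` list with diffie-hellman-group1-sha1 appended last, then emits a Host-scoped ssh_config stanza so the weak exchange is only offered to the one host that needs it. It assumes sed, awk and paste are available; the banner and KEX list are constructed from the output quoted in the reply.

```shell
#!/bin/sh
# Added example, not code from the thread or from TurnKey: decide how to enable
# the legacy KEX on a given OpenSSH client. The '+' prefix only exists from
# OpenSSH 7.0, so on 6.7 the full list has to be spelled out.

# Pull "major.minor" out of an `ssh -V` banner such as "OpenSSH_6.7p1 Debian-5+deb8u3, ..."
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# True (exit 0) when this client understands "-oKexAlgorithms=+alg" (7.0 and later)
supports_plus_prefix() {
    major=$(openssh_version "$1" | cut -d. -f1)
    [ -n "$major" ] && [ "$major" -ge 7 ]
}

# $1 = ssh -V banner, $2 = newline-separated `ssh -Q kex` output, $3 = legacy algorithm.
# Prints the value for -oKexAlgorithms=... : "+alg" on 7.x, the explicit list on older
# clients (duplicates removed, legacy algorithm placed last so it is only a fallback).
kex_option_value() {
    banner=$1; supported=$2; legacy=$3
    if supports_plus_prefix "$banner"; then
        printf '+%s\n' "$legacy"
        return 0
    fi
    rest=$(printf '%s\n' "$supported" | grep -v "^$legacy\$" | awk '!seen[$0]++' | paste -sd, -)
    printf '%s,%s\n' "$rest" "$legacy"
}

# Constructed sample input: the banner and `ssh -Q kex` list quoted in the reply above
SAMPLE_BANNER='OpenSSH_6.7p1 Debian-5+deb8u3, OpenSSL 1.0.1t  3 May 2016'
SAMPLE_KEX='diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
diffie-hellman-group1-sha1
curve25519-sha256@libssh.org'

# Emit a Host-scoped ssh_config stanza so the weak KEX is offered to this one host only
# (192.168.1.200 is the address used in the question).
printf 'Host 192.168.1.200\n    KexAlgorithms %s\n' \
    "$(kex_option_value "$SAMPLE_BANNER" "$SAMPLE_KEX" diffie-hellman-group1-sha1)"
```

Paste the printed stanza into ~/.ssh/config rather than passing the list on every command line; on a 7.x client the same function simply yields +diffie-hellman-group1-sha1.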

Tx - Will try this and see if I can get it to work without the '+'. I appreciate your suggestion and help Jeremy!

Best regards,

Michael
