Hi All - Just installed the latest TK LAMP on 386 system...I am connecting with a package that requires diffie-hellman-group1-sha1 and whenever I follow the instructions for adding that option it fails.

$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1

After entering the above, the following is returned:

Unsupported KEX algorithm "+diffie-hellman-group1-sha1"

command-line 0: Bad SSH2 Kex Algorithms '+diffie-hellman-group1-sha1'.

Can anyone provide info on why that algorithm cannot be added?

Please note that I understand the security implications and that this is on a private network between machines in a testing environment and, more importantly, physically off-line with no connection to the internet, and that the client (using diffie-hellman) cannot be changed and is a needed tool. So the only alternative is for TK Linux to have diffie-hellman added as an algorithm. There is no exception.

Your help is very much appreciated!!

Not that I've ever done it, but TurnKey should support what you are trying to do; both as a server and as a client. To prove that, please see the detail below (from v14.1 TKLDev - but it would be consistent across all v14.1 builds):

#client side
ssh -Q kex
# server side
sshd -T | grep kex
kexalgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org

Hang on, actually it looks like using the '+' was only introduced in OpenSSH v7.0 but TurnKey only has v6.7:

# ssh -V
OpenSSH_6.7p1 Debian-5+deb8u3, OpenSSL 1.0.1t  3 May 2016

So my guess is that the workaround noted here may be what you need?!
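As an added example (not from the thread and not TurnKey's own code): a small POSIX shell snippet that builds the KexAlgorithms value the way Jeremy's finding implies, using the '+' prefix on OpenSSH 7.0 and later and spelling out the full list on 6.x, and puts it in a per-Host ssh_config block so the legacy algorithm is only offered to the one appliance that needs it. The host name and the default algorithm list are constructed placeholders.

```shell
#!/bin/sh
# Added example: build a KexAlgorithms value that works on both OpenSSH >= 7.0
# ('+' appends to the default list) and OpenSSH 6.x (the whole list must be
# written out, because '+' is rejected as a "Bad SSH2 Kex Algorithms" value).

# Succeeds if the `ssh -V` string (e.g. "OpenSSH_6.7p1 Debian-5+deb8u3, ...")
# names a major version that understands the '+' prefix (7 or later).
supports_plus_syntax() {
    major=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9]*\)\..*/\1/p')
    [ -n "$major" ] && [ "$major" -ge 7 ]
}

# Print the KexAlgorithms value.
#   $1: `ssh -V` output
#   $2: comma-separated list the client already uses (on 6.x you can take
#       `ssh -Q kex | paste -sd,` as a starting point)
#   $3: algorithm to add, e.g. diffie-hellman-group1-sha1
kex_option() {
    if supports_plus_syntax "$1"; then
        printf '+%s\n' "$3"
    else
        # 6.x: explicit list; avoid listing the algorithm twice if already present
        case ",$2," in
            *",$3,"*) printf '%s\n' "$2" ;;
            *)        printf '%s,%s\n' "$2" "$3" ;;
        esac
    fi
}

# Emit an ssh_config Host block so the weak KEX is offered only to that host,
# not to every server the client talks to.
ssh_config_block() {
    printf 'Host %s\n    KexAlgorithms %s\n' "$1" "$2"
}

# Demo using the version string quoted in the thread and a constructed
# (placeholder) list of the algorithms the client already offers.
ver="OpenSSH_6.7p1 Debian-5+deb8u3, OpenSSL 1.0.1t  3 May 2016"
current="curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group14-sha1"
ssh_config_block legacy-appliance.example \
    "$(kex_option "$ver" "$current" diffie-hellman-group1-sha1)"
```

Append the printed block to ~/.ssh/config (or pass the value with -oKexAlgorithms=...) and re-run the connection; on 6.7 the full explicit list is what makes the option parse.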

Tx - Will try this and see if I can get it to work without the '+'. I appreciate your suggestion and help, Jeremy!

Best regards,
