T1500G-10PS - SSH connection: weak diffie-hellman-group1-sha1 key exchange algorithm

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
T1500G-10PS - SSH connection: weak diffie-hellman-group1-sha1 key exchange algorithm
T1500G-10PS - SSH connection: weak diffie-hellman-group1-sha1 key exchange algorithm
2017-12-14 20:20:38
Model :

Hardware Version :

Firmware Version :

ISP :

Hi guys,

i bought a new T1500G-10PS Smart Switch (with actual firmware) for my poe ip cameras. I needed a switch which is configurable via ssh.
Therefore i made a simple
[CODE]ssh admin@[/CODE]
from my macbook which ended in the following error message:
[CODE]Unable to negotiate with port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1[/CODE]

After googling around i found an article where this error is explained with the following sentence:
In this case, the client and server were unable to agree on the key exchange algorithm. The server offered only a single method diffie-hellman-group1-sha1 . OpenSSH supports this method, but does not enable it by default because is weak and within theoretical range of the so-called Logjam attack.


I'm wondering why TP-Link uses an old, weak key exchange algorithm in such a new product?
Can someone explain?

BTW: I managed to connect to the switch with changing the ssh_config File!

Thx
spooniester
1
1
#1
Options
2 Reply
Re:T1500G-10PS - SSH connection: weak diffie-hellman-group1-sha1 key exchange algorithm
2017-12-20 17:35:58

spooniester wrote

Model :

Hardware Version :

Firmware Version :

ISP :

Hi guys,

i bought a new T1500G-10PS Smart Switch (with actual firmware) for my poe ip cameras. I needed a switch which is configurable via ssh.
Therefore i made a simple
[CODE]ssh admin@[/CODE]
from my macbook which ended in the following error message:
[CODE]Unable to negotiate with port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1[/CODE]

After googling around i found an article where this error is explained with the following sentence:


I'm wondering why TP-Link uses an old, weak key exchange algorithm in such a new product?
Can someone explain?

BTW: I managed to connect to the switch with changing the ssh_config File!

Thx
spooniester


I found most of device still using SHA1 also. I have two d-link Layer2 managed switch, the same, I need use this command also.
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 user@legacyhost

Maybe we can suggest TP-LINK to wrote FAQ to share this information to other users.
0
0
#2
Options
Re:T1500G-10PS - SSH connection: weak diffie-hellman-group1-sha1 key exchange algorithm
2017-12-20 18:03:15

TPTHZ wrote

I found most of device still using SHA1 also. I have two d-link Layer2 managed switch, the same, I need use this command also.
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 user@legacyhost


Yes, even several CISCO switches still use SHA1. Reason for switches using legacy ciphers is that a) embedded devices are - unlike laptops or desktops - most often not running bleeding-edge Linux versions, but a version proofed to be as stable as possible and b) most switches are not used in public WANs except those running at ISPs and public data exchanges. If you are an ISP or expose a switch to the Internet, you almost certainly use other, much more secure means of restricting access to the switch's admin interface, e.g. by using VLANs, port isolation and ACLs. If you are concerned about security of a switch's web UI (!) or CLI interface in a private LAN, you also should not only count on SSH ciphers, given the fact that they are strong only for a limited time until becoming weak.

It is not that easy to port Linux to an embedded device and keep it up-to-date. As for latest Linux versions, security fixes are published every week, sometimes even every day. This includes SSH/TLS fixes, too.

I prefer to run a stable firmware on switches instead of the latest brand-new funky version with features not being used on a particular embedded device. It's already keeping admins busy to update servers with fixes every week and new kernels every 3 months.
༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
1
1
#3
Options