Welcome to TP-LINK Tech Support Forum
+ Reply to Thread
Results 1 to 3 of 3
  1. #1
    Junior Member spooniester is on a distinguished road
    Join Date
    Dec 2017
    Posts
    1

    Angry T1500G-10PS - SSH connection: weak diffie-hellman-group1-sha1 key exchange algorithm

    Model :

    Hardware Version :

    Firmware Version :

    ISP : [/COLOR]

    Hi guys,

    i bought a new T1500G-10PS Smart Switch (with actual firmware) for my poe ip cameras. I needed a switch which is configurable via ssh.
    Therefore i made a simple
    Code:
    ssh admin@<ip_of_switch>
    from my macbook which ended in the following error message:
    Code:
    Unable to negotiate with <ip_of_switch> port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
    After googling around i found an article where this error is explained with the following sentence:
    In this case, the client and server were unable to agree on the key exchange algorithm. The server offered only a single method diffie-hellman-group1-sha1. OpenSSH supports this method, but does not enable it by default because is weak and within theoretical range of the so-called Logjam attack.
    I'm wondering why TP-Link uses an old, weak key exchange algorithm in such a new product?
    Can someone explain?

    BTW: I managed to connect to the switch with changing the ssh_config File!

    Thx
    spooniester

  2. #2
    Members TPTHZ is on a distinguished road
    Join Date
    Aug 2017
    Posts
    128
    Quote Originally Posted by spooniester View Post
    Model :

    Hardware Version :

    Firmware Version :

    ISP : [/COLOR]

    Hi guys,

    i bought a new T1500G-10PS Smart Switch (with actual firmware) for my poe ip cameras. I needed a switch which is configurable via ssh.
    Therefore i made a simple
    Code:
    ssh admin@<ip_of_switch>
    from my macbook which ended in the following error message:
    Code:
    Unable to negotiate with <ip_of_switch> port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
    After googling around i found an article where this error is explained with the following sentence:


    I'm wondering why TP-Link uses an old, weak key exchange algorithm in such a new product?
    Can someone explain?

    BTW: I managed to connect to the switch with changing the ssh_config File!

    Thx
    spooniester
    I found most of device still using SHA1 also. I have two d-link Layer2 managed switch, the same, I need use this command also.
    ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 user@legacyhost

    Maybe we can suggest TP-LINK to wrote FAQ to share this information to other users.

  3. #3
    Members R1D2 is on a distinguished road
    Join Date
    Dec 2015
    Posts
    1,312
    Quote Originally Posted by TPTHZ View Post
    I found most of device still using SHA1 also. I have two d-link Layer2 managed switch, the same, I need use this command also.
    ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 user@legacyhost
    Yes, even several CISCO switches still use SHA1. Reason for switches using legacy ciphers is that a) embedded devices are - unlike laptops or desktops - most often not running bleeding-edge Linux versions, but a version proofed to be as stable as possible and b) most switches are not used in public WANs except those running at ISPs and public data exchanges. If you are an ISP or expose a switch to the Internet, you almost certainly use other, much more secure means of restricting access to the switch's admin interface, e.g. by using VLANs, port isolation and ACLs. If you are concerned about security of a switch's web UI (!) or CLI interface in a private LAN, you also should not only count on SSH ciphers, given the fact that they are strong only for a limited time until becoming weak.

    It is not that easy to port Linux to an embedded device and keep it up-to-date. As for latest Linux versions, security fixes are published every week, sometimes even every day. This includes SSH/TLS fixes, too.

    I prefer to run a stable firmware on switches instead of the latest brand-new funky version with features not being used on a particular embedded device. It's already keeping admins busy to update servers with fixes every week and new kernels every 3 months.
    Last edited by R1D2; 12-20-2017 at 10:11.


 

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts

Copyright 1996-2018 TP-LINK Technologies Co., Ltd. All rights reserved.