SSH to TPlink TL-SX3008F from pfSense console

Note: scroll to bottom of the post for the final solution.

When you try to login to TPlink switch from pfSense console you get the following error:

ssh admin@10.10.10.1
Unable to negotiate with 10.10.10.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

Next you try to enable diffie-hellman group, another error pops up:

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@10.10.10.1
Unable to negotiate with 10.10.10.1 port 22: no matching host key type found. Their offer: ssh-dss

Now you also include ssh-dss, but you still get an error:

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-dss admin@10.10.10.1
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the DSA key sent by the remote host is
SHA256:h1gD8T017XJ19NjY3wD9Vob81jHYUJubf2M23KLU7OU.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending RSA key in /root/.ssh/known_hosts:1
DSA host key for 10.10.10.1 has changed and you have requested strict checking.
Host key verification failed.

Now you disable strict host checking and you get the following error:

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-dss -o StrictHostKeyChecking=no admin@10.10.10.1
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the DSA key sent by the remote host is
SHA256:h1gD8T017XJ19NjY3wD9Vob81jHYUJubf2M23KLU7OU.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending RSA key in /root/.ssh/known_hosts:1
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
Permission denied (publickey,password).

The final working solution, enable diffie and ssh-dss, disable strict host checking and redirect known hosts file to /dev/null:

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-dss -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o PasswordAuthentication=yes admin@10.10.10.1

Leave a Reply

Your email address will not be published.