Sometimes you need to connect to older systems, but modern Secure Shell will prevent you because of various changes to its ciphers, HMACs, and key types. In general, you should refer to this page that the OpenSSH guys keep maintained to see what options to use.
The problem is that this can take a while to figure out. Every time they revise the OpenSSH client, they decide to change the lineup of ciphers, HMACs, key exchange, and other algorithms. This is extremely annoying to those of us who aren't long-haired crypto nerds. Personally, I don't believe in half of these “vulnerabilities” because they have no proof of concept exploits anyway.
So, to get an SSH entry that will take off the handcuffs and simply allow you to log in like you did before, you might have to add a configuration entry to your local ~/.ssh/config file or your system's /etc/ssh/ssh_config file (if you want it to be system-wide). I've developed a shell script for this.
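This shell script creates a configuration entry that enables EVERYTHING the client can do. It also sets StrictHostKeyChecking no, so new host keys are accepted without prompting and a changed host key no longer blocks the connection.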
```bash
#!/bin/bash
# Script to generate an SSH config that enables ALL supported algorithms
# from the client's capabilities, including legacy ones.
# Outputs to stdout; redirect to ~/.ssh/config or /etc/ssh/ssh_config as needed.
# WARNING: Applying globally (/etc/ssh/ssh_config) affects all users and may reduce security.
# For user-specific, use ~/.ssh/config with 'Host *' for all hosts.
# Run as: ./generate_ssh_config.sh > ~/.ssh/config
# Then chmod 600 ~/.ssh/config

# Get supported lists
CIPHERS=$(ssh -Q cipher | tr '\n' ',' | sed 's/,$//')
MACS=$(ssh -Q mac | tr '\n' ',' | sed 's/,$//')
KEX=$(ssh -Q kex | tr '\n' ',' | sed 's/,$//')
KEYS=$(ssh -Q key | tr '\n' ',' | sed 's/,$//')

# Output the config
# Use 'Host *' for all hosts; remove if placing in /etc/ssh/ssh_config (global by default)
echo "Host *"
echo " # Enable ALL supported ciphers (including legacy)"
echo " Ciphers $CIPHERS"
echo " # Enable ALL supported MACs (including legacy)"
echo " MACs $MACS"
echo " # Enable ALL supported KexAlgorithms (including legacy)"
echo " KexAlgorithms $KEX"
echo " # Enable ALL supported HostKeyAlgorithms (including legacy)"
echo " HostKeyAlgorithms $KEYS"
echo " # Enable ALL supported PubkeyAcceptedAlgorithms (mirror keys)"
echo " PubkeyAcceptedAlgorithms $KEYS"
echo " # Disable strict host key checking (bypass verification issues with old servers)"
echo " StrictHostKeyChecking no"

# Notes in comments
echo ""
echo "# Generated on $(date)"
echo "# This config explicitly lists ALL algorithms your OpenSSH supports to maximize compatibility."
echo "# It overrides defaults to allow legacy/insecure ones—use at your own risk."
echo "# If errors occur, check ssh -V; some distros disable certain legacy algos at compile-time."
echo "# Test with: ssh -vvv <host> to debug negotiations."
```
Once you run that it'll give you some output like this (what it looks like on my Devuan system with OpenSSH 9.x):
```
Host *
 # Enable ALL supported ciphers (including legacy)
 Ciphers 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
 # Enable ALL supported MACs (including legacy)
 MACs hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-512,hmac-md5,hmac-md5-96,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com
 # Enable ALL supported KexAlgorithms (including legacy)
 KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,curve25519-sha256,curve25519-sha256@libssh.org,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com
 # Enable ALL supported HostKeyAlgorithms (including legacy)
 HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-dss,ssh-dss-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com
 # Enable ALL supported PubkeyAcceptedAlgorithms (mirror keys)
 PubkeyAcceptedAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-dss,ssh-dss-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com
 # Disable strict host key checking (bypass verification issues with old servers)
 StrictHostKeyChecking no

# Generated on Mon Oct 6 09:06:26 AM MDT 2025
# This config explicitly lists ALL algorithms your OpenSSH supports to maximize compatibility.
# It overrides defaults to allow legacy/insecure ones—use at your own risk.
# If errors occur, check ssh -V; some distros disable certain legacy algos at compile-time.
# Test with: ssh -vvv <host> to debug negotiations.
```
The output will change depending on the capabilities of YOUR system, but the point is that you won't hit any nanny-policy by OpenSSH saying something is too old and they won't allow you to use it. This should allow you to connect to older systems from newer systems without being nagged and denied. Obviously, you can change that asterisk (*) in the hostname to make it specific for only one host if you want. However, I don't see the point of disabling these features. A warning would have sufficed but whatever, these are OpenBSD guys we are talking about so they took the maximum security option.
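Scoping the change to a single host, as the paragraph above mentions, can be taken one step further: re-enable only the algorithms that one host actually needs, using OpenSSH's `+` prefix to append to the defaults. The following is an added example, not the author's script; the function names, the host `legacy-switch.example` and the sample log are constructed for illustration.

```bash
#!/bin/bash
# Added example, not the article's script: per-host stanza from `ssh -vvv` proposals.

# Comma list for one label from one side ("local client" or "peer server").
proposal() {  # $1=log  $2=side  $3=label
    printf '%s\n' "$1" | awk -v side="$2" -v label="$3" '
        /KEXINIT proposal/ { active = (index($0, side) > 0); next }
        active && index($0, "debug2: " label ": ") == 1 {
            sub(/^debug2: [^:]*: /, ""); print; exit }'
}

# Server-offered names this client build supports, printed only when the
# client's default proposal and the server's offer have nothing in common.
needed() (  # $1=client defaults  $2=server offer  $3=client-supported names
    IFS=,; out=""
    for s in $2; do
        case ",$1," in *",$s,"*) exit 0 ;; esac   # overlap: change nothing
        case ",$3," in *",$s,"*) out="${out:+$out,}$s" ;; esac
    done
    printf '%s' "$out"
)

emit() {  # $1=log  $2=label  $3=config option  $4=client-supported names
    add=$(needed "$(proposal "$1" "local client" "$2")" \
                 "$(proposal "$1" "peer server" "$2")" "$4")
    if [ -n "$add" ]; then echo "    $3 +$add"; fi
}

# In real use pass $(ssh -Q kex | paste -sd, -), then cipher, mac, key likewise.
stanza() {  # $1=host  $2=log  $3=kex  $4=cipher  $5=mac  $6=key
    echo "Host $1"
    emit "$2" "KEX algorithms"      KexAlgorithms     "$3"
    emit "$2" "ciphers ctos"        Ciphers           "$4"
    emit "$2" "MACs ctos"           MACs              "$5"
    emit "$2" "host key algorithms" HostKeyAlgorithms "$6"
}

# Constructed sample: trimmed `ssh -vvv` output for a hypothetical old switch.
SAMPLE_LOG='debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group14-sha256
debug2: host key algorithms: ssh-ed25519,rsa-sha2-512
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr
debug2: MACs ctos: hmac-sha2-256,hmac-sha1
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: aes128-cbc,3des-cbc,arcfour
debug2: MACs ctos: hmac-md5,hmac-sha1'
stanza legacy-switch.example "$SAMPLE_LOG" diffie-hellman-group1-sha1,curve25519-sha256 \
    aes128-cbc,3des-cbc,aes128-ctr hmac-sha1,hmac-md5 ssh-rsa,ssh-ed25519
```

The debug output goes to stderr, so capture a real log with `ssh -vvv <host> 2>&1`. Every other host keeps the client's defaults and its host key checking.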