DD-WRT/Optware SSH and “no matching key exchange method found”

Apologies for yet another non-ESP related post, but this is another “note to self” which might possibly be of use to others.  It concerns upgrading OpenSSH, only to find that it is now impossible to log in from the newly upgraded machine to some of your “legacy” servers.

The full story… I have an Asus WL500G (v2) wireless router, which I have never used as an access point.  Instead, it sits quietly in a dark corner of the basement with a 2TB USB disk attached saving selected backups-of-backups from the main server.  It doesn’t matter that it’s slow.  It does matter that it sips electricity and is extremely reliable.  In fact it’s so reliable that I tend to forget all about it and it hasn’t had an upgrade in a few years.  I installed DD-WRT on it when I first got it and then added Optware from “frater” to expand the filesystem and be able to add packages that I needed.  It runs a few other services in addition to its backup functions, but basically just sits there and chunters away quite happily and has never failed.

On the other hand, the main, big-disk back-up system and do-everything server has had hardware and software upgrades many times in the same timeframe, the latest of which was a massive downsizing to an ARM based system.  During the course of that upgrade, the OS was updated and, when trying to copy backups of the configuration files from the Asus machine, I discovered that ssh access no longer worked, with the error on the newly upgraded system being:-

no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

While it was fairly obvious what the problem was (the “new” version of OpenSSH on the upgraded system no longer offers the old, weak key exchange method which is the only one the Asus supports; OpenSSH dropped diffie-hellman-group1-sha1, a 1024-bit group with SHA-1, from the client defaults in version 7.0 back in 2015), the fix wasn’t quite so obvious.  Note that this is a key exchange (“KEX”) method, not a cipher, even though the two tend to get lumped together; the error message is explicit about which list failed to match.  Trying to upgrade the OpenSSH version on the Asus came back with a message telling me that I was already on the latest and greatest version (whereas a quick check with “ssh -V” on the Asus itself showed a compile date of “23 Feb 2007”).  Hmmm…

Optware, Optware-2, OOTRW, son-of-optware, second-cousin-twice-removed-of-optware, et-al have all been discontinued and, in the case of Optware2 anyway, the repository is no longer available.  What to do?  Well the obvious answer is to upgrade the whole system (keeping the backup-repository intact) and start from scratch, maybe with Entware-ng, or maybe just the vanilla OS.  At any rate, what I wanted to do was get the backup repository up to date and safely stored away before starting anything at all.

Another quick search on the ‘net gave me an answer to my question from the opposite end (as it were); modify the ssh client configuration on the source machine (the ARM system) to tell it to accept the legacy diffie-hellman-group1-sha1 key exchange method just for the old Asus and nowhere else.  On the command line this can be accomplished with:-

ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 beanbrain@asusddwrt.hogbreath.org

The “-o KexAlgorithms=+…” option appends diffie-hellman-group1-sha1 to the end of the client’s list of acceptable key exchange methods (the leading “+” appends to the default list rather than replacing it, so the stronger methods are still preferred with any server which supports them) and this (rather long) command will log me in successfully to the old Asus.  Yay!

What I’d like to do though, is to re-enable the cron jobs on the ARM machine which transfer the updated backup files automatically to the older Asus.  I’m not going to be there at 03:00 in the morning to type in that long command line.  I could update all of the scripts and cron jobs to use that “-o KexAlgo…” option, but that sounds a little too much like hard work and still means I would have to type it in when manually logging in from ARM to Asus and in any other situation where I need to ssh or scp between the machines.  Luckily ssh comes with a raft of configuration files which allow you to set options like this at a system level (/etc/ssh/ssh_config) or a per-user level.  Because this is weakening security to a certain extent, we want to limit the option to a single user (in this case, “beanbrain”) and limit the weak key exchange method to a single user/machine combination, rather than enabling it for every user and every destination.  To do this we’ll use an entry in the ${HOME}/.ssh/config file for “beanbrain”.

Before we start, use the command ssh -G google.com | egrep kex  to see which key exchange methods the client currently offers (the -G option, which prints the effective configuration for a given host without connecting, needs OpenSSH 6.8 or later).  Note that there will be Diffie-Hellman methods in the “kexalgorithms” line (the group14 and group-exchange variants), but not “diffie-hellman-group1-sha1”.  Now, on to that config file.

-Important-  If the .ssh/config file doesn’t already exist for the user, it must be created with the correct owner and permissions.  ssh checks that the file is owned by the user running it (or by root) and that it is not writable by the group or by everyone; if either check fails, ssh will refuse to start up and throw this error:-

Bad owner or permissions on ${HOME}/.ssh/config

To fix this you need to make the access permissions on the config file more restrictive.  I would recommend read/write for the owner of the file and no access at all for anyone else (the .ssh directory itself should likewise be accessible only to its owner, mode 0700).  For our user “beanbrain”, this can be achieved using the command:-

chmod 0600 ~beanbrain/.ssh/config

You should list the new permissions with ls -al following this change and ensure that not only the permissions are correct, but also that the config file is actually owned by the user.  A file created via sudo will be owned by root; ssh doesn’t complain about root ownership, but a root-owned 0600 file can’t be read by beanbrain at all, so its contents silently never apply and the stanza appears not to work.

Okay, now that we’ve created the file, lets add the magic line to get things working.  This is the example given in the OpenSSH legacy page:-

Host somehost.example.org
     KexAlgorithms +diffie-hellman-group1-sha1

There are a couple of things to note here.  First, the indentation of the KexAlgorithms line is purely for readability; ssh_config doesn’t care whether the option is indented with a TAB, with spaces or not at all.  What matters is order: every option following a “Host” line applies only to the hosts matched by that line, up until the next “Host” (or “Match”) line, so the option must come after the Host line it belongs to.  Secondly, the example shows a fully-qualified hostname, but generally on a local network we will be using a simple hostname when using ssh interactively on the command-line, and probably the fully-qualified one in scripts or cron jobs.  Luckily the “Host” line accepts multiple patterns, separated by whitespace (each is matched against the name as typed on the command line, not against the resolved address), so we can change the example to a real-world entry for our Asus:-

Host  asusddwrt.hogbreath.org  asusddwrt
     KexAlgorithms +diffie-hellman-group1-sha1

Now both the fully-qualified and the simple hostname will work.

After this change has been completed, the same check run against the Asus, ssh -G asusddwrt | egrep kex, will display “diffie-hellman-group1-sha1” as the last entry in the kexalgorithms list (last because “+” appends, so the stronger methods are still tried first), whereas ssh -G google.com is unchanged, because the stanza matches the Asus and nothing else.  That is exactly what we want, so resist the temptation to put the option under a “Host *” entry.  We’re good to go with both interactive, command-line access and from scripts.  One further caveat: OpenSSH 8.8 and later also disable the SHA-1 based “ssh-rsa” host key and public key signature algorithms by default, so against a server of this vintage you may additionally need HostKeyAlgorithms +ssh-rsa (and PubkeyAcceptedAlgorithms +ssh-rsa if you log in with a key) in the same Host stanza; again, the error message tells you which list failed to match.
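The whole procedure above (owner-only permissions on the directory and file, a stanza scoped to a single host, and a check that the weak method has not leaked into a “Host *” block) as a small POSIX shell script.  This is an added example, not code from the original post; the hostnames are the post’s placeholders and the three helper functions are my own names, not anything ssh provides:

```shell
#!/bin/sh
# Added example (not from the original post).  Creates ~/.ssh/config with
# owner-only permissions and appends a Host stanza that re-enables a legacy
# key exchange method for ONE named host only.  Hostnames are placeholders.

# add_legacy_kex_stanza HOME FQDN SHORTNAME [KEX]
add_legacy_kex_stanza() {
    home="$1"; fqdn="$2"; short="$3"; kex="${4:-diffie-hellman-group1-sha1}"
    dir="$home/.ssh"; cfg="$dir/config"
    # Create directory and file owner-only from the start (umask set in a
    # subshell so the caller's umask is untouched), then pin the modes.
    ( umask 077; mkdir -p "$dir"; [ -e "$cfg" ] || : > "$cfg" ) || return 1
    chmod 700 "$dir" && chmod 600 "$cfg" || return 1
    # Idempotent: do not append a second copy of the same stanza.
    grep -qFx -- "Host $fqdn $short" "$cfg" && return 0
    printf 'Host %s %s\n    KexAlgorithms +%s\n' "$fqdn" "$short" "$kex" >> "$cfg"
}

# config_perms_ok HOME: mirrors ssh's own test; fails if ~/.ssh/config is
# writable by group or others (the "Bad owner or permissions" condition)
# or cannot be read by us (e.g. a root-owned file created via sudo).
config_perms_ok() {
    cfg="$1/.ssh/config"
    [ -r "$cfg" ] || return 1
    perm=$(ls -ld "$cfg" | cut -c1-10)      # e.g. -rw-------
    case "$perm" in
        ?????w????|????????w?) return 1 ;;  # group-write or other-write set
    esac
    return 0
}

# legacy_kex_scope_ok HOME KEX: fails if KEX is enabled globally, i.e. under
# "Host *" or before any Host/Match line, instead of for a named host.
legacy_kex_scope_ok() {
    awk -v kex="$2" '
        BEGIN { bad = 0; scope = "" }
        tolower($1) == "host"  { scope = $2 }
        tolower($1) == "match" { scope = "match" }
        tolower($1) == "kexalgorithms" && index($0, kex) {
            if (scope == "" || scope == "*") bad = 1
        }
        END { exit bad }
    ' "$1/.ssh/config"
}

# Usage: sh thisscript.sh asusddwrt.hogbreath.org asusddwrt
# (only runs when two hostnames are given, so sourcing the file is harmless)
if [ "$#" -eq 2 ]; then
    add_legacy_kex_stanza "$HOME" "$1" "$2" \
        && config_perms_ok "$HOME" \
        && legacy_kex_scope_ok "$HOME" diffie-hellman-group1-sha1 \
        && ssh -G "$2" | grep -i kexalgorithms   # legacy method should be listed last
fi
```

The scope check is deliberately strict: a KexAlgorithms line that appears before any Host line, or under “Host *”, applies to every server the user talks to, which is precisely the blanket weakening the per-host stanza is meant to avoid.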

Now that we have the cron jobs working and the backup data copying across, it’s time for me to gird my loins and get stuck into that upgrade.


Multiple ADC inputs, one ESP

I’m not deliberately trying to confuse you, but today’s pointer is to a blog by “Tinkermax” (as opposed to the previous one by “Tinkerman”) and it covers a novel way of adding additional ADC inputs to the ESP8266 using a low-cost analogue switch chip.

FSA3157, tiny analogue switch chip

As you can see from Tinkermax’s photo, the chip itself is absolutely minute (compare the chip to the size of the SMD caps and resistor) and the most difficult part of this project is undoubtedly the soldering.  The FSA3157 chip used only needs a single data line to switch between two inputs (while the FSA3357 can be used to multiplex three inputs, at the cost of an additional data line).  Both chips also work on a fairly wide supply voltage range, so either 3v3 or 5v is fine.

Given the simplicity of the circuit and low cost of the device, this seems like a nice way to go if you need to add extra ADC channels and don’t mind sacrificing one general-purpose I/O pin for the switching.   The absence of any requirement for support circuitry for the chip and the single data-line switching may offset the difficulty of soldering.  On the other hand, a couple of P-channel MOSFETs are probably more readily available in most people’s component drawers.

Anyway, it’s an interesting article and Tinkermax also has some nice information on reducing battery draw for the ESP, as well as some nice projects.  Well worth visiting.



Tinkering with the Sonoff TH (by Tinkerman)

Xose Pérez has a great blog (Tinkerman.cat) with lots of hardware projects (as you’d expect from the title).  He’s also heavily into the ESP8266, so it comes as no surprise that he’s already got his hands on the latest offerings from ITead Studio, the Sonoff TH10 and TH16 high power switches.

Annotated board (bottom)

Of course, it would be no fun at all if Xose just reviewed the units, but we can trust him to go a lot further than that.  In a recent article, he shows us round the interior of the units (highlighting the differences and the improvements between these new versions and the smaller original) and then demonstrates how to add i2c functionality to the existing sensor socket.  With his small modification, the Sonoff TH goes from being able to interface with either a DS18B20 (One-wire temperature sensor) or AM2301 (DHT22 style humidity sensor) to being able to handle the whole gamut of i2c enabled input and output devices.

While we’re looking at Xose’s ESP8266 stuff, you might also like to check out his BitBucket repository.  You’ll find an alternative firmware for the Sonoff series (named “ESPurna”), which is probably where the code for the i2c mod will end up, as well as a WiFi manager library (named “JustWifi”), which features automatic AP connection based on signal strength.  There’s a ton of other interesting stuff in there; some ESP-based and some not.  Definitely a treasure trove.



ESP8266 for the Pi-Zero

Lots and lots of breakout boards recently …but here’s an interesting looking PCB with a slightly different target — to enable WiFi on a Raspberry-Pi Zero.

ESP-12 to RPi-Zero adapter board

It’s obviously an adapter board which would plug directly onto the Pi-Zero headers.  Unfortunately, there’s no further info on the OSH Park page and an Oogleg search doesn’t find anything related, so if anyone knows “Eikacy” or has any other info on the project, please do let us know in the comments field (below).

Update:  As “Gon” points out in his comment below, this is a derivative of Andrew Litt’s RPi-WiFi project (which I certainly remember reading, but don’t recall having seen the original PCB).  All of Andrew’s original work is available in his “esp_hat” GitHub repository.

Anthony Lieuallen has also produced another version, based on Andrew’s original.

And another one for the ESP32, too


Explore Labs ESP3212 breakout board

Just in case you’re looking for a breakout board for your ESP3212 (rather than the boring old ESP8266), Tindie has you covered for that, too.  It doesn’t have the neato prototyping area that our previous offering had (in fact, as far as I can see, it doesn’t have anything at all, except for 0.1″ spaced connectors for all of the ESP32 pins), but it is considerably cheaper, at only $1.49 plus postage.  Of course, first you need that ESP3212.

Another nice breakout board on Tindie

McUdude Breakout Board

This one caught my eye recently, mainly because it’s so versatile.  It accepts several flavours of ESP8266 module, has two voltage regulators to support different input voltage options and also has a prototyping area.  The prototyping area is nicely laid out, with ground and 3v3 rails running up the middle and the broken-out GPIO connections from the ESP lined up along one side.  The only down side is that it is a touch expensive, at $9.90 plus shipping for the populated board (not including an ESP8266 module).  It’s available now on Tindie, shipping from Norway (which unfortunately adds $4 to the price for my particular location).

ESP32 Dev Boards @ CNX Software

CNX Software, a site definitely worth adding to your bookmarks, has just published a short list of ESP32 development boards, gleaned mainly from blogs and social media sites.  Some of them are work-in-progress and some of them appear to be vapourware, but it’s still an interesting article and a nice little teaser for those of us still searching for someone to throw a few dollars at for a real, live ESP32.