How to enable diffie-hellman-group1-sha1 key exchange on Debian 8.0?
Solution 1
The OpenSSH website has a page dedicated to legacy issues such as this one. It suggests the following approach, on the client:
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 123.123.123.123
or more permanently, adding
Host 123.123.123.123
KexAlgorithms +diffie-hellman-group1-sha1
to ~/.ssh/config.
This will enable the old algorithms on the client, allowing it to connect to the server.
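As an added example (not from the question or from any of the answers), here is a small Python helper that turns the client's "Unable to negotiate ... Their offer: ..." line into a Host-scoped ~/.ssh/config block using the + syntax from Solution 1, so the legacy algorithm is re-enabled for that one host only rather than under Host *. It also handles the "no matching cipher found" variant that appears in the comments; the list of names a current OpenSSH client will still accept is an assumption, labelled in the code.

```python
import re
from typing import Optional

# The two OpenSSH client errors quoted on this page: one for key exchange, one for ciphers.
NEGOTIATE_RE = re.compile(
    r"Unable to negotiate with (?P<host>\S+) port (?P<port>\d+): "
    r"no matching (?P<what>key exchange method|cipher) found\. "
    r"Their offer: (?P<offer>\S+)"
)

# Assumption: legacy names a current OpenSSH client still accepts when re-enabled with "+",
# strongest first. Names the client no longer knows (twofish-*, or blowfish-cbc, dropped in
# OpenSSH 7.6) are deliberately absent: one unknown name makes OpenSSH reject the whole list
# with the "Bad SSH2 cipher spec" error shown in the last comment on this page.
ENABLEABLE = {
    "KexAlgorithms": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "Ciphers": ["aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc"],
}


def parse_negotiation_error(line: str) -> Optional[dict]:
    """Extract host, port, the config keyword to adjust, and the server's offered list."""
    m = NEGOTIATE_RE.search(line)
    if m is None:
        return None
    keyword = "KexAlgorithms" if m["what"].startswith("key") else "Ciphers"
    return {"host": m["host"], "port": int(m["port"]),
            "keyword": keyword, "offer": m["offer"].split(",")}


def choose_algorithm(err: dict) -> Optional[str]:
    """Pick the strongest offered algorithm the client can re-enable; None if no overlap."""
    for name in ENABLEABLE[err["keyword"]]:
        if name in err["offer"]:
            return name
    return None


def host_stanza(err: dict) -> Optional[str]:
    """Render a ~/.ssh/config block scoped to one host, using the '+' syntax from Solution 1."""
    algo = choose_algorithm(err)
    if algo is None:
        return None
    lines = [f"Host {err['host']}"]
    if err["port"] != 22:  # keep a non-default port with the host, as in one comment below
        lines.append(f"    Port {err['port']}")
    lines.append(f"    {err['keyword']} +{algo}")
    return "\n".join(lines) + "\n"
```

Append the returned block to ~/.ssh/config; because it is scoped to a Host entry, the default algorithm policy stays in force for every other server.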
Solution 2
I tried this solution, but my problem was that I had many (legacy) clients connecting to my recently upgraded server (ubuntu 14 -> ubuntu 16).
The change from openssh6 -> openssh7 disabled by default the diffie-hellman-group1-sha1 key exchange method.
After reading this and this I came up with the changes I needed to make to the /etc/ssh/sshd_config file:
#Legacy changes
KexAlgorithms +diffie-hellman-group1-sha1
Ciphers +aes128-cbc
But a wider set of legacy changes is (taken from here):
#Legacy changes
KexAlgorithms diffie-hellman-group1-sha1,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
Ciphers 3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr
Solution 3
I was also facing the same issue but resolved it by executing the command below. You can do it without restarting the SSH server.
Problem:
ssh [email protected]
protocol identification string lack carriage return
Unable to negotiate with 123.123.123.123 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
root@shoesdekho#
Solution:
ssh -o KexAlgorithms=diffie-hellman-group1-sha1 [email protected]
On another system I observed that the above command alone was not working. Try adding Ciphers to the command. See the full command below:
root@shoesdekho#ssh -o KexAlgorithms=diffie-hellman-group1-sha1 -o Ciphers=aes256-cbc [email protected]
protocol identification string lack carriage return
Warning: Permanently added '123.123.123.123' (RSA) to the list of known hosts.
Password:
This computer system is restricted to authorized users.
Unauthorized access attempts will be prosecuted.
If unauthorized, disconnect now.
bookmiday#
Updated on September 18, 2022
Comments
-
j1088099.mvrht.com. over 1 year
I am unable to ssh to a server that asks for a diffie-hellman-group1-sha1 key exchange method:
ssh 123.123.123.123
Unable to negotiate with 123.123.123.123 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
How to enable the diffie-hellman-group1-sha1 key exchange method on Debian 8.0? I have tried (as proposed here) to
-
add the following lines to my /etc/ssh/ssh_config
KexAlgorithms diffie-hellman-group1-sha1,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
Ciphers 3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr
-
regenerate keys with ssh-keygen -A
-
restart ssh with service ssh restart
but still get the error.
-
Admin over 3 years
In 2020 and Ubuntu 20 I have solved this problem by installing putty, simply: apt install putty then used putty to connect to old server...
-
Admin over 3 years
I got
Unable to negotiate with 192.168.1.1 port 22: no matching key exchange method found. Their offer: curve25519-sha256,[email protected],ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,[email protected]cc.asn.au
so I added the first offer into config and it worked
-
Admin almost 3 years
Why would you restart your OpenSSH server after tinkering with the client-side config? Admittedly it's the system-wide client-side config, but that still doesn't make it relevant for the server.
-
Luv33preet almost 7 years
I also faced this problem today, but that was due to the network. I changed the network and the issue was gone.
-
knb over 6 years
This works on the server side (unlike the very similar, accepted answer which focused on the client-side.)
-
eigenfield almost 6 years
Tried above, but got
Unable to negotiate with 192.168.1.123 port 22222: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes256-cbc,twofish256-cbc,twofish-cbc,twofish128-cbc,blowfish-cbc
-
Stephen Kitt almost 6 years
@ifelsemonkey that’s a different problem, note that the offer you get isn’t the same as the one in the question.
-
eigenfield almost 6 years
Confirmed it was a different problem. I was able to resolve it by adding the following entry into my ~/.ssh/config file:
Host 192.168.1.123
and under it
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
-
DYoung about 5 years
To add for future people to find, I was connecting via SSH from a Mac running OpenSSH_7.9p1 to a Cisco 3750 switch running: Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(55)SE12, RELEASE SOFTWARE (fc2). I added the following to the client config and was able to ssh in:
KexAlgorithms +diffie-hellman-group1-sha1
Ciphers +aes128-cbc
-
raven about 4 years
-oKexAlgorithms resulted in the same error for me (although I'm using git, not ssh), but the ~/.ssh/config way worked.
-
gaoithe over 3 years
Adding -oCiphers=aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc also on the ssh command line will make it work if you get the no matching cipher message.
-
Hashman over 3 years
For many "internal" servers (where the whole network is locked down to trusted users) diffie-hellman is perfectly sufficient. Disabling it breaks a lot of legacy tools for no good reason, requiring expensive development effort to modify the legacy code that no one has looked at in ages. So having a way to enable it server-side is still valuable.
-
basZero over 3 years
I have the issue that I can't connect to my new Ubuntu 20 server anymore from my iTerminal App on my iPhone. How do I solve this?
-
Stephen Kitt over 3 years
@basZero you’re trying to connect to a server requiring new algorithms with a client which doesn’t support them, which is the opposite scenario to that addressed in my answer; see arod’s answer which explains how to configure your server to allow such connections.
-
Aaron Franke over 3 years
Is there a way to enable this algorithm globally and permanently, so that I don't need to write this in the command every time?
-
Stephen Kitt over 3 years
@Aaron see the middle of the answer, “or more permanently, adding ... to ~/.ssh/config.” You can specify Host *.
-
ali about 3 years
Thank you - your second solution (with the addition of the Ciphers) fixed my problem - I was trying unsuccessfully to ssh to an ancient Mac OS X 10.4 (Tiger) G5 system and this actually worked.
-
Bob Stein about 3 years
rsync -e 'ssh -oKexAlgorithms=+diffie-hellman-group1-sha1' ...
for anyone who gets this "Unable to negotiate" error with rsync.
-
Samir almost 3 years
Adding KexAlgorithms +diffie-hellman-group1-sha1 and the host/server IP on the client side resolved the issue for me.
-
Arrow_Raider about 2 years
Just to put some justification out there: my Cisco devices with SFTP clients use SHA1 and I can't change that. So I needed a server that allows it. I am getting this error: /etc/ssh/sshd_config line 25: Bad SSH2 cipher spec '3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr'