OSX 10.11 Bad SSH2 KexAlgorithms '+diffie-hellman-group1-sha1'
This feature (the + sign) is supported from OpenSSH 7.0:
If you need to use this specific algorithm, you need to specify it directly in ~/.ssh/config, such as

    KexAlgorithms diffie-hellman-group1-sha1
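
The version rule from the answer above, as an added example (not code from the original post or from OpenSSH): a shell helper that reads the client's `ssh -V` banner and emits a `~/.ssh/config` stanza that uses `+` only on 7.0 or later, scoped to a single host. The function names, the host alias `legacy-host` and the sample `ssh -Q kex` list are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: pick the KexAlgorithms syntax the local OpenSSH client can parse.
# Function names, the host alias and the sample data are assumptions.

# Print the major version from an `ssh -V` banner such as
# "OpenSSH_6.9p1, LibreSSL 2.1.8"; return 1 if the banner is not recognised.
ssh_major() {
    case "$1" in
        OpenSSH_[0-9]*) ;;
        *) return 1 ;;
    esac
    rest=${1#OpenSSH_}
    printf '%s\n' "${rest%%[!0-9]*}"
}

# kex_stanza HOST BANNER SUPPORTED ALGO
# SUPPORTED is the newline-separated output of `ssh -Q kex`.
kex_stanza() {
    host=$1; banner=$2; supported=$3; algo=$4
    major=$(ssh_major "$banner") || { echo "unrecognised banner" >&2; return 2; }
    # Refuse to emit a name the client does not implement (a pasted "+name" fails here).
    printf '%s\n' "$supported" | grep -qxF -- "$algo" || {
        echo "client does not implement: $algo" >&2; return 3; }
    if [ "$major" -ge 7 ]; then
        line="KexAlgorithms +$algo"   # 7.0 and later: append to the defaults
    else
        line="KexAlgorithms $algo"    # before 7.0: plain list, no "+"
    fi
    # Scope the setting to the one host that needs it.
    printf 'Host %s\n    %s\n' "$host" "$line"
}

# Real use (ssh -V writes its banner to stderr):
#   kex_stanza legacy-host "$(ssh -V 2>&1)" "$(ssh -Q kex)" diffie-hellman-group1-sha1
# Constructed sample: the banner from the question and a shortened `ssh -Q kex` list.
SAMPLE_KEX='diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
ecdh-sha2-nistp256'
kex_stanza legacy-host 'OpenSSH_6.9p1, LibreSSL 2.1.8' "$SAMPLE_KEX" diffie-hellman-group1-sha1
```
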
Author: Community
Updated on September 18, 2022
Comments
-
Community over 1 year
I have updated my /etc/ssh/sshd_config file based on the answers provided here - OSX 10.11 enable ssh diffie-hellman-group1-sha1
https://stackoverflow.com/questions/26424621/algorithm-negotiation-fail-ssh-in-jenkins

    # Ciphers and keying
    Ciphers 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,arcfour128,arcfour256,aes128-cbc,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],[email protected]
    #RekeyLimit default none
    KexAlgorithms [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

And restarted the SSHD daemon using these commands:

    sudo launchctl unload /System/Library/LaunchDaemons/ssh.plist
    sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist

But still I am getting the same error:

    id$ git clone ssh://<user>@<host>:<port>/<repo>
    Cloning into 'xxxxx'...
    Unsupported KEX algorithm "+diffie-hellman-group1-sha1"
    /Users/<user>/.ssh/config line 2: Bad SSH2 KexAlgorithms '+diffie-hellman-group1-sha1'.
    fatal: Could not read from remote repository.
    Please make sure you have the correct access rights and the repository exists.

I am on OpenSSH_6.9p1, LibreSSL 2.1.8.
Any help here would be much appreciated.
-
Castaglia about 8 years
From the error message, it looks like you might also want to double-check the contents of the /Users/<user>/.ssh/config client config file; I suspect that the culprit may lie there, not in the server-side config files.
-
-
tuk0z over 6 years
Bad SSH2 KexAlgorithms '+ here because OpenSSH prior to v7 does not "understand" the '+diffie-hellman-group1-sha1' syntax you used. I have that too with a Debian Jessie server. You can cure this by listing your server supported ciphers with ssh -Q cipher, copy/paste the result in sshd_config, then adding your wanted cipher. E.g. Ciphers [email protected], (...),diffie-hellman-group1-sha1. Note I've put no "+".
-
Jakuje over 6 years
That is precisely what I wrote in this answer.
-
tuk0z over 6 years
You pinpointed the cause of OP's issue; I explain how to cure it on the server side.
-
Jakuje over 6 years
@tuk0z The ssh -Q cipher lists client supported ciphers. The diffie-hellman-group1-sha1 is not a cipher, but a key exchange algorithm. Doing as you wrote would prevent your sshd server from starting, because it is an invalid value for ciphers.
-
tuk0z about 6 years
Yes. So with OpenSSH prior to v7 we need to add any supported Key exchange algorithm using the old syntax, e.g. KexAlgorithms [default Kex],diffie-hellman-group1-sha1 that is without the + in /etc/ssh/sshd_config. My bad for mixing Cipher and Kex in my previous comment and thank you @jakuje for noticing!