Unable to negotiate with x.x.x.x port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

The Problem

I just got an updated on my macOS Sierra to version 10.12.4 (16E195). Since then, my SSH attempt gets rejected when connecting to our remote CISCO routers. Though, all were running fine before the update.

Here’s the log I was getting:

Awals-MacBook-Air:~ awal$ ssh awal@10.55.11.43
Unable to negotiate with 10.55.11.43 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

Reason

macOS Sierra is rejecting that cipher type because it is very weak (reference: Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice). However, this does not necessary apply for macOS, but any running OS with the latest OpenSSH v7. SHA1 is weak, so support for it has been removed from the newest version of macOS. Because of the latest OpenSSH version, some older (legacy) encryption algorithm have been removed from the default.

But, the problem is, all our devices like Firewalls/Routers/Switches/Servers etc. are probably all using  RSA/SHA1. So until they’re all updated I might need to find a solution for that.

Solution

I had to downgrade the security. It is not recommended though, but I had to access the routers now 🙁

Enabling the diffie-hellman-group1-sha1 key exchange algorithm using the KexAlgorithms option solves the problem. There are two options to do that. I’m using the first one.

1. Using command line

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 username@host

Like I did and was successfully connected to my device as shown below:

Awals-MacBook-Air:~ awal$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 awal@10.55.11.43
The authenticity of host ‘10.55.11.43 (10.55.11.43)’ can’t be established.
RSA key fingerprint is SHA256:6fPLUs8/o0AsaSyXnQtdl6ivQnuvKM5ShFsViIsoPoc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘10.55.11.43’ (RSA) to the list of known hosts.
awal@10.55.11.43’s password:
RP/0/RSP0/CPU0:BdREN#

But, there are also some cases where the remote server request a combination of multiple encryption algorithm. You will know this easily if you specify initially a specific algorithm, and then complain about another algorithm offer.

Awals-MacBook-Air:~ awal$ ssh awal@10.55.11.43
Unable to negotiate with 10.55.11.43 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
Awals-MacBook-Air:~ awal$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 awal@10.55.11.43
Unable to negotiate with 10.55.11.43 port 22: no matching host key type found. Their offer: ssh-dss

In such case, you need to append once more the option such as below:

ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 -o HostKeyAlgorithms=+ssh-dss username@host

2. In the ~/.ssh/config file

Host somehost.example.org KexAlgorithms +diffie-hellman-group1-sha1

To view what configuration is used in the remote device, the following command can be used:

ssh -G username@host

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.