I just got an update on my macOS Sierra to version 10.12.4 (16E195). Since then, my SSH attempts get rejected when connecting to our remote Cisco routers, though all of them were running fine before the update.
Here’s the log I was getting:
macOS Sierra is rejecting that key exchange algorithm because it is very weak (reference: Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice). This is not specific to macOS, however: it applies to any OS running the latest OpenSSH v7. SHA1 is weak, so support for it has been removed from the newest version of macOS. With the latest OpenSSH version, some older (legacy) encryption algorithms have been removed from the defaults.
But the problem is that all our devices (firewalls, routers, switches, servers, etc.) are probably still using RSA/SHA1. So until they are all updated, I need to find a workaround.
I had to downgrade the security. It is not recommended, but I had to access the routers now 🙁
Enabling the diffie-hellman-group1-sha1 key exchange algorithm with the KexAlgorithms option solves the problem. There are two ways to do that; I am using the first one.
1. Using the command line
This is what I did, and I was successfully connected to my device, as shown below:
There are also cases where the remote server requires more than one legacy algorithm. You will notice this easily: after you specify one algorithm, ssh complains about another algorithm the server offers.
In such a case, append the option once more, as below:
2. In the ~/.ssh/config file
To view which configuration is used for the remote device, the following command can be used:
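As an added example (not from the original post), the script below scopes the legacy key exchange to named devices in a config file rather than enabling it for every host, and lints the result so the weak algorithm never ends up under a bare `Host *`. Hostnames, the login user and file paths are placeholders; the `+` prefix appends to the OpenSSH default list instead of replacing it.

```sh
#!/bin/sh
# Added example, not the original post's code. Writes a ~/.ssh/config-style
# file that enables diffie-hellman-group1-sha1 only for named legacy devices,
# then checks that the weak algorithm was not enabled under "Host *".
# Hostnames, user and file paths are placeholders.

legacy_kex_stanza() {
  # $1 = Host pattern(s), $2 = login user, $3 = optional extra legacy options,
  # e.g. "Ciphers +aes128-cbc" when the device also needs an old cipher.
  # The leading '+' appends to OpenSSH's defaults, so strong algorithms
  # are still offered first and used where the server supports them.
  printf 'Host %s\n    User %s\n    KexAlgorithms +diffie-hellman-group1-sha1\n' "$1" "$2"
  if [ -n "$3" ]; then
    printf '%s\n' "$3" | sed 's/^/    /'
  fi
  printf '\n'
}

write_legacy_config() {
  # $1 = path of the config file to write (use ~/.ssh/config for real use)
  {
    echo "# Legacy Cisco devices that only offer SHA1-based key exchange"
    legacy_kex_stanza "router1.example.internal 10.0.0.*" "netadmin"
    legacy_kex_stanza "switch-old.example.internal" "netadmin" "Ciphers +aes128-cbc"
    echo "# Everything else keeps the OpenSSH defaults"
    echo "Host *"
    echo "    HashKnownHosts yes"
  } > "$1"
  chmod 600 "$1"
}

legacy_kex_is_scoped() {
  # Returns 0 when diffie-hellman-group1-sha1 never appears under a bare
  # "Host *" block, 1 when it does (the weak KEX leaked to every host).
  awk '
    tolower($1) == "host"  { global = (NF == 2 && $2 == "*") }
    tolower($1) == "match" { global = 0 }
    /diffie-hellman-group1-sha1/ && global { bad = 1 }
    END { exit bad }
  ' "$1"
}

# Typical use: write the file, lint it, then inspect the effective options
# for one device without connecting:
#   ssh -G -F "$HOME/.ssh/config" router1.example.internal | grep -i kexalgorithms
```

The one-off command-line equivalent of a stanza is `ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 user@device`, with a second `-o` (for example `-o Ciphers=+aes128-cbc`) when the device also needs an old cipher.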