I need to connect to pretty old Linux and FreeBSD boxes from time to time. Some of them date from 2003.
When I try to SSH into such an old box, I’m usually greeted with this error:
ssh oldbox
Unable to negotiate with oldbox port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
In this case, the client and the server can’t agree on a key exchange algorithm. The old FreeBSD server (in my case) proposes key exchange methods that are disabled by default in modern OpenSSH because of their known weaknesses.
To enable such a weak key exchange algorithm for this connection only, run ssh with the -o KexAlgorithms option (the leading + appends the algorithm to the client’s default list instead of replacing it):
ssh -o KexAlgorithms=+diffie-hellman-group-exchange-sha1 oldbox
If you connect to the server on a regular basis, add the following lines to your $HOME/.ssh/config file:
Host oldbox
    KexAlgorithms +diffie-hellman-group-exchange-sha1
Another problem you can run into when connecting to an old server is "no matching cipher found":
ssh oldbox
Unable to negotiate with oldbox port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
You can solve it by specifying a cipher that the remote host supports with the -c option:
ssh -o KexAlgorithms=diffie-hellman-group1-sha1 \
    -c aes128-cbc \
    oldbox
And the last one for today is "no matching host key type found":
ssh oldbox
Unable to negotiate with oldbox port 22: no matching host key type found. Their offer: ssh-dss
Add ssh-dss to the HostKeyAlgorithms option:
ssh -o HostKeyAlgorithms=+ssh-dss oldbox
To check which ciphers your SSH client supports, run:
ssh -Q cipher
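As an added example (not from the original post), here is a small POSIX shell helper that takes one of the "Unable to negotiate" errors above plus the list of algorithms your client knows (what ssh -Q kex, ssh -Q cipher or ssh -Q key prints), finds which of the server’s offered algorithms your client still supports, and emits a Host stanza that re-enables only that one for that host, so the weakened setting never leaks into the global defaults. The sample error and the client list embedded in it are constructed; the host name oldbox is the one used in the post.

```sh
#!/bin/sh
# Added example, not from the original post. Given an "Unable to negotiate"
# error and the list of algorithms the local client supports (what
# `ssh -Q kex`, `ssh -Q cipher` or `ssh -Q key` prints), find which of the
# server's offered algorithms the client still knows and emit a Host stanza
# that re-enables only that one, scoped to that host rather than globally.

# Constructed sample input: the kex error from the post and a made-up client list.
SAMPLE_ERR='Unable to negotiate with oldbox port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1'
SAMPLE_KNOWN='curve25519-sha256
diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha256'

# Print the "Their offer:" algorithms, one per line, in the server's order.
parse_offer() {
    printf '%s\n' "$1" | sed -n 's/.*Their offer: *//p' | tr ',' '\n' |
        sed 's/^ *//; s/ *$//' | grep -v '^$'
}

# Map the error wording to the ssh_config keyword it belongs to.
classify() {
    case "$1" in
        *"no matching key exchange method"*) echo KexAlgorithms ;;
        *"no matching cipher"*)              echo Ciphers ;;
        *"no matching host key type"*)       echo HostKeyAlgorithms ;;
        *) return 1 ;;
    esac
}

# Intersect the offer in $1 with the newline-separated client list in $2.
common_algos() {
    parse_offer "$1" | while IFS= read -r algo; do
        if printf '%s\n' "$2" | grep -Fqx -- "$algo"; then printf '%s\n' "$algo"; fi
    done
}

# stanza HOST ERROR_LINE CLIENT_LIST: print a Host block enabling (with "+",
# so the client defaults stay) the first algorithm both sides support;
# return 1 if there is no overlap at all.
stanza() {
    keyword=$(classify "$2") || return 1
    algo=$(common_algos "$2" "$3" | head -n 1)
    [ -n "$algo" ] || return 1
    printf 'Host %s\n    %s +%s\n' "$1" "$keyword" "$algo"
}

# Offline demo; with a real client pass e.g. "$(ssh -Q kex)" as the third argument.
stanza oldbox "$SAMPLE_ERR" "$SAMPLE_KNOWN"
```

Prefer the algorithm closest to the modern defaults when several overlap (here group14 over group1), and keep the stanza under a single Host entry so the rest of your hosts keep the strict defaults.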