Connect to old SSH server

tags: ssh

I need to connect to pretty old Linux and FreeBSD boxes from time to time. Some of them are from the year 2003.

When I try to SSH into such an old box, I'm usually greeted with the error:

ssh oldbox

Unable to negotiate with oldbox port 22: no matching key exchange method found.
Their offer: diffie-hellman-group-exchange-sha1,
             diffie-hellman-group14-sha1,
             diffie-hellman-group1-sha1

In this case, the client and the server can't agree on a key exchange algorithm. The old FreeBSD server (in my case) offers key exchange methods that are disabled by default in modern SSH because of their weaknesses.

To enable such a weak key exchange algorithm, run ssh with the -o KexAlgorithms option. The leading + appends the algorithm to the client's default list instead of replacing the list:

ssh -o KexAlgorithms=+diffie-hellman-group-exchange-sha1 oldbox

If you connect to the server on a regular basis, add the following lines to your $HOME/.ssh/config file. Scoping the option to a Host block keeps the weak algorithm disabled for every other host:

Host oldbox
    KexAlgorithms +diffie-hellman-group-exchange-sha1

Another problem you may face when connecting to an old server is no matching cipher found:

ssh oldbox

Unable to negotiate with oldbox port 22: no matching cipher found.
Their offer: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
             aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se

You can solve it by specifying a cipher (with the -c option) that the remote host supports:

ssh -o KexAlgorithms=diffie-hellman-group1-sha1 \
    -c aes128-cbc \
    oldbox

And the last one for today is no matching host key type found:

ssh oldbox

Unable to negotiate with oldbox port 22: no matching host key type found.
Their offer: ssh-dss

Add ssh-dss to the HostKeyAlgorithms option:

ssh -o HostKeyAlgorithms=+ssh-dss oldbox

To check which ciphers your SSH client supports, run:

ssh -Q cipher
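
The three fixes above can be combined into one per-host config stanza. The script below is an added example, not part of the original post: it reads "Unable to negotiate" errors and enables a single legacy algorithm per category for that host only. The function names, the PREFS ordering and the sample input (assembled from the messages quoted above) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): build a per-host ssh_config
# stanza from "Unable to negotiate" errors, one legacy algorithm per category.
# PREFS is this example's assumption: the order in which offered legacy
# algorithms are preferred, least weak first within each category.
PREFS="diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 \
diffie-hellman-group1-sha1 aes256-cbc aes192-cbc aes128-cbc 3des-cbc ssh-rsa ssh-dss"

legacy_stanza() {   # usage: legacy_stanza HOST < ssh-error-text
    awk -v host="$1" -v prefs="$PREFS" '
    BEGIN { n = split(prefs, order, " ") }
    # The error names the category; the offer may share the line or wrap.
    /no matching key exchange method found/ { opt = "KexAlgorithms"; grab = 0 }
    /no matching cipher found/              { opt = "Ciphers"; grab = 0 }
    /no matching host key type found/       { opt = "HostKeyAlgorithms"; grab = 0 }
    /Their offer:/ { sub(/.*Their offer:/, ""); grab = 1 }
    grab && opt != "" {
        gsub(/[ \t\r]/, "")
        if ($0 == "") grab = 0                  # blank line ends a wrapped offer
        else offer[opt] = offer[opt] "," $0
    }
    END {
        print "Host " host
        split("KexAlgorithms Ciphers HostKeyAlgorithms", opts, " ")
        for (i = 1; i <= 3; i++) {
            o = opts[i]; pick = ""
            if (!(o in offer)) continue         # category negotiated fine
            for (j = 1; j <= n && pick == ""; j++)
                if (index(offer[o] ",", "," order[j] ",")) pick = order[j]
            if (pick != "") print "    " o " +" pick
            else print "    # " o ": no offered algorithm is on the preference list"
        }
    }'
}

sample_errors() {   # constructed sample input
cat <<'EOF'
Unable to negotiate with oldbox port 22: no matching key exchange method found.
Their offer: diffie-hellman-group-exchange-sha1,
             diffie-hellman-group14-sha1,
             diffie-hellman-group1-sha1

Unable to negotiate with oldbox port 22: no matching cipher found.
Their offer: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
             aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
EOF
}

sample_errors | legacy_stanza oldbox
```

Before using the generated stanza, check each chosen name against ssh -Q kex, ssh -Q cipher and ssh -Q key, since the client may no longer support it at all.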

Useful links