tags: ssh
When you try to connect via SSH to a pretty old Linux or BSD box, you are usually greeted with an error:
ssh oldbox.example.com
Unable to negotiate with oldbox port 22: no matching key exchange method found.
Their offer: diffie-hellman-group-exchange-sha1,
diffie-hellman-group14-sha1,
diffie-hellman-group1-sha1
In this case, the client and the server can't agree on a key exchange algorithm. The old FreeBSD 6.0 server (in my case) proposes key exchange methods which are disabled by default in modern SSH because of their weaknesses.
To enable such a weak key exchange algorithm, run ssh with the -o KexAlgorithms option (the leading + appends the algorithm to the client's default list instead of replacing it):
ssh -o KexAlgorithms=+diffie-hellman-group-exchange-sha1 oldbox
If you connect to the server on a regular basis, add the following lines to your $HOME/.ssh/config file:
Host oldbox
KexAlgorithms +diffie-hellman-group-exchange-sha1
Another problem you can face when connecting to an old server is no matching cipher found.
ssh oldbox
Unable to negotiate with oldbox port 22: no matching cipher found.
Their offer: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
You can solve it by providing a cipher (with the -c option) which the remote host supports. Note that KexAlgorithms is given here without a leading +, so it replaces the client's key exchange list for this invocation rather than extending it:
ssh -o KexAlgorithms=diffie-hellman-group1-sha1 \
-c aes128-cbc \
oldbox
And the last one for today is no matching host key type found:
ssh oldbox
Unable to negotiate with oldbox port 22: no matching host key type found.
Their offer: ssh-dss
Add ssh-dss to the HostKeyAlgorithms option:
ssh -o HostKeyAlgorithms=+ssh-dss oldbox
To check which ciphers your SSH client supports, run (ssh -Q kex and ssh -Q key list the key exchange and host key algorithms in the same way):
ssh -Q cipher
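Putting the three cases together, here is an added helper script (not from the original post) that turns the "Their offer:" list from any of the negotiation errors above into a per-host config stanza, enabling only the offered algorithms that the local client still implements and scoping them to that one Host so the weakened settings never leak to other connections. The error text and the client's kex list below are constructed samples standing in for real ssh output and ssh -Q kex; the hostname oldbox is assumed.

```shell
# Constructed sample of the error the page shows (not a live capture).
SAMPLE_ERR='Unable to negotiate with oldbox port 22: no matching key exchange method found.
Their offer: diffie-hellman-group-exchange-sha1,
diffie-hellman-group14-sha1,
diffie-hellman-group1-sha1'
# Constructed stand-in for `ssh -Q kex` on a client that has dropped group1.
CLIENT_KEX='curve25519-sha256
diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha1'

# Map the "no matching ... found" wording to "<ssh_config keyword> <ssh -Q name>".
keyword_for_error() {
  case "$1" in
    *"no matching key exchange method"*) echo "KexAlgorithms kex" ;;
    *"no matching cipher"*)              echo "Ciphers cipher" ;;
    *"no matching host key type"*)       echo "HostKeyAlgorithms key" ;;
    *) echo "unrecognised negotiation error" >&2; return 1 ;;
  esac
}

# Print the "Their offer:" algorithms one per line, even when ssh wrapped them.
offered_algorithms() {
  printf '%s\n' "$1" | tr '\n' ' ' | sed 's/.*Their offer:[[:space:]]*//' \
    | tr -d ' ' | awk -F, '{ for (i = 1; i <= NF; i++) if ($i != "") print $i }'
}

# Keep only offered algorithms the client still implements ($2: one per line).
negotiable() {
  offered_algorithms "$1" | while IFS= read -r alg; do
    if printf '%s\n' "$2" | grep -qFx -- "$alg"; then printf '%s\n' "$alg"; fi
  done
}

# Emit a Host stanza that appends ("+") only those algorithms, so the weakened
# settings apply to this one host and the defaults stay intact everywhere else.
host_stanza() {   # host, error text, client-supported list
  pair=$(keyword_for_error "$2") || return 1
  algs=$(negotiable "$2" "$3" | tr '\n' ',' | sed 's/,$//')
  [ -n "$algs" ] || { echo "client supports none of the offered algorithms" >&2; return 1; }
  printf 'Host %s\n    %s +%s\n' "$1" "${pair%% *}" "$algs"
}

# Live use: capture the real error, then query this client's own algorithm list.
fix_host() {   # usage: fix_host oldbox.example.com
  err=$(ssh -o BatchMode=yes -o ConnectTimeout=5 "$1" exit 2>&1) || :
  pair=$(keyword_for_error "$err") || return 1
  host_stanza "$1" "$err" "$(ssh -Q "${pair#* }")"
}
```

Append the printed stanza to $HOME/.ssh/config; if the server offers nothing the client still knows, the script reports that instead of weakening anything.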