How to enable diffie-hellman-group1-sha1 key exchange on Debian 8.0?
41 votes
I am unable to ssh to a server that asks for a diffie-hellman-group1-sha1 key exchange method:
    ssh 123.123.123.123
    Unable to negotiate with 123.123.123.123 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
How to enable the diffie-hellman-group1-sha1 key exchange method on Debian 8.0?
I have tried (as proposed here) to
add the following lines to my /etc/ssh/ssh_config
    KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
    Ciphers 3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr
regenerate keys with
    ssh-keygen -A
restart ssh with
    service ssh restart
but still get the error.
debian ssh openssh key-authentication ssh-agent
edited Apr 9 '17 at 14:36 by Rui F Ribeiro
asked Jan 28 '17 at 20:17 by j1088099.mvrht.com.
I have the same happening to me with Debian 9.
– Rui F Ribeiro, Apr 9 '17 at 14:37
Try this diffie-hellman-group-exchange-sha256
– Miguel, Mar 22 at 16:46
2 Answers
Accepted answer, 57 votes
The OpenSSH website has a page dedicated to legacy issues such as this one. It suggests the following approach, on the client:
    ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 123.123.123.123
or more permanently, adding
    Host 123.123.123.123
        KexAlgorithms +diffie-hellman-group1-sha1
to ~/.ssh/config.
This will enable the old algorithms on the client, allowing it to connect to the server.
edited Oct 5 '17 at 7:14
answered Jan 28 '17 at 21:08 by Stephen Kitt
I also faced this problem today, but that was due to the network. I changed the network and the issue was gone
– Luv33preet, Jun 14 '17 at 9:59
Tried above, but got Unable to negotiate with 192.168.1.123 port 22222: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes256-cbc,twofish256-cbc,twofish-cbc,twofish128-cbc,blowfish-cbc
– ifelsemonkey, Jul 31 at 22:01
@ifelsemonkey that’s a different problem, note that the offer you get isn’t the same as the one in the question.
– Stephen Kitt, Aug 1 at 6:20
Confirmed it was a different problem. I was able to resolve it by adding the following entry into my ~/.ssh/config file. Host 192.168.1.123 and under it Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc.
– ifelsemonkey, Aug 1 at 17:18
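Added example (not part of the original answers and not OpenSSH's own code): a shell helper that turns an "Unable to negotiate" line into the Host-scoped "+" stanza described in the accepted answer. It covers the key-exchange error from the question and the cipher error from the comments, and goes one step further by also recognising the MAC variant. The function name legacy_stanza and the sample supported-algorithm lists are assumptions made for illustration; without a second argument the helper asks the local client via ssh -Q.

```shell
#!/bin/sh
# Added example: build a Host-scoped ssh_config stanza from an ssh
# "Unable to negotiate" error. legacy_stanza is a hypothetical helper name.

# legacy_stanza ERROR_LINE [SUPPORTED]
#   SUPPORTED: newline-separated algorithms the local client implements;
#   defaults to the output of `ssh -Q kex|cipher|mac`.
legacy_stanza() {
    line=$1
    # Map the failure reason to the ssh_config keyword that controls it.
    case $line in
        *"no matching key exchange method found"*) keyword=KexAlgorithms query=kex ;;
        *"no matching cipher found"*)              keyword=Ciphers query=cipher ;;
        *"no matching MAC found"*)                 keyword=MACs query=mac ;;
        *) echo "not a negotiation error" >&2; return 1 ;;
    esac
    host=$(printf '%s\n' "$line" |
        sed -n 's/^Unable to negotiate with \([^ ]*\) port [0-9]*:.*/\1/p')
    # Accept only characters that occur in algorithm names.
    offer=$(printf '%s\n' "$line" |
        sed -n 's/.*Their offer: *\([A-Za-z0-9@.,_-]*\)$/\1/p')
    if [ -z "$host" ] || [ -z "$offer" ]; then
        echo "cannot parse host or offer" >&2; return 1
    fi
    supported=${2-$(ssh -Q "$query")}

    # Keep only offered algorithms this client implements: naming an
    # unknown one after "+" makes ssh reject the whole config line.
    usable=
    old_ifs=$IFS; IFS=,
    for alg in $offer; do
        if printf '%s\n' "$supported" | grep -Fqx -- "$alg"; then
            usable=${usable:+$usable,}$alg
        fi
    done
    IFS=$old_ifs
    if [ -z "$usable" ]; then
        echo "client implements none of: $offer" >&2; return 2
    fi
    # "+" appends to the client's defaults instead of replacing them.
    printf 'Host %s\n    %s +%s\n' "$host" "$keyword" "$usable"
}

# Constructed demo: the two error lines quoted on this page, with made-up
# SUPPORTED lists so the script runs without an ssh binary.
kex_err='Unable to negotiate with 123.123.123.123 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1'
cipher_err='Unable to negotiate with 192.168.1.123 port 22222: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes256-cbc,twofish256-cbc,twofish-cbc,twofish128-cbc,blowfish-cbc'
legacy_stanza "$kex_err" 'curve25519-sha256
diffie-hellman-group1-sha1'
legacy_stanza "$cipher_err" 'aes128-ctr
aes128-cbc
3des-cbc
aes256-cbc'
```

The appended names keep the server's order; trim the generated line to the single algorithm you are prepared to accept before placing it in ~/.ssh/config.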
Answer, 12 votes
I tried this solution, but my problem was that I had many (legacy) clients connecting to my recently upgraded server (Ubuntu 14 -> Ubuntu 16).
The change from openssh6 -> openssh7 disabled by default the diffie-hellman-group1-sha1 key exchange method.
After reading this and this I came up with the changes I needed to do to the /etc/ssh/sshd_config file:
    #Legacy changes
    KexAlgorithms +diffie-hellman-group1-sha1
    Ciphers +aes128-cbc
But a wider legacy set of changes is (taken from here):
    #Legacy changes
    KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
    Ciphers 3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr
answered Jun 12 '17 at 17:54 by arod
Hopefully you’ll be able to upgrade your clients at some point, the legacy algorithms were disabled for very good reasons and shouldn’t be re-enabled lightly (you probably realise that, I just thought it worth pointing out for other readers).
– Stephen Kitt, Jun 14 '17 at 11:10
This works on the server side (unlike the very similar, accepted answer which focused on the client-side.)
– knb, Sep 15 '17 at 12:50