How to enable diffie-hellman-group1-sha1 key exchange on Debian 8.0?

I am unable to ssh to a server that asks for a diffie-hellman-group1-sha1 key exchange method:

    ssh 123.123.123.123
    Unable to negotiate with 123.123.123.123 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

How to enable the diffie-hellman-group1-sha1 key exchange method on Debian 8.0?

I have tried (as proposed here) to

  1. add the following lines to my /etc/ssh/ssh_config

    KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
    Ciphers 3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr

  2. regenerate keys with

    ssh-keygen -A

  3. restart ssh with

    service ssh restart

but still get the error.

debian ssh openssh key-authentication ssh-agent






edited Apr 9 '17 at 14:36 by Rui F Ribeiro
asked Jan 28 '17 at 20:17 by j1088099.mvrht.com.

  • I have the same happening to me with Debian 9.
    – Rui F Ribeiro
    Apr 9 '17 at 14:37

  • Try this diffie-hellman-group-exchange-sha256
    – Miguel
    Mar 22 at 16:46

2 Answers
Answer (57 votes, accepted)

The OpenSSH website has a page dedicated to legacy issues such as this one. It suggests the following approach, on the client:

    ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 123.123.123.123

or more permanently, adding

    Host 123.123.123.123
        KexAlgorithms +diffie-hellman-group1-sha1

to ~/.ssh/config.

This will enable the old algorithms on the client, allowing it to connect to the server.

edited Oct 5 '17 at 7:14
answered Jan 28 '17 at 21:08 by Stephen Kitt

  • I also faced this problem today, but that was due to the network. I changed the network and the issue was gone
    – Luv33preet
    Jun 14 '17 at 9:59

  • Tried above, but got Unable to negotiate with 192.168.1.123 port 22222: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes256-cbc,twofish256-cbc,twofish-cbc,twofish128-cbc,blowfish-cbc
    – ifelsemonkey
    Jul 31 at 22:01

  • @ifelsemonkey that’s a different problem, note that the offer you get isn’t the same as the one in the question.
    – Stephen Kitt
    Aug 1 at 6:20

  • Confirmed it was a different problem. I was able to resolve it by adding the following entry into my ~/.ssh/config file. Host 192.168.1.123 and under it Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc.
    – ifelsemonkey
    Aug 1 at 17:18
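
The two failures in this thread ("no matching key exchange method", then "no matching cipher") come from the client walking its own preference list for each algorithm type and taking the first entry the server also offers. The following is an added example, not code from the answer or from OpenSSH: it models that selection in simplified form and compares a `+` entry with the explicit list from the question. The default lists, the two sample servers and all function names are constructed for the illustration.

```python
# Simplified model of SSH algorithm negotiation (RFC 4253, section 7.1).
# Host key, MAC and compression negotiation are left out.

# Constructed sample defaults; real defaults differ between OpenSSH releases.
DEFAULT_KEX = [
    "curve25519-sha256@libssh.org",
    "ecdh-sha2-nistp256",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group14-sha1",
]
DEFAULT_CIPHERS = ["aes128-ctr", "aes192-ctr", "aes256-ctr"]

# Constructed peers: one limited to offers like those in the error messages on
# this page, one that still accepts group1 alongside modern methods.
LEGACY_SERVER = {
    "kex": ["diffie-hellman-group1-sha1"],
    "ciphers": ["aes128-cbc", "3des-cbc", "aes256-cbc"],
}
MIXED_SERVER = {
    "kex": ["curve25519-sha256@libssh.org", "diffie-hellman-group14-sha1",
            "diffie-hellman-group1-sha1"],
    "ciphers": ["aes128-ctr", "aes256-ctr", "aes128-cbc"],
}

# The explicit KexAlgorithms list from the question (it replaces the defaults).
QUESTION_KEX = ("diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,"
                "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,"
                "diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1")


def effective_list(defaults, directive=None):
    """'+a,b' appends to the defaults; a plain 'a,b' replaces them."""
    if not directive:
        return list(defaults)
    names = [n for n in directive.lstrip("+").split(",") if n]
    if directive.startswith("+"):
        return list(defaults) + [n for n in names if n not in defaults]
    return names


def pick(client_list, server_offer):
    """First name on the client's list that the server also offers, else None."""
    return next((n for n in client_list if n in server_offer), None)


def negotiate(server, kex=None, ciphers=None):
    """Return (kex, cipher), or an error string modelled on the ssh client's."""
    chosen_kex = pick(effective_list(DEFAULT_KEX, kex), server["kex"])
    if chosen_kex is None:
        return ("no matching key exchange method found. Their offer: "
                + ",".join(server["kex"]))
    chosen_cipher = pick(effective_list(DEFAULT_CIPHERS, ciphers), server["ciphers"])
    if chosen_cipher is None:
        return "no matching cipher found. Their offer: " + ",".join(server["ciphers"])
    return chosen_kex, chosen_cipher


if __name__ == "__main__":
    plus = "+diffie-hellman-group1-sha1"
    print(negotiate(LEGACY_SERVER))                    # key exchange mismatch
    print(negotiate(LEGACY_SERVER, kex=plus))          # next failure: cipher
    print(negotiate(LEGACY_SERVER, kex=plus, ciphers="+aes128-cbc"))
    print(negotiate(MIXED_SERVER, kex=plus))           # group1 is the last resort
    print(negotiate(MIXED_SERVER, kex=QUESTION_KEX))   # group1 is the first choice
```

With the `+` form, group1 sits at the end of the client's list and is chosen only when nothing else matches; with the question's explicit list it is chosen whenever the server offers it.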

















Answer (12 votes)

I tried this solution, but my problem was that I had many (legacy) clients connecting to my recently upgraded server (Ubuntu 14 -> Ubuntu 16).

The change from openssh6 -> openssh7 disabled by default the diffie-hellman-group1-sha1 key exchange method.

After reading this and this I came up with the changes I needed to do to the /etc/ssh/sshd_config file:

    #Legacy changes
    KexAlgorithms +diffie-hellman-group1-sha1
    Ciphers +aes128-cbc

But a wider legacy set of changes is (taken from here)

    #Legacy changes
    KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
    Ciphers 3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr

answered Jun 12 '17 at 17:54 by arod

  • Hopefully you’ll be able to upgrade your clients at some point, the legacy algorithms were disabled for very good reasons and shouldn’t be re-enabled lightly (you probably realise that, I just thought it worth pointing out for other readers).
    – Stephen Kitt
    Jun 14 '17 at 11:10

  • This works on the server side (unlike the very similar, accepted answer which focused on the client-side.)
    – knb
    Sep 15 '17 at 12:50
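
A server-side change applies to every connecting client, so it helps to know exactly where legacy algorithms have been re-enabled and with what scope. The audit below is an added example (not part of the answer, and not an OpenSSH tool): it reads ssh_config or sshd_config text and reports each KexAlgorithms or Ciphers line that enables one of the algorithms named on this page. The LEGACY set, the sample inputs and the function names are assumptions of the example.

```python
import re

# Assumption of this example: "legacy" means the algorithms the posts on this
# page re-enable; extend the set to match local policy.
LEGACY = {"diffie-hellman-group1-sha1", "3des-cbc", "blowfish-cbc", "aes128-cbc"}
WATCHED = {"kexalgorithms", "ciphers"}
MODES = {"+": "append", "^": "prepend"}

# Constructed inputs built from the snippets quoted on this page.
SCOPED_CLIENT = """\
Host 123.123.123.123
    KexAlgorithms +diffie-hellman-group1-sha1
"""
GLOBAL_LIST = """\
#Legacy changes
KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
Ciphers 3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr
"""


def audit(config_text):
    """Return (line_no, scope, keyword, mode, legacy_names) for each directive
    that enables a legacy algorithm. scope is 'global' until a Host or Match
    line is seen, then the text of that line."""
    findings, scope = [], "global"
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and value are separated by whitespace or '='.
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        keyword = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword.lower() in ("host", "match"):
            scope = f"{keyword} {value}"
            continue
        if keyword.lower() not in WATCHED or value.startswith("-"):
            continue  # a '-' list removes algorithms, so it enables nothing
        mode = MODES.get(value[:1], "replace")
        names = [n for n in value.lstrip("+^").split(",") if n]
        hits = [n for n in names if n in LEGACY]
        if hits:
            findings.append((line_no, scope, keyword, mode, hits))
    return findings


def broad(findings):
    """Findings that apply to every peer: global scope or a wildcard Host pattern."""
    return [f for f in findings
            if f[1] == "global" or any(c in f[1] for c in "*?")]


if __name__ == "__main__":
    for name, text in (("scoped client", SCOPED_CLIENT), ("global list", GLOBAL_LIST)):
        found = audit(text)
        print(name, found, "broad:", len(broad(found)))
```

A `replace` finding also means the directive pins the whole list, so algorithms added to the defaults by a later OpenSSH release are not picked up until the line is edited.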











