Skip to end of banner
Go to start of banner

opConfig - Troubleshooting

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »

Failed to Test Connection for "Node": Unable to negociate with 11.11.11.11 port X: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

OpenSSH implements all of the cryptographic algorithms needed for compatibility with standards-compliant SSH implementations, but since some of the older algorithms have been found to be weak, not all of them are enabled by default. This page describes what to do when OpenSSH refuses to connect with an implementation that only supports legacy algorithms.

When an SSH client connects to a server, each side offers lists of connection parameters to the other. These are, with the corresponding ssh_config keyword:

  • KexAlgorithms: the key exchange methods that are used to generate per-connection keys
  • HostkeyAlgorithms: the public key algorithms accepted for an SSH server to authenticate itself to an SSH client
  • Ciphers: the ciphers to encrypt the connection
  • MACs: the message authentication codes used to detect traffic modification

For a successful connection, there must be at least one mutually-supported choice for each parameter.

If the client and server are unable to agree on a mutual set of parameters then the connection will fail. OpenSSH (7.0 and greater) will produce an error message like this:

Unable to negotiate with legacyhost: no matching key exchange method found.
Their offer: diffie-hellman-group1-sha1

For the case of the above error message, OpenSSH can be configured to enable the diffie-hellman-group1-sha1 key exchange algorithm (or any other that is disabled by default) using the KexAlgorithms option, either on the command line:

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 user@legacyhost


or in the ~/.ssh/config file:

Host somehost.example.org
KexAlgorithms +diffie-hellman-group1-sha1


We need to update the ssh service (On the server where the weaker crypto algorithm was allowed in  ~/.ssh/config): 

restart sshd.service 




  • No labels