Mac OS Sierra – No matching key exchange method found

I’ve been running into this issue when attempting to connect to some of my Cisco equipment over SSH. I found this article by Kevin G. – itechlounge.net in which he described what was going on and how to work around it. This isn’t my work; I’m basically referencing his article here verbatim.

The problem is that OpenSSH 7 has deprecated the use of certain key exchange algorithms. The algorithm that my 4507 Core Switch supports is diffie-hellman-group1-sha1. This algorithm has been removed from the defaults in OpenSSH 7, so when you attempt to connect you will receive the following error.

Unable to negotiate with 10.10.254.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

Unfortunately, Kevin says that the way to get around this is to make your connection string extremely long and difficult so that you can manually tell OpenSSH to use the supported algorithm. He didn’t actually say that, but that’s what has to happen. If you’re a Mac user, an easy way to get around having to type in that connection string every time is to create an alias in your .bash_profile. I’ll show you what mine looks like in a second.

First, if you’re unsure, you should check which key exchange algorithms the devices you’re trying to connect to support. You can do this by typing the following.

ssh -p22 -G user@<IP_Address>

It will display a bunch of output, but what you’ll want to look for is the line for kexalgorithms.

kexalgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1

So in order to force OpenSSH 7 to use a specific algorithm, you can use the following line.

ssh -p22 -o KexAlgorithms=+diffie-hellman-group1-sha1 user@ipaddress

Since I refuse to type all of this every time I want to connect to a device, I will edit my .bash_profile.

alias wrncore='ssh -p22 -o KexAlgorithms=+diffie-hellman-group1-sha1 aburns@10.10.254.1'

Once I save that and restart Terminal, I can connect to the switch with no issues by simply typing wrncore.
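As an added example (not from the original post or Kevin’s article), the helpers below do the two checks a practitioner wants before weakening the client: pull the server’s offer straight out of the “Unable to negotiate” error (which is where the device’s supported methods actually appear; ssh -G prints the client’s own effective configuration, and ssh -Q kex lists every method the client build supports, including ones that are no longer defaults), intersect that offer with what the client can do, and then emit a ~/.ssh/config Host block so that the legacy 1024-bit diffie-hellman-group1-sha1 is enabled for that one device only rather than being baked into a shell alias. The host alias, user and supported list in the block are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post. Host alias, user name and the
# sample "supported" list are constructed values.

# Extract the comma-separated list after "Their offer:" from the ssh error line.
offered_kex() {
    printf '%s\n' "$1" | sed -n 's/.*Their offer: *//p'
}

# Extract the host address from "Unable to negotiate with <host> port <n> ...".
offered_host() {
    printf '%s\n' "$1" | sed -n 's/^Unable to negotiate with \([^ ]*\) port [0-9]*.*/\1/p'
}

# Given the server's offer (comma-separated) and the client's supported methods
# (one per line, e.g. the output of `ssh -Q kex`), print the methods both sides
# can use. An empty result means no per-host override will help.
common_kex() {
    offered=$1; supported=$2
    for m in $(printf '%s\n' "$offered" | tr ',' ' '); do
        if printf '%s\n' "$supported" | grep -qxF -- "$m"; then
            printf '%s\n' "$m"
        fi
    done
}

# Emit a ~/.ssh/config stanza scoped to one Host alias. The "+" prefix appends
# the legacy method to the client's default list for this host only, so every
# other connection keeps the OpenSSH 7 defaults.
kex_host_block() {
    alias_name=$1; host=$2; user=$3; kex=$4
    printf 'Host %s\n    HostName %s\n    User %s\n    Port 22\n    KexAlgorithms +%s\n' \
        "$alias_name" "$host" "$user" "$kex"
}

# Constructed sample input: the error message quoted in the post, and a
# constructed subset of what `ssh -Q kex` might print on the client.
SAMPLE_ERR='Unable to negotiate with 10.10.254.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1'
SAMPLE_SUPPORTED=$(printf 'curve25519-sha256\ndiffie-hellman-group1-sha1\ndiffie-hellman-group14-sha1')

# Stand-alone run: show the offer, the usable intersection, and the config block.
offered=$(offered_kex "$SAMPLE_ERR")
host=$(offered_host "$SAMPLE_ERR")
usable=$(common_kex "$offered" "$SAMPLE_SUPPORTED")
printf 'offer from %s: %s\nusable on this client: %s\n\n' "$host" "$offered" "$usable"
kex_host_block wrncore "$host" aburns "$usable"
```

Append the emitted stanza to ~/.ssh/config and the connection becomes plain `ssh wrncore`, with the weakened key exchange confined to that one HostName; the alias in .bash_profile is no longer needed.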
