I’ve been running into this issue when attempting to connect to some of my Cisco equipment over SSH. I found this article by Kevin G. – in which he described what was going on and how to work around it. This isn’t my work; I’m basically referencing his article here verbatim.

The problem is that OpenSSH 7 has dropped certain legacy algorithms from its defaults. The only key exchange algorithm my 4507 Core Switch supports is diffie-hellman-group1-sha1, and that algorithm has been removed from the default key exchange list in OpenSSH 7. Therefore when you attempt to connect you will receive the following error.

Unable to negotiate with port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

Unfortunately, Kevin says that the way to get around this is to make your connection string extremely long and difficult so that you can manually tell OpenSSH to use the supported key exchange algorithm. He didn’t actually say that, but that’s what has to happen. If you’re a Mac user, an easy way to avoid typing that connection string every time is to create an alias in your .bash_profile. I’ll show you what mine looks like in a second.

First, if you’re unsure, you should see what key exchange algorithms the devices you’re trying to connect to support. You can do this by typing the following.

ssh -p22 -G user@<IP_Address>

It will display a bunch of output, but what you’ll want to look for is the line beginning with kexalgorithms.

So in order to let OpenSSH 7 use the legacy algorithm for this connection, you can use the following line. Note that the + in front of the algorithm name appends it to the default list for this connection rather than replacing the defaults.

ssh -p22 -o KexAlgorithms=+diffie-hellman-group1-sha1 user@ipaddress

Since I refuse to type all of this every time I want to connect to a device, I will edit my .bash_profile.

alias wrncore='ssh -p22 -o KexAlgorithms=+diffie-hellman-group1-sha1 aburns@'

Once I save that and restart Terminal, I can connect to the switch with no issues by simply typing wrncore.
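An alternative to the alias, as an added example that is not from the original post or Kevin’s article: a small shell script that reads the server’s offer out of the “Unable to negotiate” error, compares it with the client’s own kexalgorithms list, and writes a Host stanza for ~/.ssh/config that enables the legacy key exchange for that one host only, so every other connection keeps the OpenSSH 7 defaults. It also shows the intended use of ssh -G, which prints the client’s effective configuration for a host (after Host matching) without connecting. The host alias wrncore, the address 192.0.2.10, the user aburns and the sample client list are assumed values.

```shell
#!/bin/sh
# Added example, not from the original post. Instead of a shell alias, scope
# the legacy key exchange to one host in ~/.ssh/config, and check the result
# with `ssh -G`, which prints the client's effective configuration for a host
# (after Host matching) without connecting. Host alias "wrncore", address
# 192.0.2.10 and user "aburns" are assumed values.

# Pull the server's offer out of the OpenSSH "Unable to negotiate" error line.
# Prints a comma-separated list; prints nothing if the line does not match.
offered_kex() {
    printf '%s\n' "$1" | sed -n 's/.*Their offer: *//p'
}

# $1 = client kex list (the "kexalgorithms" line of `ssh -G`), $2 = server offer.
# Prints, one per line, the offered algorithms the client does not enable.
missing_kex() {
    client=",$1,"
    printf '%s\n' "$2" | tr ',' '\n' | while IFS= read -r alg; do
        case "$client" in
            *",$alg,"*) ;;              # already in the client's list
            *) printf '%s\n' "$alg" ;;
        esac
    done
}

# Emit a Host stanza. "KexAlgorithms +alg" appends the legacy algorithm to the
# defaults for this host only; every other host keeps the OpenSSH 7 defaults.
kex_stanza() {
    printf 'Host %s\n  HostName %s\n  User %s\n  Port 22\n  KexAlgorithms +%s\n' \
        "$1" "$2" "$3" "$4"
}

# Show what the client will actually propose to host $2 under config file $1.
client_kex() {
    ssh -G -F "$1" "$2" | awk '$1 == "kexalgorithms" { print $2 }'
}

# Constructed sample input: the error from the post plus a typical OpenSSH 7
# client list, which lacks diffie-hellman-group1-sha1.
ERR='Unable to negotiate with 192.0.2.10 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1'
CLIENT_KEX='curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1'

main() {
    for alg in $(missing_kex "$CLIENT_KEX" "$(offered_kex "$ERR")"); do
        kex_stanza wrncore 192.0.2.10 aburns "$alg"   # append to ~/.ssh/config
    done
}
main
```

After appending the stanza, `client_kex ~/.ssh/config wrncore` should list diffie-hellman-group1-sha1 at the end of the client’s proposal, while `client_kex ~/.ssh/config otherhost` still shows only the defaults.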
