MAC OSX – SSH Error ‘No Matching Exchange Method Found’

KB ID 0001245 Dtd 13/10/16


I thought my RoyalTSX had broken today. I upgraded it a couple of weeks ago, and I upgraded to macOS Sierra version 10.12 the other day. After this, all my SSH sessions refused to connect with this error:

Mac OSX SSH Error no matching key exchange


Unable to negotiate with x.x.x.x port 22: no matching key exchange found. Their offer diffie-hellman-group1-sha1


This is not Apple's fault, it's OpenSSH version 7: SHA1 is weak, so support for it has been disabled by default. Which is fine, but all my clients' Cisco firewalls/routers/switches are probably still using RSA/SHA1. So until they're all updated I'm going to need to re-enable SHA1.

Open a terminal window and execute the following:

sudo nano /etc/ssh/ssh_config

Locate the line ' #   MACs hmac-md5,hmac-sha1,,hmac-ripemd160' and remove the hash/pound sign from the beginning. Then paste the following at the end of the file:

HostkeyAlgorithms ssh-dss,ssh-rsa

KexAlgorithms +diffie-hellman-group1-sha1


MacOSX Allow SHA1

There's no reason to reboot; it should work straight away.



Author: PeteLong


  1. I tried your work around, but it only gives me a different error. Is it possible that something more needs to be changed? Thanks

    • What Error did you get?


  2. Thanks a lot for this. Helped me straight away!!!

    • No Probs – Glad to help 🙂 P

  3. Still perfect.
    Thanks For all.

  4. Thanks for this. Works just as described!

    • Worked like a charm – Thanks!

  5. It didn’t like me allowing that line. It kept throwing up a new error, though to be fair, my line was longer and looked different.

    However, putting the pound sign back and just adding that bit to the bottom worked straight away.

    Thanks for the help.

  6. Using all 3 changes will invalidate all host-keys in ‘known_hosts’.
    Only the last line was actually needed for me: KexAlgorithms diffie-hellman-group1-sha1

    With the caveat that this will force all ssh negotiations down to this less secure protocol.

    A better option is to leave /etc/ssh/ssh_config alone altogether, and create ~/.ssh/config in your home-dir (alongside the known_hosts file).
    In ~/.ssh/config create an entry as follows for the equipment that uses this key-exchange. Use as identification the name or IP you actually use on your command line (i.e. use ‘’ or ‘firewall’ if you use ‘ssh’ or ‘ssh firewall’).

    #force key exchange:
    host firewall.local firewall
    KexAlgorithms diffie-hellman-group1-sha1

  7. Thanks a lot, this worked a treat for me. : )

  8. Thanks a lot. It worked for me.

  9. Thank you very much, it works.

  10. Fabulous. Best Cisco resource on the Internet.

  11. Worked PERFECTLY!!!! Thank you.

  12. Thanks for the pointers. I only needed the last line in order to SSH onto my legacy Cisco switches. Also, it’s more secure to use a “+” which appends SHA1 to the usable set of algorithms, rather than using SHA1 as the default algorithm.

    KexAlgorithms +diffie-hellman-group1-sha1

    • Hi, great response! I’ve updated the article accordingly. ThanQ


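To make the difference between the three styles discussed here concrete (the article's global line with '+', the same line without '+', and the per-host block from comment 6), here is an added Python script, not from the article or from OpenSSH, that emulates how ssh resolves KexAlgorithms for a given hostname. The default algorithm list in it is a constructed stand-in, not the real OpenSSH default.

```python
import fnmatch

# Constructed stand-in for the client's built-in KexAlgorithms default (see the
# real list with `ssh -Q kex`); on OpenSSH 7 it no longer contains group1-sha1.
DEFAULT_KEX = [
    "curve25519-sha256@libssh.org",
    "ecdh-sha2-nistp256",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group14-sha1",
]
LEGACY = "diffie-hellman-group1-sha1"


def effective_kex(config_text, hostname, defaults=DEFAULT_KEX):
    """Emulate how ssh resolves KexAlgorithms for `hostname`: the first matching
    directive wins (global lines before any Host block apply to every host),
    a leading '+' appends to the defaults, '-' removes, a bare list replaces.
    Simplified: 'Key value' syntax only, no '!' negated Host patterns, no Match."""
    active = True  # True while the current Host block (or global scope) applies
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "host":
            active = any(fnmatch.fnmatchcase(hostname, p) for p in value.split())
        elif active and key == "kexalgorithms":
            if value.startswith("+"):
                return defaults + [k for k in value[1:].split(",") if k not in defaults]
            if value.startswith("-"):
                return [k for k in defaults if k not in value[1:].split(",")]
            return value.split(",")
    return list(defaults)


# Constructed configs for the styles the page discusses.
ARTICLE_GLOBAL = "KexAlgorithms +diffie-hellman-group1-sha1\n"  # article, with '+'
GLOBAL_NO_PLUS = "KexAlgorithms diffie-hellman-group1-sha1\n"   # comment 6, without '+'
PER_HOST = "#force key exchange:\nhost firewall.local firewall\nKexAlgorithms diffie-hellman-group1-sha1\n"


def offers_legacy(config_text, hosts):
    """Map each host to whether the legacy group1-sha1 exchange would be offered."""
    return {h: LEGACY in effective_kex(config_text, h) for h in hosts}


if __name__ == "__main__":
    for name, cfg in [("article", ARTICLE_GLOBAL), ("no-plus", GLOBAL_NO_PLUS), ("per-host", PER_HOST)]:
        print(name, offers_legacy(cfg, ["firewall", "modern.example"]))
```

On a real machine, `ssh -G <host>` prints the resolved client configuration, including kexalgorithms, without connecting, so you can confirm which hosts actually get the legacy exchange.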
  13. Fantastic! Helped when I needed it!
