macOS – SSH Error ‘No Matching Exchange Method Found’

KB ID 0001245 

Problem

I thought my RoyalTSX had broken today; I upgraded it a couple of weeks ago, and I upgraded to macOS Catalina 10.15 the other day. After this, all my SSH sessions refused to connect with this error:

Unable to negotiate with x.x.x.x port 22: no matching key exchange found. Their offer diffie-hellman-group1-sha1

Note: You may also see the following error;

No Matching Cipher found

Unable to negotiate with x.x.x.x port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

Solution

This is not Apple’s fault, it’s OpenSSH version 7: SHA1 is weak, so support for it has been removed from the default set. Which is fine, but all my clients’ Cisco firewalls/routers/switches are probably still using RSA/SHA1. So until they’re all updated I’m going to need to re-enable SHA1.

Open a terminal window and execute the following;

sudo nano /etc/ssh/ssh_config
ENTER YOUR PASSWORD

Locate the line ‘#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160’ and remove the hash/pound sign from the beginning.

Locate the line ‘#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc’ and remove the hash/pound sign from the beginning.

Then paste the following on the end;

HostkeyAlgorithms ssh-dss,ssh-rsa

KexAlgorithms +diffie-hellman-group1-sha1

There’s no reason to reboot; it should work straight away.
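The fix above re-enables the legacy key exchange for every connection by editing /etc/ssh/ssh_config. As an added example (not from the original post), the Python below turns the ‘Unable to negotiate’ errors shown above into a per-host ~/.ssh/config stanza instead, using the ‘+’ prefix so the legacy algorithm is appended to the default offer and only for that device; the sample error lines and the 192.0.2.10 address are constructed.

```python
import re
from collections import defaultdict

# Negotiation stage named in the OpenSSH error -> ssh_config keyword that widens the offer.
STAGE_KEYWORD = {"key exchange": "KexAlgorithms", "cipher": "Ciphers",
                 "MAC": "MACs", "host key type": "HostKeyAlgorithms"}

# Accepts the canonical "key exchange method found. Their offer: x" and the article's shorter form.
ERROR_RE = re.compile(
    r"Unable to negotiate with (?P<host>\S+) port (?P<port>\d+): "
    r"no matching (?P<stage>key exchange|cipher|MAC|host key type)(?: method)? found\. "
    r"Their offer:? ?(?P<offer>[\w@.,+-]+)")

# Never choose these while the device offers anything else.
WEAK_MARKERS = ("3des", "arcfour", "md5", "ripemd")

# Constructed sample input; 192.0.2.10 is a documentation address, not a real device.
SAMPLE_ERRORS = [
    "Unable to negotiate with 192.0.2.10 port 22: no matching key exchange method found. "
    "Their offer: diffie-hellman-group1-sha1",
    "Unable to negotiate with 192.0.2.10 port 22: no matching cipher found. "
    "Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc",
]

def parse_error(line):
    """Return (host, port, ssh_config keyword, offered algorithms), or None."""
    m = ERROR_RE.search(line)
    if not m:
        return None
    offer = [a for a in m.group("offer").split(",") if a]
    return m.group("host"), int(m.group("port")), STAGE_KEYWORD[m.group("stage")], offer

def pick_least_bad(offer):
    """First offered algorithm not flagged weak; otherwise the device's first choice."""
    acceptable = [a for a in offer if not any(w in a.lower() for w in WEAK_MARKERS)]
    return acceptable[0] if acceptable else offer[0]

def build_host_blocks(lines):
    """One Host stanza per device; '+' appends the legacy algorithm to the default offer."""
    per_host = defaultdict(dict)
    for line in lines:
        parsed = parse_error(line)
        if parsed:
            host, _port, keyword, offer = parsed
            per_host[host][keyword] = pick_least_bad(offer)
    out = []
    for host, opts in per_host.items():
        out.append(f"Host {host}")
        out.extend(f"    {keyword} +{alg}" for keyword, alg in sorted(opts.items()))
    return "\n".join(out)
```

Call build_host_blocks(SAMPLE_ERRORS) and paste the returned stanza into ~/.ssh/config; the global /etc/ssh/ssh_config can then stay untouched.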

Related Articles, References, Credits, or External Links

NA

Author: PeteLong

74 Comments

  1. I tried your workaround, but it only gives me a different error. Is it possible that something more needs to be changed? Thanks

    • Fixed the issue immediately. Thanks

    • 2018 and this advice is still good. Fixed my problem too. Thanks!

    • Nice, it works and solves the issues…

      thanks,

  2. Thanks a lot for this. Helped me straight away!!!

    • No Probs – Glad to help 🙂 P

  3. Still perfect.
    Thanks For all.

  4. Thanks for this. Works just as described!

  5. It didn’t like me allowing that line. It kept throwing up a new error, though to be fair, my line was longer and looked different.

    However, putting the pound sign back and just adding that bit to the bottom worked straight away.

    Thanks for the help.

  6. Using all 3 changes will invalidate all host keys in ‘known_hosts’.
    Only the last line was actually needed for me: KexAlgorithms diffie-hellman-group1-sha1

    With the caveat that this will force all ssh negotiations down to this less secure protocol.

    A better option is to leave /etc/ssh/ssh_config alone altogether, and create ~/.ssh/config in your home dir (alongside the known_hosts file).
    In ~/.ssh/config create an entry as follows for the equipment that uses this key exchange. Use as identification the name or IP you actually use on your command line (i.e. use ‘192.168.0.1’ or ‘firewall’ if you use ‘ssh 192.168.0.1’ or ‘ssh firewall’).

    #force key exchange:
    host 192.168.0.1 firewall.local firewall
    KexAlgorithms diffie-hellman-group1-sha1

    • This is great. I updated my Mac to 10.13.6 on 12/26/2018 and both my SSH and Sublime Text SFTP stopped working. (But my Cyberduck SFTP and Microsoft Remote Desktop continued to work.)

      Using the steps in the initial post didn’t work for me. It resulted in an alert that I would be open to a “Man in the Middle” attack and it didn’t allow me to continue.

      However, this comment helped me fix this issue. Now my SSH and Sublime Text SFTP work by creating a ~/.ssh/config file in my local user folder and adding the lines at the end of the file. (Note: 999.999.9.9 is the IP address of the remote server you want to log into.)

      # force key exchange:
      host 999.999.9.9 firewall.local firewall
      KexAlgorithms diffie-hellman-group1-sha1

  7. Thanks a lot, this worked a treat for me. : )

  8. Thanks a lot. It worked for me.

  9. Fabulous. Best Cisco resource on the Internet.

  10. Worked PERFECTLY!!!! Thank you.

  11. Thanks for the pointers. I only needed the last line in order to SSH onto my legacy Cisco switches. Also, it’s more secure to use a “+” which appends SHA1 to the usable set of algorithms, rather than using SHA1 as the default algorithm.

    KexAlgorithms +diffie-hellman-group1-sha1

    • Hi, great response! I’ve updated the article accordingly. ThanQ

      P

  12. Fantastic! Helped when I needed it!

  13. It only happens if the Cisco device is using IOS version 12 or older. Version 15 works fine. If you have a Smartnet contract with Cisco, just upgrade to the recommended software. Instead of messing around with the ssh file, I just ssh to a Unix server and then ssh to the Cisco device.

    • That’s fine, but what about Cisco ASA? The problem is inherently a client one; some people don’t have modern code on their devices.

      Pete

  14. We’re going to secure ourselves right out of being able to work!

    Thanks for this – you were the first result when I Googled the problem!

  15. Thanks a lot! It works for me.

    • Just adding the KexAlgorithms +diffie-hellman-group1-sha1 line to the end of my ssh_config file worked on Mac OSX 10.12.5 (16F73)

      Thanks !

      Dan

  16. Hi,

    I had to do this to make it work:

    Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
    MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
    KexAlgorithms +diffie-hellman-group1-sha1
    HostkeyAlgorithms ssh-dss,ssh-rsa

  17. Thanks so much… this works PERFECTLY.

  18. Big ups to my dawg. This worked like a charm. And I’m computer illiterate.

    • No worries – Glad to help!

      Pete

  19. Just upgraded to High Sierra and started getting this when connecting to an ASA. Thanks for the workaround!

  20. This worked perfectly. Have you had any issues getting USB-C port support for a serial connection? Unable to get my MacBook Pro running Sierra to support a Belkin USB to serial cable for connecting my Cisco console cable. I tried adding drivers and using suggestions on the web. None work. Love your input. Maybe you can do a post on it. – thanks Isha

    • I’ve not, I’ve got a standard USB converter (bought cheap off eBay) and I’ve never had any problems?

      P

  21. So ran into this again after upgrading to High Sierra 10.13.2…

    This time I had to add to /etc/ssh/ssh_config

    Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
    KexAlgorithms diffie-hellman-group1-sha1

    • Hi

      I work with 10.3.3 and had problems accessing Cisco equipment in the network. With these two lines it works. Thank you very much everyone for the contribution.

  22. Thanks, fixed the issue!

  23. Was pulling my hair out with this at work. Issue compounded by everything being Dockerized with very minimal Linux installations. This was the missing piece of the puzzle. Thank you so much for documenting this and putting it out there!

  24. Worked like a charm.

    Thanks a lot!

  25. That worked great for my Adtran AOS equipment!

    I was getting an error Bad SSH2 Mac spec ‘hmac-md5,hmac-sha1,hmac-ripemd160’, so I removed hmac-ripemd160, which fixed the issue.

    sudo nano ~/.ssh/config

    #force key exchange:
    host 192.168.1.54
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
    MACs hmac-md5,hmac-sha1,umac-64@openssh.com
    KexAlgorithms +diffie-hellman-group1-sha1
    HostkeyAlgorithms ssh-dss,ssh-rsa

  26. I am now getting an error “port 22: Invalid key length”

    • Check what you are connecting ‘to’ does not have a short key length on the certificate, either 1024 or 768 is too short.

  27. Got it to work on 10.13.6 by only using these two lines:
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
    HostkeyAlgorithms ssh-dss,ssh-rsa

    Having all four lines resulted in a “connection closed by host” error (too many ciphers offered).
    thanks!

  28. Thanks, you are a life saver!!

  29. On MacBook Pro 2018.

    Tried the solution, but making the changes in /etc/ssh/ssh_config affects other existing known_hosts.

    Specifying an accepted additional key exchange method in ~/.ssh/config for the target seems the better way.

    Host ASAv
    Hostname myASAv.my.com
    User admin
    KexAlgorithms +diffie-hellman-group1-sha1
    IdentityFile ~/.ssh/asav-private-key

    Then you can ssh
    ssh ASAv

    • Hi, if you have one or two ASAs to connect to, that’s fine; I’ve got literally hundreds of the things, across multiple clients 🙂

      Pete

  30. Thank You my friend.

    It’s working perfectly.

    Thanks a lot.

  31. how do you use the shortcut keys at the bottom… I tried using ^6 + enter and does not work…

    • CTRL+{The letter indicated}

      P

  32. 2019 Still works, fixed my issues.

  33. Sep 2019, and the solution works!

  34. Just took the leap to Mojave and SSH was broken. Now it is fixed. Way to go!!

  35. On Mojave and still works. Thanks!!

  36. That fixed it for me! Thanks!

