Windows SSH ‘No Matching Key’

No Matching Key KB ID 0001900

Problem : No Matching Key

Typically I see this problem on my mac or within various Linux distributions. I’ve covered extensively how to fix this on a mac in the following article.

macOS – SSH Error ‘No Matching Exchange Method Found’

So when I saw the same question asked for a Windows client, I went and looked, and found some patchy information, so I thought I’d work it out and post it here for you. Essentially you will see an error when attempting to SSH to a device something like one of the following.

Unable to negotiate with {IP-Or-Hostname} port 22 : no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

Unable to negotiate with {IP-Or-Hostname} port 22 : no matching host key type found. Their offer: ssh-rsa

Solution : No Matching Key

With Windows the fix is similar: less secure algorithms and ciphers have been deprecated by Windows, and to re-enable them* you need to edit your ssh_config file. This file lives in a folder called ssh, which is in a hidden folder on the root of your C: drive called ProgramData. On most Windows machines this file won't exist, but check first to make sure (particularly if you're on a server that may be running SSH services).

*Note: They are deprecated for a reason; this weakens your machine's security. The following procedure will GLOBALLY allow these deprecated ciphers for all SSH sessions. If you want to operate a little more securely, go to the Individual Host SSH Settings section.

Showing Hidden Files and Folders : No Matching Key

Assuming, like me, you don't already have an ssh_config file, you need to create one and add the connection algorithms required. Open an administrative command window (if you don't do this you will get access denied errors going forward!), then execute the following commands.

[box]

copy nul > C:\ProgramData\ssh\ssh_config

notepad C:\ProgramData\ssh\ssh_config

[/box]

Note: If after you execute the first command you get "copy : Cannot find path 'C:\Windows\system32\nul' because it does not exist." don't worry, it will still create the file (this happens when you run the command in PowerShell, where copy is an alias for Copy-Item; the > redirection still creates the file).

A Notepad window will open; remove any text within it and paste in the following.

[box]

MACs hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96,hmac-sha2-256,hmac-sha2-512
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
PubkeyAcceptedAlgorithms +ssh-rsa
HostKeyAlgorithms +ssh-rsa

[/box]

Save the Notepad file, then retry your ssh command. This time it should succeed, or if it errors it will tell you which MAC, KexAlgorithms, or key algorithm it's missing, which you can then paste into the ssh_config file.

Individual Host SSH Settings

It's considered better practice to have a config for each target you will SSH to. For me that's impractical because I have hundreds of clients and thousands of switches, routers and firewalls (but you could add them as you go, I suppose). For this procedure you create a config file in your user profile, and in that config file you put the requirements in on a host-by-host basis.

Firstly, create the config file: open an administrative PowerShell window and execute the following command.

[box]

New-Item -Path $HOME\.ssh\config -ItemType File

[/box]

Then, to edit the config file:

[box]

C:\WINDOWS\System32\notepad.exe $HOME\.ssh\config

[/box]

A Notepad window will open with the blank config file; here's an example of a config for two devices (my test Cisco ASA, and my test core switch).

Example.

[box]

# Config for my test firewall
Host cisco-asa
  HostName 192.168.254.254
  User petelong
  Port 22
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null
  KexAlgorithms diffie-hellman-group1-sha1
  HostKeyAlgorithms +ssh-rsa

[/box]

Now simply issue an ssh cisco-asa command.
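As an added example (my own Python, not part of the original article), the helper below turns the "Unable to negotiate ... Their offer:" text from the error messages above into a per-host block for $HOME\.ssh\config that enables only what that one device offered, and appends it without duplicating an alias. The alias, username and 192.168.254.254 address reuse the article's ASA example, the error lines are constructed in the form shown earlier, and the Ciphers/MACs mappings assume OpenSSH's same message shape for those two errors.

```python
import re
from pathlib import Path

# OpenSSH "no matching ... found" phrase -> client directive that enables the offer.
_DIRECTIVE = {"key exchange method": "KexAlgorithms", "host key type": "HostKeyAlgorithms",
              "cipher": "Ciphers", "MAC": "MACs"}

_ERROR_RE = re.compile(
    r"Unable to negotiate with (?P<host>\S+) port (?P<port>\d+)\s*: "
    r"no matching (?P<kind>key exchange method|host key type|cipher|MAC) found\. "
    r"Their offer: (?P<offer>[\w@.,+-]+)")

# Constructed sample errors in the form shown earlier in the article.
SAMPLE_ERRORS = [
    "Unable to negotiate with 192.168.254.254 port 22 : no matching key exchange method found."
    " Their offer: diffie-hellman-group1-sha1",
    "Unable to negotiate with 192.168.254.254 port 22 : no matching host key type found."
    " Their offer: ssh-rsa",
]

def parse_negotiation_error(text):
    """Return (host, port, directive, [offered algorithms]), or None if not such an error."""
    m = _ERROR_RE.search(text)
    if not m:
        return None
    return (m.group("host"), int(m.group("port")),
            _DIRECTIVE[m.group("kind")], m.group("offer").split(","))

def host_stanza(alias, errors, user=None):
    """Host block enabling only what this device offered; '+' appends to the client defaults."""
    parsed = [p for p in (parse_negotiation_error(e) for e in errors) if p]
    if not parsed:
        raise ValueError("no 'Unable to negotiate' message recognised")
    lines = [f"Host {alias}", f"    HostName {parsed[0][0]}", f"    Port {parsed[0][1]}"]
    if user:
        lines.append(f"    User {user}")
    for _, _, directive, offer in parsed:
        lines.append(f"    {directive} +{','.join(offer)}")
    return "\n".join(lines) + "\n"

def append_stanza(config_path, stanza):
    """Append the stanza to the user's config file, refusing to duplicate an existing alias."""
    path = Path(config_path)
    existing = path.read_text() if path.exists() else ""
    if re.search(rf"^{re.escape(stanza.splitlines()[0])}\s*$", existing, re.M):
        return False
    path.parent.mkdir(parents=True, exist_ok=True)
    with path.open("a") as f:
        f.write(("\n" if existing and not existing.endswith("\n") else "") + stanza)
    return True
```

Because each directive is written with a "+" prefix, the client's default (stronger) lists stay in place and the weak algorithm is only added for the named Host, unlike the global ssh_config lines earlier, which replace the list outright.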


Related Articles, References, Credits, or External Links

SSH: Host Identification Has Changed