macOS – SSH Error ‘No Matching Exchange Method Found’

Mac SSH Error KB ID 0001245 

Problem

Certified working all the way up to macOS Ventura version 13.6
Certified working all the way up to macOS Sonoma version 14.1

I thought my RoyalTSX had broken today, I upgraded it a couple of weeks ago, and I upgraded to macOS Catalina 10.15 the other day. After this, all my SSH sessions refused to connect with this error;

 

Unable to negotiate with x.x.x.x port 22: no matching key exchange found. Their offer diffie-hellman-group1-sha1

Note: You may also see the following error;

Unable to negotiate with x.x.x.x port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

Update: 10/04/20: With newer equipment you may see the following error;

Unable to negotiate with x.x.x.x port 22: no matching MAC found Their offer: hmac-sha2-256

Update 08/12/21: With newer Cisco equipment you may see the following error;

Unable to negotiate with x.x.x.x.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1

Mac SSH Error – Fix

WARNING: My usual fix for this is to edit the macs ssh_config file directly and allow the older (less secure) connection methods. It has been (correctly) pointed out, that this is the ‘least preferred‘ method, as it will allow these less sure methods for ALL SSH connections. The preferred fix, is to create a new file in your own home folder, with the connection settings for EACH SSH CONNECTION. However, I manage hundreds of firewalls. routers and switches so that method is a little unwieldy for me. But I will include it at the end of the article, for the more security conscious of you.

Not Apple’s fault to be fair, it’s OpenSSH version 7. SHA1 is weak, so support for it has been removed. Which is fine, but all my clients Cisco Firewalls, Routers, Switches are probably all using  RSA/SHA1. So until they re all updated I’m going to need to re-enable SHA1.

Open a terminal windows and execute the following;

[box]

sudo nano /etc/ssh/ssh_config
ENTER YOUR PASSWORD

[/box]

Locate the line ‘ #   MACs hmac-md5,hmac-sha1,hmac-sha2-256,umac-64@openssh.com,hmac-ripemd160′ and remove the Hash/Pound sight from the beginning, and add the extra hashing algorithm that I’ve shown above in red. 

Locate the line ‘ #   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc’ and remove the Hash/Pound sight from the beginning.

Then paste the following on the end;

HostkeyAlgorithms ssh-dss,ssh-rsa

KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group14-sha1

Like so;

Mac SSH Error – Quitting Nano

To quit nano, use the Ctrl-X key combination. because you are working on has been modified since the last time you saved it, you will be prompted to save the file first. Type y to save the file.

Theres no reason to reboot, it should work straight away.

But Wait – Theres More!

It’s going to happen every time you upgrade your mac, I’ve started taking a backup of the ssh_config file, then I can just restore it back again, like so;

Backup macOS SSH Settings & Ciphers

[box]

sudo cp /etc/ssh/ssh_config /etc/ssh/ssh_config.bak

[/box]

Restore macOS SSH Settings & Ciphers

[box]

sudo rm /etc/ssh/ssh_config
sudo mv /etc/ssh/ssh_config.bak /etc/ssh/ssh_config
sudo cp /etc/ssh/ssh_config /etc/ssh/ssh_config.bak

[/box]

Mac SSH Error (The More Secure & Preferred) Fix

Using this method you will create a connection (entry) for each asset you want to connect to. This will be saved in your Home directory so if multiple people use the Mac you will need to do this for each user.

Firstly create a config file in you home directory.

[box]

sudo nano ~/ssh/config

[/box]

What this does is create a blank file that you can then create an entry for each of the assets you want to connect to. Firstly specify the hostname, then the settings for that particular asset, like so:

[box]

Host YOUR-SWITCH
User YOUR-USER
port 22
KexAlgorithms +diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
Ciphers +aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
PubkeyAcceptedAlgorithms +ssh-rsa
HostkeyAlgorithms +ssh-rsa

[/box]

Note: Simply add new host entries at a new line in the SAME config file.

Related Articles, References, Credits, or External Links

NA