This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
dandras
Explorer
‎2020-12-10 09:54 AM

ssh: no kex alg

I'm not able to ssh into my firewall from any modern openssl client.  

 

justin@netconf:~/checkpoint-backups$ ssh fwadmin@fw
Unable to negotiate with 10.100.253.192 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1

 

I've tried to manually add the kex strings to sshd_config but it says bad configuration when I try to restart sshd.

 

Starting sshd: /etc/ssh/sshd_config: line 12: Bad configuration option: KexAlgorithms
/etc/ssh/sshd_config: terminating, 1 bad configuration options

 


The host i'm sshing from supports the DH sha1 ciphers.

 

justin@netconf:~/checkpoint-backups$ ssh -V
OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f 31 Mar 2020

justin@netconf:~/checkpoint-backups$ ssh -Q kex
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
curve25519-sha256@libssh.org
sntrup4591761x25519-sha512@tinyssh.org

 


kex string

 

KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521

 

 

 

 

0 Kudos
2 Replies
PhoneBoy
Admin
Admin
‎2020-12-11 06:51 PM

Note that versions prior to R80.40 use a fairly old version of OpenSSH that may not support the ciphers you attempted to configure.
You will need to either upgrade to R80.40+ which uses a newer OpenSSH with support for additional ciphers or configure your client to use a supported cipher.

0 Kudos
Ryan_Puckett
Employee
Employee
‎2021-06-08 09:13 PM

I've been running into this more and more, including older routers and switches. Another option, instead of modifying the sshd_config, is to use user specific configurations:

/home/user/.ssh/config

Host gw01
   HostName 192.168.1.1
   User admin
   KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events