Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
dandras
Explorer

ssh: no kex alg

I'm not able to ssh into my firewall from any modern openssl client.  

 

justin@netconf:~/checkpoint-backups$ ssh fwadmin@fw
Unable to negotiate with 10.100.253.192 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1

 

I've tried to manually add the kex strings to sshd_config but it says bad configuration when I try to restart sshd.

 

Starting sshd: /etc/ssh/sshd_config: line 12: Bad configuration option: KexAlgorithms
/etc/ssh/sshd_config: terminating, 1 bad configuration options

 


The host i'm sshing from supports the DH sha1 ciphers.

 

justin@netconf:~/checkpoint-backups$ ssh -V
OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f 31 Mar 2020

justin@netconf:~/checkpoint-backups$ ssh -Q kex
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
curve25519-sha256@libssh.org
sntrup4591761x25519-sha512@tinyssh.org

 


kex string

 

KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521

 

 

 

 

0 Kudos
2 Replies
PhoneBoy
Admin
Admin

Note that versions prior to R80.40 use a fairly old version of OpenSSH that may not support the ciphers you attempted to configure.
You will need to either upgrade to R80.40+ which uses a newer OpenSSH with support for additional ciphers or configure your client to use a supported cipher.

0 Kudos
Ryan_Puckett
Employee
Employee

I've been running into this more and more, including older routers and switches. Another option, instead of modifying the sshd_config, is to use user specific configurations:

/home/user/.ssh/config

Host gw01
   HostName 192.168.1.1
   User admin
   KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events