Have you ever tried to SSH into a server and received the following error?
no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
Well, that’s probably because you are using a bit of kit with legacy software or firmware.
Then, when you try to SSH again and add diffie-hellman-group1-sha1, you get the following back:
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 [email protected]
Unable to negotiate with 192.168.2.1 port 22: no matching host key type found. Their offer: ssh-rsa
No worries, we can fix that:
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-rsa [email protected]
But we could go even wilder:
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-dss,ssh-rsa [email protected]
I’ve not read the specs but there’s obviously a range of cipher configurations you can set with:
-oKexAlgorithms
-oHostKeyAlgorithms
You can list the algorithms your SSH client supports by running:
ssh -Q cipher # ciphers you can use
ssh -Q mac # MAC types
ssh -Q key # public key types
ssh -Q kex # key exchange algorithms
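Rather than typing these options on every connection, they can live in a Host block in ~/.ssh/config so the legacy algorithms apply to that one device only. The shell function below is an added example, not part of the original post: it reads the negotiation errors shown above and prints such a block. The function name and the alias legacy-device are assumptions, and the Ciphers and MACs cases go beyond the two errors the post shows.

```shell
#!/bin/sh
# Added example, not from the original post.
# legacy_host_block ALIAS HOSTNAME  (reads ssh's error output on stdin)
# Prints an ssh_config Host block enabling only what the device offered.
legacy_host_block() {
    printf 'Host %s\n    HostName %s\n' "$1" "$2"
    # Failure lines look like:
    #   ... no matching <what> found. Their offer: <comma-separated list>
    sed -n 's/.*no matching \(.*\) found\. Their offer: \(.*\)$/\1|\2/p' |
    while IFS='|' read -r what offer; do
        case $what in
            'key exchange method') opt=KexAlgorithms ;;
            'host key type')       opt=HostKeyAlgorithms ;;
            'cipher')              opt=Ciphers ;;   # beyond the post's two cases
            'MAC')                 opt=MACs ;;
            *) continue ;;
        esac
        # "+" appends to the client's defaults instead of replacing them.
        printf '    %s +%s\n' "$opt" "$offer"
    done
}

# Constructed sample input: the two error messages quoted in the post.
SAMPLE_ERRORS='Unable to negotiate with 192.168.2.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
Unable to negotiate with 192.168.2.1 port 22: no matching host key type found. Their offer: ssh-rsa'

# "legacy-device" is a hypothetical alias; append the output to ~/.ssh/config.
printf '%s\n' "$SAMPLE_ERRORS" | legacy_host_block legacy-device 192.168.2.1
```

Once the block is in ~/.ssh/config, the alias can be used in place of the address and no extra -o flags are needed. When an offer lists several algorithms, trim the line to the strongest one that ssh -Q shows your client supports, since these algorithms are disabled by default in current OpenSSH because they are weak.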
Hopefully this helps if you are connecting to some older devices!