The way to pull the problem apart was to test just the service that PuTTY was using (in this case ssh on port 22) and work out why ssh was failing only to this server, and only for me, when it worked for everyone else.
Unable to negotiate with x.x.x.x port 22: no matching key exchange found. Their offer diffie-hellman-group1-sha1

Note: You may also see the following error:

Unable to negotiate with x.x.x.x port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

Solution

This is not Apple’s fault, it’s OpenSSH version 7. SHA1 is weak, so support for it has been removed.
Which is fine, but all my clients’ Cisco Firewalls/Routers/Switches are probably all using RSA/SHA1. So until they’re all updated I’m going to need to re-enable SHA1. Open a terminal window and execute the following.

    sudo nano /etc/ssh/ssh_config

Enter your password. Locate the line ‘# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160’ and remove the hash/pound sign from the beginning.
Locate the line ‘# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc’ and remove the hash/pound sign from the beginning. Then paste the following on the end:

    HostkeyAlgorithms ssh-dss,ssh-rsa
    KexAlgorithms +diffie-hellman-group1-sha1

There’s no reason to reboot, it should work straight away.

Using all 3 changes will invalidate all host-keys in ‘known_hosts’. Only the last line was actually needed for me:

    KexAlgorithms diffie-hellman-group1-sha1

With the caveat that this will force all ssh negotiations down to this less secure protocol.
A better option is to leave /etc/ssh/ssh_config alone altogether, and create ~/.ssh/config in your home-dir (alongside the known_hosts file). In ~/.ssh/config create an entry as follows for the equipment that uses this key-exchange. Use as identification the name or IP you actually use on your command line (use ‘192.168.0.1’ or ‘firewall’ if you use ‘ssh 192.168.0.1’ or ‘ssh firewall’).

    #force key exchange:
    host 192.168.0.1 firewall.local firewall
        KexAlgorithms diffie-hellman-group1-sha1
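The difference between the system-wide edit and the per-host entry can be checked mechanically. The following is an added example, not code from the original post or its comment: a shell function (audit_ssh_config is a hypothetical name) that reads an OpenSSH client config and reports each legacy algorithm it enables as GLOBAL (applies to every host) or SCOPED (inside a named Host block). The legacy list and the sample config are assumptions constructed from the algorithms named on this page.

```shell
#!/bin/sh
# audit_ssh_config (hypothetical helper, not an OpenSSH tool): list legacy
# algorithms a client config enables and whether each applies to every host.
audit_ssh_config() {
    awk '
    BEGIN { scope = "GLOBAL" }          # lines before any Host block apply to all hosts
    /^[ \t]*#/ { next }                 # skip comments
    /^[ \t]*$/ { next }                 # skip blank lines
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        gsub(/=/, " ", line)            # ssh_config also accepts Keyword=value
        n = split(line, f, /[ \t]+/)
        key = tolower(f[1])             # keywords are case-insensitive
        if (key == "host") {
            scope = "SCOPED"
            for (j = 2; j <= n; j++) if (f[j] == "*") scope = "GLOBAL"
            next
        }
        if (key == "match") { scope = "SCOPED"; next }   # simplification: Match is treated as scoped
        if (key !~ /^(kexalgorithms|ciphers|macs|hostkeyalgorithms)$/) next
        list = f[2]
        if (list ~ /^-/) next           # a leading "-" removes algorithms, nothing is enabled
        sub(/^[+^]/, "", list)          # "+" appends to the defaults, "^" prepends
        m = split(list, alg, ",")
        for (i = 1; i <= m; i++) {
            a = alg[i]
            # Legacy list is an assumption drawn from the algorithms named on this page
            if (a == "diffie-hellman-group1-sha1" || a == "ssh-dss" || a == "hmac-md5" || a ~ /-cbc$/)
                print scope, key, a
        }
    }' "$1"
}

# Constructed sample: one global downgrade and one host-scoped exception
sample=$(mktemp)
cat > "$sample" <<'EOF'
KexAlgorithms +diffie-hellman-group1-sha1
Host 192.168.0.1 firewall.local firewall
    KexAlgorithms diffie-hellman-group1-sha1
EOF
audit_ssh_config "$sample"
rm -f "$sample"
```

Run it against both /etc/ssh/ssh_config and ~/.ssh/config; any GLOBAL line means the weaker algorithm is on offer to every server the client connects to, not just the legacy equipment.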