SSH – New clients, legacy hosts

Do you use SSH in your daily activities? Are you using an SSH client that updates automatically? You might find your new client unable to connect to an older host that uses legacy key exchange methods or host key types. This will often show up with errors like these:

Unable to negotiate with WW.XX.YY.ZZ port 22: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1

Unable to negotiate with WW.XX.YY.ZZ port 22: no matching host key type found. Their offer: ssh-rsa

What is happening?

The SSH server in this case is using a key exchange method and host key type that the SSH client no longer supports. This may be due to insecurities (client-side preference) given what the server supports. OS vendors and software developers might be keeping us safe by disabling certain key exchange algorithms or host key algorithms, and others. When our SSH client is updated, it is common to see insecure or legacy functions get disabled by default.

How to fix it?

The best solution is to update the host system if you have control of it. It could be that the host’s sshd_config needs to be updated. Some implementations have configuration commands that modify the SSH server settings. A recent Cisco device previously showed:

FIREWALL# sh run ssh
ssh key-exchange group dh-group14-sha1

Which was updated to the best supported key exchange algorithm:

FIREWALL(config)# ssh key-exchange group dh-group14-sha256

What if we have no control over the ssh server?

In this case, a workaround might be the best fit until you can address the server. You can modify your local SSH client, albeit keep track of your change so you can undo it, so that you don’t leave yourself vulnerable.

Assuming you are on a Mac or Linux based system, modify your ssh_config, typically in /etc/ssh/.

Depending on your error you may need to add KexAlgorithms, HostKeyAlgorithms, or some other keyword. For a full list, take a look at the ssh_config man page. (man ssh_config)

Edit your ssh_config file, likely vi /etc/ssh/ssh_config

For the above example, at the bottom of ssh_config you would add:

KexAlgorithms +diffie-hellman-group14-sha1

HostKeyAlgorithms +ssh-rsa

The + character tells the SSH client to append to the default set. Write your config and try connecting again! Just make sure to clean up that config when finished.