Discussion:
[rancid] Unable to negotiate with .... no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
S***@cpu.ca
2016-04-05 15:58:50 UTC
Hi guys,

Since today, I get this error when I try to connect to my Cisco devices using SSH:

bin/clogin IP
IP
spawn ssh -c aes256-cbc -x -l cpu_backup IP
Unable to negotiate with IP port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
Error: Couldn't login: IP

I searched on Google and I saw it was caused by the latest OpenSSH version but I can't find how to fix it.

In my .cloginrc, I set cyphertype to aes256-cbc. Should I use another cipher?

Can you help me a bit please?

Thanks!

Sébastien
Nick Hilliard
2016-04-05 16:02:05 UTC
Post by S***@cpu.ca
I searched on Google and I saw it was caused by the latest OpenSSH
version but I can't find how to fix it.
ip ssh dh min size 4096

Nick
S***@cpu.ca
2016-04-05 20:13:34 UTC
A special thank you to Eric for the fix. ;)
I confirm it works like a charm!

Thanks!

Sébastien
From: Eric Krichbaum [mailto:***@bboi.net]
Sent: 5 April 2016 15:18
To: Sebastien Boulianne <***@cpu.ca>
Subject: [rancid] Unable to negotiate with .... no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

The problem isn't the cipher as much as the key exchange. Newer OpenSSH dropped support (by default) for "insecure" key exchanges (SHA1), which are all that older IOS/etc. gear supports.

I've been updating code on boxes where possible to eliminate this issue but it's really an easy fix.

In /etc/ssh/ssh_config:

Host *
GSSAPIAuthentication yes
KexAlgorithms +diffie-hellman-group1-sha1

That will add the old kex to your ssh (outbound) and should work ok.

Eric


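The client-side workaround from Eric's forwarded message, turned into a per-host stanza as an added example (this is not code from the thread, from rancid or from OpenSSH). It parses the "Their offer:" list out of the error line, checks whether the device only speaks the 1024-bit diffie-hellman-group1-sha1 group, and writes the KexAlgorithms exception under a Host block for that one device instead of "Host *", so the weak group is never negotiated with any other server. The host alias core-sw1, the address 192.0.2.10 and the sample error line are constructed; effective_kex assumes a client with ssh -G (OpenSSH 6.8 or later).

```shell
#!/bin/sh
# Added example for the rancid thread above; not code from the thread,
# rancid or OpenSSH. Host alias, address and the sample error line are
# constructed for illustration.

# Pull the algorithm list out of an OpenSSH "no matching key exchange
# method found. Their offer: ..." line, so the exception added to
# ssh_config is exactly what the device offers and nothing more.
offered_kex() {
    printf '%s\n' "$1" | sed -n 's/.*Their offer: *//p'
}

# Return 0 when the comma-separated offer contains the 1024-bit
# diffie-hellman-group1-sha1 group that OpenSSH 7.0+ disables by default.
needs_legacy_kex() {
    case ",$1," in
        *,diffie-hellman-group1-sha1,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit an ssh_config stanza scoped to a single device. A Host block keeps
# the weak group out of every other connection, unlike the thread's
# "Host *" stanza which lowers the floor for all outbound SSH.
legacy_host_stanza() {
    name=$1; addr=$2; kex=$3
    printf 'Host %s\n    HostName %s\n    KexAlgorithms +%s\n' "$name" "$addr" "$kex"
}

# Print the KexAlgorithms the client will actually use for a host after
# the stanza is in place (ssh -G dumps the resolved client configuration).
effective_kex() {
    ssh -G "$1" | awk '$1 == "kexalgorithms" { print $2 }'
}

# Constructed sample in the same shape as the error shown in the thread.
SAMPLE_ERR='Unable to negotiate with 192.0.2.10 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1'

if kex=$(offered_kex "$SAMPLE_ERR") && needs_legacy_kex "$kex"; then
    legacy_host_stanza core-sw1 192.0.2.10 "$kex"
fi
```

Append the printed stanza to ~/.ssh/config (or /etc/ssh/ssh_config) and run effective_kex core-sw1 to confirm the exception applies to that alias only. Where the device allows it, the server-side change Nick gives (ip ssh dh min size 4096) or a code upgrade removes the need for any client-side exception; the scoped stanza is for gear that cannot be changed.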