• Register
0 votes

Problem :

I am trying to ssh to the server but that is asking for the diffie-hellman-group1-sha1 key exchange method as below:

Unable to negotiate with port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1


How can I enable the diffie-hellman-group1-sha1 key exchange method on the Debian 8.0?

6 5 3
7,540 points

Please log in or register to answer this question.

2 Answers

0 votes

Solution :

The OpenSSH website has the page dedicated to the legacy issues such as the above one. It suggests the below approach, on ta client:

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1

Or more permanently you can add


KexAlgorithms +diffie-hellman-group1-sha1


to the ~/.ssh/config.

This will help you in enabling your old algorithms on a client, by allowing it to simply connect to a server.


 My problem was similar to your problem I had many (legacy) clients connecting to the recently upgraded server (i.e. ubuntu 14 -> ubuntu 16).

My change from openssh6 -> openssh7 completely disabled by default a diffie-hellman-group1-sha1 key exchange method.

After doing lot of research I came up with my changes which I needed to do to a /etc/ssh/sshd_config file as below :

​#Legacy changes

KexAlgorithms +diffie-hellman-group1-sha1

Ciphers +aes128-cbc

And the more wide legacy set of changes as below:

​#Legacy changes
KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
Ciphers 3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr



It resolved my issue.

9 7 4
38,600 points
0 votes


In this instance, the client and server were unable to agree on the key exchange algorithm. The server offered just a single way diffie-hellman-group1-sha1. OpenSSH supports this system, however does not enable it by default cause is weak and within theoretical range of the nominal Logjam attack.

The best solution for these failures is to upgrade the software at the other end. OpenSSH just disables algorithms that we actively recommend against using cause they are known to be weak. In some instances, this may not be instantly possible so you may require to temporarily re-enable the weak algorithms to keep access.

For the instance of the above error message, OpenSSH can be configured to enable the diffie-hellman-group1-sha1 key exchange algorithm (or any other that is disabled by default) employing the KexAlgorithms option - else on the command-line:

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 user@legacyhost

or in the ~/.ssh/config file:

Host somehost.example.org
	KexAlgorithms +diffie-hellman-group1-sha1

The '+' before the list notify ssh to connect the algorithm to the client's default set rather than replacing the default. By connecting, you will automatically upgrade to the best supported algorithm at the time the server starts supporting it.

Other instance, this time where the client and server fail to agree on a public key algorithm for host authentication:

Unable to negotiate with legacyhost: no matching host key type found. Their offer: ssh-dss

OpenSSH 7.0 and greater likewise disable the ssh-dss (DSA) public key algorithm. It dizzy weak and we recommend against its use. It can be re-enabled employing the HostKeyAlgorithms configuration option:

ssh -oHostKeyAlgorithms=+ssh-dss user@legacyhost

or in the ~/.ssh/config file:

Host somehost.example.org
	HostKeyAlgorithms +ssh-dss

Relying on the server configuration, it's possible for other link parameters to fail to deal. You may found the Ciphers and/or MACs configuration options necessary for enabling these. It's also practical to query which algorithms ssh supports:

ssh -Q cipher       # List supported ciphers
ssh -Q mac          # List supported MACs
ssh -Q key          # List supported public key types
ssh -Q kex          # List supported key exchange algorithms

Ultimately, it's also practical to query the configuration that ssh is rally employing when trying to connect to a specific host, by employing the -G option:

ssh -G user@somehost.example.com

which will list all the configuration options, along the chosen values for the CiphersMACsHostKeyAlgorithms and KexAlgorithms parameters.

The OpenSSH website has a page devoted to succession issues such as this one. It indicates the following approach, on the client:

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1

or Major permanently, including

    KexAlgorithms +diffie-hellman-group1-sha1

to ~/.ssh/config.

This will enable the used algorithms on the client, approving it to link to the server.

10 6 4
31,120 points

Related questions

0 votes
1 answer 10 views
Problem: is there any experet who could help me ? No matching key exchange method found. their offer: diffie-hellman-group1-sha1.
asked Mar 6 Wafa Abu Yousef 6.1k points
1 vote
1 answer 1 view
1 view
Problem : This is the first time I've tried to push to heroku. ssh -vvv *Emails are not allowed*Return : OpenSSH_5.6p1, OpenSSL 0.9.8r 8 Feb 2011 debug1: Reading configuration data /etc/ssh_config debug1: Applying options for * debug2: ssh_connect: needpriv ... file ~/.ssh/id_dsa type -1 debug1: identity file ~/.ssh/id_dsa-cert type -1 ssh_exchange_identification: read: Connection reset by peer
asked 6 days ago Shovo210 13.3k points
0 votes
1 answer 21 views
Problem: could not open a connection to your authentication agent.
asked Feb 24 Dan phillip 4.7k points
0 votes
1 answer 4 views
Problem: While I'm trying to visit a specific website I'm getting ERR_INVALID_ARGUMENT error. Here is the problem: "Server has a weak ephemeral Diffie-Hellman public key".
asked Mar 15 ummesalma 24.5k points
0 votes
1 answer 65 views
Problem : I guess Chrome have released an update over the past week. And this update has caused at least 100 of our internal applications to throw the exception shown below. The solutions I have found over the Internet, talk about updating the ... there anyone who is aware of a similar fix in Chrome? Error Server has a weak ephemeral Diffie-Hellman public key ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY
asked Nov 25, 2019 alecxe 7.5k points
0 votes
1 answer 1 view
1 view
Problem: Please solve it … Because I am unable to find out the solution... what hex code is associated with a linux swap type partition
asked Apr 3 Ifra 24.4k points
0 votes
1 answer 4 views
Problem: On Debian, when the machine is booted, it shows an error: [Firmware Bug]: TSC_DEADLINE disabled due to Errata; please update microcode to version: 0xb2 (or later)
asked Mar 17 ummesalma 24.5k points
0 votes
1 answer 659 views
Problem : I am facing a strange MySQL error may be it is related to the database's read-only flag. The Web application that is using the MySQL is running on Debian 7.9. It was running well but suddenly started attempting to access the application powered website ... - SQLSTATE[HY000]: General error: 1290 The MySQL server is running with the --read-only option so it cannot execute this statement
asked Nov 20, 2019 peterlaw 6.9k points
0 votes
1 answer 2 views
Problem: Can anyone suggest a solution,"What does an ssh key look like?"
asked 5 days ago sumaiya simi 9.9k points
0 votes
1 answer 3 views
Problem: Can somebody help me to fix the statement>enter your password for the ssh key id_rsa?
asked 6 days ago ashik 11.2k points