In this case, the client and server were unable to agree on the key exchange algorithm. The server offered only a single method,
diffie-hellman-group1-sha1. OpenSSH supports this method, but does not enable it by default because it is weak and within theoretical range of the so-called Logjam attack.
The best resolution for these failures is to upgrade the software at the other end. OpenSSH only disables algorithms that we actively recommend against using because they are known to be weak. In some cases, this might not be immediately possible, so you may need to temporarily re-enable the weak algorithms to retain access.
For the case of the above error message, OpenSSH can be configured to enable the
diffie-hellman-group1-sha1 key exchange algorithm (or any other that is disabled by default) using the
KexAlgorithms option, either on the command-line:
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 user@legacyhost
or in the
The '+' before the list instructs ssh to append the algorithm to the client's default set rather than replacing the default. By appending, you will automatically upgrade to the best supported algorithm when the server starts supporting it.
Another example, this time where the client and server fail to agree on a public key algorithm for host authentication:
Unable to negotiate with legacyhost: no matching host key type found. Their offer: ssh-dss
OpenSSH 7.0 and greater similarly disable the
ssh-dss (DSA) public key algorithm. It too is weak and we recommend against its use. It can be re-enabled using the
HostKeyAlgorithms configuration option:
ssh -oHostKeyAlgorithms=+ssh-dss user@legacyhost
or in the
Depending on the server configuration, it's possible for other connection parameters to fail to negotiate. You may find the
MACs configuration options necessary for enabling these. It's also possible to query which algorithms ssh supports:
ssh -Q cipher # List supported ciphers
ssh -Q mac # List supported MACs
ssh -Q key # List supported public key types
ssh -Q kex # List supported key exchange algorithms
Finally, it's also possible to query the configuration that ssh is actually using when attempting to connect to a specific host, by using the
ssh -G email@example.com
which will list all the configuration options, along with the chosen values for the
The OpenSSH website has a page devoted to legacy issues such as this one. It suggests the following approach, on the client:
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 22.214.171.124
or, more permanently, adding
This will enable the old algorithms on the client, allowing it to connect to the server.
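Because these overrides are meant to be temporary, it helps to check which hosts still have them in effect. The following is an added example, not from the OpenSSH page or the original post: a shell function that reads `ssh -G` output on stdin and reports any of the two weak algorithms discussed above. The function names, the weak-algorithm lists and the sample output are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: audit `ssh -G` output for the weak algorithms named on this page.
# The lists below cover only those two; extend them to match local policy.
WEAK_KEX="diffie-hellman-group1-sha1"
WEAK_HOSTKEY="ssh-dss"

# Reads `ssh -G <host>` output on stdin. Prints one "option: algorithm" line
# per weak algorithm found and returns 1 if any were found, 0 otherwise.
audit_ssh_config() {
    awk -v kex="$WEAK_KEX" -v hk="$WEAK_HOSTKEY" '
    # Compare each comma-separated entry exactly against the weak list.
    function check(opt, list, weak,    n, m, i, j, a, w) {
        n = split(list, a, ",")
        m = split(weak, w, ",")
        for (i = 1; i <= n; i++)
            for (j = 1; j <= m; j++)
                if (a[i] == w[j]) { printf "%s: %s\n", opt, a[i]; bad = 1 }
    }
    tolower($1) == "kexalgorithms"     { check("kexalgorithms", $2, kex) }
    tolower($1) == "hostkeyalgorithms" { check("hostkeyalgorithms", $2, hk) }
    END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample of `ssh -G legacyhost` output with both overrides applied.
sample_ssh_G() {
    cat <<'EOF'
hostname legacyhost
port 22
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha256,diffie-hellman-group1-sha1
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,ssh-dss
macs hmac-sha2-256,hmac-sha2-512
EOF
}

# Demo on the constructed sample; with a real host: ssh -G user@legacyhost | audit_ssh_config
sample_ssh_G | audit_ssh_config || echo "weak algorithms still enabled for legacyhost"
```

A non-zero return makes the function usable in a loop over an inventory of hosts to list those where the override can be removed once the server has been upgraded.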