• Register
0 votes
2k views

Problem :

I am trying to ssh to the server but that is asking for the diffie-hellman-group1-sha1 key exchange method as below:

​ssh 123.123.123.123
Unable to negotiate with 123.123.123.123 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1



​

How can I enable the diffie-hellman-group1-sha1 key exchange method on the Debian 8.0?

6 5 3
7,540 points

Please log in or register to answer this question.

2 Answers

0 votes

Solution :

The OpenSSH website has the page dedicated to the legacy issues such as the above one. It suggests the below approach, on ta client:

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 123.123.123.123

Or more permanently you can add

​Host 123.123.123.123

KexAlgorithms +diffie-hellman-group1-sha1



​

to the ~/.ssh/config.

This will help you in enabling your old algorithms on a client, by allowing it to simply connect to a server.

OR

 My problem was similar to your problem I had many (legacy) clients connecting to the recently upgraded server (i.e. ubuntu 14 -> ubuntu 16).

My change from openssh6 -> openssh7 completely disabled by default a diffie-hellman-group1-sha1 key exchange method.

After doing lot of research I came up with my changes which I needed to do to a /etc/ssh/sshd_config file as below :

​#Legacy changes

KexAlgorithms +diffie-hellman-group1-sha1

Ciphers +aes128-cbc

And the more wide legacy set of changes as below:

​#Legacy changes
KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
Ciphers 3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr

 

​

It resolved my issue.

9 7 4
38,600 points
0 votes

Solution:

In this instance, the client and server were unable to agree on the key exchange algorithm. The server offered just a single way diffie-hellman-group1-sha1. OpenSSH supports this system, however does not enable it by default cause is weak and within theoretical range of the nominal Logjam attack.

The best solution for these failures is to upgrade the software at the other end. OpenSSH just disables algorithms that we actively recommend against using cause they are known to be weak. In some instances, this may not be instantly possible so you may require to temporarily re-enable the weak algorithms to keep access.

For the instance of the above error message, OpenSSH can be configured to enable the diffie-hellman-group1-sha1 key exchange algorithm (or any other that is disabled by default) employing the KexAlgorithms option - else on the command-line:

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 user@legacyhost

or in the ~/.ssh/config file:

Host somehost.example.org
	KexAlgorithms +diffie-hellman-group1-sha1

The '+' before the list notify ssh to connect the algorithm to the client's default set rather than replacing the default. By connecting, you will automatically upgrade to the best supported algorithm at the time the server starts supporting it.

Other instance, this time where the client and server fail to agree on a public key algorithm for host authentication:

Unable to negotiate with legacyhost: no matching host key type found. Their offer: ssh-dss

OpenSSH 7.0 and greater likewise disable the ssh-dss (DSA) public key algorithm. It dizzy weak and we recommend against its use. It can be re-enabled employing the HostKeyAlgorithms configuration option:

ssh -oHostKeyAlgorithms=+ssh-dss user@legacyhost

or in the ~/.ssh/config file:

Host somehost.example.org
	HostKeyAlgorithms +ssh-dss

Relying on the server configuration, it's possible for other link parameters to fail to deal. You may found the Ciphers and/or MACs configuration options necessary for enabling these. It's also practical to query which algorithms ssh supports:

ssh -Q cipher       # List supported ciphers
ssh -Q mac          # List supported MACs
ssh -Q key          # List supported public key types
ssh -Q kex          # List supported key exchange algorithms

Ultimately, it's also practical to query the configuration that ssh is rally employing when trying to connect to a specific host, by employing the -G option:

ssh -G user@somehost.example.com

which will list all the configuration options, along the chosen values for the CiphersMACsHostKeyAlgorithms and KexAlgorithms parameters.

The OpenSSH website has a page devoted to succession issues such as this one. It indicates the following approach, on the client:

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 123.123.123.123

or Major permanently, including

Host 123.123.123.123
    KexAlgorithms +diffie-hellman-group1-sha1

to ~/.ssh/config.

This will enable the used algorithms on the client, approving it to link to the server.

10 6 4
31,120 points

Related questions

0 votes
1 answer 57 views
57 views
Problem : I guess Chrome have released an update over the past week. And this update has caused at least 100 of our internal applications to throw the exception shown below. The solutions I have found over the Internet, talk about updating the ... there anyone who is aware of a similar fix in Chrome? Error Server has a weak ephemeral Diffie-Hellman public key ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY
asked Nov 25, 2019 alecxe 7.5k points
0 votes
1 answer 1.4K views
1.4K views
Problem : I am having the issue getting ssh X forwarding to work. A setup is I am sshing into the ubuntu VM off OSX a Yosemite host machine. I have already installed a xQuartz on OSX, xauth on ubuntu, and I believe I have all the relevant options set in ... on my other machine except running a Mavericks and it works fine, is there anything specific to the Yosemite specific I have to know about?
asked Jan 22, 2020 jwilliam 3.9k points
0 votes
1 answer 340 views
340 views
Problem : I am facing a strange MySQL error may be it is related to the database's read-only flag. The Web application that is using the MySQL is running on Debian 7.9. It was running well but suddenly started attempting to access the application powered website ... - SQLSTATE[HY000]: General error: 1290 The MySQL server is running with the --read-only option so it cannot execute this statement
asked Nov 20, 2019 peterlaw 6.9k points
1 vote
1 answer 98 views
98 views
Problem: I am trying to learn Oracle. I have created two tables their names are Table Employee and Table USER, here is the structure. CREATE TABLE Employee ( ID NUMBER NOT NULL , USERID NUMBER, CONSTRAINT B_PK PRIMARY KEY ( ID ) ENABLE ); CREATE TABLE USER ( ... above error but because of my elementary knowledge on Oracle I am unable to fix it. Kindly guide me in fixing above Oracle error.
asked May 29, 2020 Martin K 6.6k points
1 vote
1 answer 656 views
656 views
Problem : I am very new to WinSCP. If I want to SSH into my cluster then I need to go through two stages. I need to enter my password two times to reach my home directory using the SSH in my Linux terminal or the PuTTY. But if I want to use the ... recently I have started facing below error: Trying SFTP: Cannot initialize SFTP protocol. Is the host running a SFTP server? How to fix above problem?
asked Apr 6, 2020 morrisBson 3.2k points
0 votes
1 answer 136 views
136 views
Problem : I am very new to Shell scripting. Currently I am trying to write the Shell Script which should create some dirs on my remote server and then it should use the scp to copy the files from the local pc on the remote server. But whenever I try to ... Pseudo-terminal will not be allocated because stdin is not a terminal.” And my script hangs after the message. How to fix above message?
asked Feb 24, 2020 mphil 2.3k points
0 votes
1 answer 854 views
854 views
Problem : I am working on the project remotely through the command line on the machine to which I don't have the admin rights and after running git push origin master I get the below error message: (gnome-ssh-askpass:29241): Gtk-WARNING **: cannot open ... to host github.com port 22: Connection timed out fatal: The remote end hung up unexpectedly Does anyone have any solution for my issues?
asked Dec 11, 2019 alecxe 7.5k points
0 votes
1 answer 2.3K views
2.3K views
Problem : I am trying to run startx via PuTTY and Xming but it gives following error: putty x11 proxy: unable to connect to forwarded x server: network error: connection refused
asked Nov 18, 2019 peterlaw 6.9k points