0 votes
986 views

Problem :

I am trying to ssh to the server, but it is asking for the diffie-hellman-group1-sha1 key exchange method, as below:

ssh 123.123.123.123
Unable to negotiate with 123.123.123.123 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

How can I enable the diffie-hellman-group1-sha1 key exchange method on Debian 8.0?

7,540 points

2 Answers

0 votes

Solution :

The OpenSSH website has a page dedicated to legacy issues such as the one above. It suggests the approach below, on the client:

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 123.123.123.123

Or, more permanently, you can add

Host 123.123.123.123
    KexAlgorithms +diffie-hellman-group1-sha1

to ~/.ssh/config.

This enables the old algorithms on the client, allowing it to connect to the server.

OR

My problem was similar to yours: I had many (legacy) clients connecting to a recently upgraded server (i.e. Ubuntu 14 -> Ubuntu 16).

The change from OpenSSH 6 -> OpenSSH 7 completely disabled the diffie-hellman-group1-sha1 key exchange method by default.

After doing a lot of research, I came up with the changes I needed to make to the /etc/ssh/sshd_config file, as below:

#Legacy changes
KexAlgorithms +diffie-hellman-group1-sha1
Ciphers +aes128-cbc

And the wider legacy set of changes, as below:

#Legacy changes
KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
Ciphers 3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr

It resolved my issue.

38,600 points
0 votes

Solution:

In this instance, the client and server were unable to agree on the key exchange algorithm. The server offered just a single method, diffie-hellman-group1-sha1. OpenSSH supports this method, but does not enable it by default because it is weak and within theoretical range of the so-called Logjam attack.

The best solution for these failures is to upgrade the software at the other end. OpenSSH only disables algorithms that we actively recommend against using because they are known to be weak. In some instances this may not be immediately possible, so you may need to temporarily re-enable the weak algorithms to keep access.

For the above error message, OpenSSH can be configured to enable the diffie-hellman-group1-sha1 key exchange algorithm (or any other that is disabled by default) using the KexAlgorithms option, either on the command line:

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 user@legacyhost

or in the ~/.ssh/config file:

Host somehost.example.org
	KexAlgorithms +diffie-hellman-group1-sha1

The '+' before the list tells ssh to append the algorithm to the client's default set rather than replacing the default. By appending, you will automatically upgrade to the best supported algorithm once the server starts supporting it.

Another instance, this time where the client and server fail to agree on a public key algorithm for host authentication:

Unable to negotiate with legacyhost: no matching host key type found. Their offer: ssh-dss

OpenSSH 7.0 and greater likewise disable the ssh-dss (DSA) public key algorithm. It is weak and we recommend against its use. It can be re-enabled using the HostKeyAlgorithms configuration option:

ssh -oHostKeyAlgorithms=+ssh-dss user@legacyhost

or in the ~/.ssh/config file:

Host somehost.example.org
	HostKeyAlgorithms +ssh-dss

Depending on the server configuration, it's possible for other connection parameters to fail to negotiate. You may find the Ciphers and/or MACs configuration options necessary for enabling these. It's also possible to query which algorithms ssh supports:

ssh -Q cipher       # List supported ciphers
ssh -Q mac          # List supported MACs
ssh -Q key          # List supported public key types
ssh -Q kex          # List supported key exchange algorithms

Finally, it's also possible to query the configuration that ssh is actually using when trying to connect to a specific host, using the -G option:

ssh -G user@somehost.example.com

which will list all the configuration options, including the chosen values for the Ciphers, MACs, HostKeyAlgorithms and KexAlgorithms parameters.

The OpenSSH website has a page devoted to legacy issues such as this one. It suggests the following approach, on the client:

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 123.123.123.123

or, more permanently, adding

Host 123.123.123.123
    KexAlgorithms +diffie-hellman-group1-sha1

to ~/.ssh/config.

This will enable the old algorithms on the client, allowing it to connect to the server.

31,120 points
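Both answers above show the same two steps done by hand: read the algorithm list from the "Their offer:" error line, compare it against what the client actually negotiates (visible in `ssh -G` output), and then add a `+`-prefixed `KexAlgorithms` line for that one host rather than weakening the default list globally. The POSIX shell script below is an added example, not code from either answer or from the OpenSSH project; it automates those steps on constructed sample data (the error line and a made-up `ssh -G` dump are embedded so the script runs offline without invoking ssh), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: diagnose "no matching key exchange method found" and scope the
# client-side workaround to a single host. All inputs below are constructed.

# Extract the comma-separated algorithm list from ssh's
# "Unable to negotiate ... Their offer: a,b,c" error line.
parse_offer() {
    printf '%s\n' "$1" | sed -n 's/.*Their offer: *//p'
}

# Exit 0 if $1 appears in the comma-separated list $2 (e.g. the value on the
# "kexalgorithms ..." line of `ssh -G host` output), 1 otherwise.
in_list() {
    needle=$1
    list=$2
    printf '%s\n' "$list" | tr ',' '\n' | grep -qxF -- "$needle"
}

# Given `ssh -G` output (one "option value" pair per line) and the server's
# offer list, print each offered algorithm the client would NOT accept.
missing_kex() {
    ssh_g_output=$1
    offer=$2
    client_kex=$(printf '%s\n' "$ssh_g_output" | awk '$1 == "kexalgorithms" { print $2 }')
    printf '%s\n' "$offer" | tr ',' '\n' | while IFS= read -r alg; do
        in_list "$alg" "$client_kex" || printf '%s\n' "$alg"
    done
}

# Emit a ~/.ssh/config stanza that appends (note the '+') the legacy kex for
# one host only, so the client's default list stays intact everywhere else.
legacy_stanza() {
    printf 'Host %s\n    KexAlgorithms +%s\n' "$1" "$2"
}

# --- constructed sample data (not captured from a real host) ---
SAMPLE_ERR='Unable to negotiate with 123.123.123.123 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1'
SAMPLE_SSH_G='user alice
hostname 123.123.123.123
port 22
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group14-sha256
ciphers chacha20-poly1305@openssh.com,aes128-ctr'

main() {
    offer=$(parse_offer "$SAMPLE_ERR")
    echo "server offered: $offer"
    gap=$(missing_kex "$SAMPLE_SSH_G" "$offer")
    if [ -n "$gap" ]; then
        echo "client will not negotiate: $gap"
        echo "one-host workaround for ~/.ssh/config:"
        legacy_stanza 123.123.123.123 "$gap"
    else
        echo "no client-side change needed"
    fi
}
main
```

On a real machine, replace the two constructed variables with the actual error line and the output of `ssh -G user@host`; the `Host` stanza it prints is the same shape the answers give, and keeping it per-host means the weak algorithm is only ever offered to the one legacy server that needs it.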
