Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
78749
Views
7
Helpful
6
Replies

no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

KjeldFlarup
Level 1
Level 1

‎05-28-2021 06:19 AM

When I try to connect to my switch I get this error

$ ssh cisco@192.168.7.203
Unable to negotiate with 192.168.7.203 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1


And I just did a factory default on this box

System Description:	SG300-52 52-Port Gigabit Managed Switch	
Firmware Version (Active Image):	1.4.11.5
Boot Version:	1.3.5.06

Configured it like this

configure
interface vlan 1 
 ip address 192.168.7.203 255.255.255.0 
 no ip address dhcp 
ip default-gateway 192.168.7.1  
end

config
ip ssh server
ip ssh-client server authentication
ip ssh-client source-interface  vlan 1
end
copy running-config startup-config
reload

What am I missing?

 

This works, but I would like to configure the switch properly

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c aes256-ctr  cisco@192.168.7.203
1 person had this problem
Labels:
6 Replies 6

marce1000
VIP
VIP

‎05-28-2021 09:49 AM

 

 - Not much you can do , available ciphers may be limited depending on model , but also firmware version (use the latest and or try again). Can be verified with : 

nmap --script ssh2-enum-algos your-switch

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !
0 Helpful

KjeldFlarup
Level 1
Level 1
In response to marce1000

‎05-31-2021 12:29 AM

**bleep**, even the largest switch supplier in the world cannot offer a secure switch.

22/tcp  open  ssh
| ssh2-enum-algos: 
|   kex_algorithms: (2)
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (2)
|       ssh-rsa
|       ssh-dss
|   encryption_algorithms: (3)
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|   mac_algorithms: (1)
|       hmac-sha1
|   compression_algorithms: (1)
|_      none

Neither diffie-hellman-group-exchange-sha1, diffie-hellman-group1-sha1 is considered secure. https://tools.ietf.org/id/draft-ietf-curdle-ssh-kex-sha2-09.html

 

And 1.4.11.5 is the latest available firmware.

0 Helpful

marce1000
VIP
VIP
In response to KjeldFlarup

‎05-31-2021 01:46 AM

 

 - Small business devices may have security limits (too) ,indeed.

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !
0 Helpful

Sadettin Sahiner
Level 1
Level 1

‎01-11-2022 09:55 PM

Hi,

 

Maybe you can try to add your linux ssh_config file in directory/etc/ssh "KexAlgorithms +diffie-hellman-group1-sha1". In fact, the underline keyword can be change depending your device answers. In my case it was +diffie-hellman-group14-sha1.

0 Helpful

jkinnaird1
Level 1
Level 1

‎10-04-2022 02:17 AM

I had this problem as well - I found a good solution here !

https://www.petenetlive.com/kb/article/0001245 

rodrigosilvaluz5
Level 1
Level 1
In response to jkinnaird1

‎02-17-2024 08:43 AM

Very good!

0 Helpful
Customers Also Viewed These Support Documents