no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

KjeldFlarup
Beginner

When I try to connect to my switch I get this error

$ ssh cisco@192.168.7.203
Unable to negotiate with 192.168.7.203 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1


And I just did a factory default on this box

System Description: SG300-52 52-Port Gigabit Managed Switch
Firmware Version (Active Image): 1.4.11.5
Boot Version: 1.3.5.06

Configured it like this

configure
interface vlan 1 
 ip address 192.168.7.203 255.255.255.0 
 no ip address dhcp 
ip default-gateway 192.168.7.1  
end

config
ip ssh server
ip ssh-client server authentication
ip ssh-client source-interface  vlan 1
end
copy running-config startup-config
reload

What am I missing?


This works, but I would like to configure the switch properly

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c aes256-ctr  cisco@192.168.7.203

marce1000
VIP Mentor

 - Not much you can do; available ciphers may be limited depending on model, but also on firmware version (use the latest and/or try again). Can be verified with:

nmap --script ssh2-enum-algos your-switch

 M.

**bleep**, even the largest switch supplier in the world cannot offer a secure switch.

22/tcp  open  ssh
| ssh2-enum-algos: 
|   kex_algorithms: (2)
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (2)
|       ssh-rsa
|       ssh-dss
|   encryption_algorithms: (3)
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|   mac_algorithms: (1)
|       hmac-sha1
|   compression_algorithms: (1)
|_      none

Neither diffie-hellman-group-exchange-sha1 nor diffie-hellman-group1-sha1 is considered secure. https://tools.ietf.org/id/draft-ietf-curdle-ssh-kex-sha2-09.html


And 1.4.11.5 is the latest available firmware.


 - Small business devices may have security limits (too), indeed.

 M.

Sadettin Sahiner
Beginner

Hi,


Maybe you can try adding "KexAlgorithms +diffie-hellman-group1-sha1" to your Linux ssh_config file in the directory /etc/ssh. In fact, the underlined keyword can change depending on your device's answer. In my case it was +diffie-hellman-group14-sha1.
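As an added example that is not part of this thread (and not Cisco's or OpenSSH's code): the script below ties together the original question, the nmap ssh2-enum-algos output posted above, and the ssh_config suggestion in the previous reply. It parses either the nmap listing or OpenSSH's "Unable to negotiate" line, reports which offered algorithms a current OpenSSH client no longer enables by default, and writes a Host-scoped ssh_config stanza that re-enables only the least-bad choice per category, for that switch only, so the rest of the client's connections keep their defaults. The LEGACY sets, the preference order and the version notes in the comments are this example's own assumptions about OpenSSH defaults (check `man ssh_config` on your client); the inputs are constructed from the thread.

```python
"""Added example for this thread (not code from the original posts, Cisco or OpenSSH).

Takes either nmap's ssh2-enum-algos output or OpenSSH's "Unable to negotiate" error,
reports which offered algorithms a current OpenSSH client no longer enables by
default, and emits a Host-scoped ssh_config stanza that re-enables only the
least-bad one per category, for that host only.
"""
import re

# Assumption: algorithms removed from OpenSSH client defaults (group1/GEX-SHA-1 and
# DSA in 7.0, CBC/RC4/3DES ciphers and MD5/-96 MACs in the 7.x series, group14-sha1
# in 8.2, ssh-rsa i.e. RSA with SHA-1 signatures in 8.8).  hmac-sha1 is deliberately
# absent: OpenSSH still enables it, so no "+" line is needed for it.
LEGACY = {
    "kex": {"diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1",
            "diffie-hellman-group14-sha1"},
    "hostkey": {"ssh-dss", "ssh-rsa"},
    "cipher": {"3des-cbc", "arcfour", "arcfour128", "arcfour256", "blowfish-cbc",
               "aes128-cbc", "aes192-cbc", "aes256-cbc"},
    "mac": {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"},
}
# Tie-break when only legacy choices exist, best first: GEX lets the client ask for
# a 2048-bit or larger group, group1 is fixed at 1024 bits; RSA beats 1024-bit DSA.
PREFER = ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1",
          "diffie-hellman-group1-sha1", "ssh-rsa", "ssh-dss"]
KEYWORD = {"kex": "KexAlgorithms", "hostkey": "HostKeyAlgorithms",
           "cipher": "Ciphers", "mac": "MACs"}
NMAP_CATEGORY = {"kex_algorithms": "kex", "server_host_key_algorithms": "hostkey",
                 "encryption_algorithms": "cipher", "mac_algorithms": "mac"}
# The "<what>" words OpenSSH uses in "no matching <what> found"
SSH_WHAT = {"key exchange method": "kex", "host key type": "hostkey",
            "cipher": "cipher", "MAC": "mac"}

# Constructed inputs, copied from the thread
NMAP_OUTPUT = """\
22/tcp  open  ssh
| ssh2-enum-algos:
|   kex_algorithms: (2)
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (2)
|       ssh-rsa
|       ssh-dss
|   encryption_algorithms: (3)
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|   mac_algorithms: (1)
|       hmac-sha1
|   compression_algorithms: (1)
|_      none
"""
SSH_ERROR = ("Unable to negotiate with 192.168.7.203 port 22: no matching key exchange "
             "method found. Their offer: diffie-hellman-group-exchange-sha1,"
             "diffie-hellman-group1-sha1")


def parse_enum_algos(text):
    """Parse nmap --script ssh2-enum-algos output into {category: [algorithm, ...]}."""
    offer, current = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").strip()          # nmap prefixes lines with "| " / "|_"
        m = re.match(r"(\w+):\s*\(\d+\)$", line)  # e.g. "kex_algorithms: (2)"
        if m:
            current = NMAP_CATEGORY.get(m.group(1))  # None for compression etc.
            continue
        if current and line:
            offer.setdefault(current, []).append(line)
    return offer


def parse_negotiation_error(line):
    """Parse an OpenSSH 'Unable to negotiate' error into (host, category, [algorithms])."""
    m = re.search(r"Unable to negotiate with (\S+) port \d+: no matching (.+?) found\. "
                  r"Their offer: (\S+)", line)
    if not m:
        raise ValueError("not an OpenSSH negotiation error: " + line)
    return m.group(1), SSH_WHAT[m.group(2)], m.group(3).split(",")


def classify(offer):
    """Return {category: (legacy_only_with_plus, enabled_by_default)} for the offer."""
    return {cat: ([a for a in algs if a in LEGACY.get(cat, set())],
                  [a for a in algs if a not in LEGACY.get(cat, set())])
            for cat, algs in offer.items()}


def host_stanza(host, offer):
    """Build a Host block appending the least-bad legacy algorithm per category, only
    where the server offers nothing the client enables by default.  "" if none needed."""
    lines = []
    for cat, (legacy, ok) in classify(offer).items():
        if ok or not legacy:
            continue   # a default-enabled choice exists, or nothing we could add
        best = min(legacy, key=lambda a: PREFER.index(a) if a in PREFER else len(PREFER))
        lines.append(f"    {KEYWORD[cat]} +{best}")
    return "\n".join([f"Host {host}"] + lines) + "\n" if lines else ""


if __name__ == "__main__":
    host, cat, algs = parse_negotiation_error(SSH_ERROR)
    print(host_stanza(host, {cat: algs}))          # from the error line alone
    offer = parse_enum_algos(NMAP_OUTPUT)
    for cat, (legacy, ok) in classify(offer).items():
        print(f"{cat}: legacy={legacy} default-ok={ok}")
    print(host_stanza("192.168.7.203", offer))    # from the full nmap enumeration
```

Paste the generated block into ~/.ssh/config and `ssh cisco@192.168.7.203` then works without flags; because each line uses "+", the client still prefers its modern algorithms against hosts that support them. The nmap listing also predicts the next failure: the switch signs only with ssh-rsa or ssh-dss, so on OpenSSH 8.8 or later the KexAlgorithms fix alone is followed by "no matching host key type found", which is why the stanza built from the full enumeration carries a HostKeyAlgorithms line as well.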

jkinnaird1
Beginner

I had this problem as well - I found a good solution here!

https://www.petenetlive.com/kb/article/0001245 
