No matching key exchange method found their offer diffie hellman group1 sha1 mac os

ssh не может договориться — не найден подходящий метод обмена ключами

Я пытаюсь войти в свой маршрутизатор DSL, потому что у меня проблемы с почтой из командной строки. Я надеюсь, что смогу перенастроить роутер.

Когда я даю ssh команду, вот что происходит:

тогда я посмотрел на этот пост stackexchange и изменил свою команду на эту, но у меня возникла другая проблема, на этот раз с шифрами.

так есть ли команда предложить 3des-cbc шифрование? Я не уверен насчет 3des, например, хочу ли я добавить его навсегда в мою систему.

Есть ли команда разрешить 3des-cbc шифрование?

В чем здесь проблема? Это не спрашивать пароль.

Эта конкретная ошибка происходит во время настройки зашифрованного канала. Если ваша система и удаленная система не используют хотя бы один шифр, шифр для согласования отсутствует и зашифрованный канал невозможен. Обычно SSH-серверы предлагают небольшое количество разных шифров для обслуживания разных клиентов; Я не уверен, почему ваш сервер будет настроен на разрешение только 3DES-CBC.

Теперь 3DES-CBC не страшно. Он медленный и обеспечивает меньшую безопасность, чем некоторые другие алгоритмы, но его нельзя сломать сразу, если ключи выбраны правильно. У самой CBC есть некоторые проблемы, когда зашифрованный текст может быть изменен при передаче, но я сильно подозреваю, что возникшее повреждение будет отклонено HMAC SSH, что уменьшит влияние. В итоге, есть худшие варианты, чем 3DES-CBC, и есть лучшие. Однако всегда соблюдайте осторожность при переопределении связанных с безопасностью значений по умолчанию, включая выбор алгоритмов шифрования и обмена ключами.Эти значения по умолчанию являются причинами по причине; некоторые довольно умные люди потратили немного сил на обдумывание вариантов и определили, что то, что было выбрано в качестве значений по умолчанию, обеспечивает лучший общий компромисс безопасности и производительности.

Как вы узнали, вы можете использовать -c . (или -oCiphers=. ), чтобы указать, какой шифр предлагать на стороне клиента. В этом случае добавление -c 3des-cbc разрешает только 3DES-CBC от клиента. Поскольку это соответствует шифру, который предлагает сервер, может быть установлен зашифрованный канал, и соединение переходит к фазе аутентификации.

Вы также можете добавить это в свой личный

/.ssh/config . Чтобы избежать глобальных изменений для решения локальной проблемы, вы можете поместить их в Host раздел. Например, если ваша конфигурация SSH в настоящее время говорит (фиктивный пример):

указав глобальный порт по умолчанию 9922 вместо 22 по умолчанию, вы можете добавить раздел хоста для хоста, который требует специальной конфигурации, и раздел глобального хоста для случая по умолчанию. Это стало бы что-то вроде .

Отступы необязательны, но я считаю, что они значительно улучшают читаемость. Пустые строки и строки, начинающиеся с # , игнорируются.

Если вы всегда (или в основном) входите в систему как один и тот же пользователь в этой системе, вы также можете указать это имя пользователя:

Вам не нужно добавлять Host * раздел, если в вашем

/ .ssh / config ничего не было для начала, так как в этом случае будут использоваться только скомпилированные или общесистемные значения (обычно из / etc / ssh / ssh_config) используемый.

На этом этапе командная строка ssh для подключения к этому хосту сводится к

и все другие пользователи в вашей системе, а также соединения со всеми остальными хостами из вашей системы, не будут затронуты изменениями.

Источник

Mac OS High Sierra no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

Mac OS High Sierra
no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

If you’ve tried to SSH to something after upgrading to Mac OS High Sierra and gotten the message.

Follow these steps to fix.

• Open terminal
• Enter, “sudo vi /etc/ssh/ssh_config”

• Search for “MACs hmac-md5,hmac-sha1,umac-64” by pressing the “/” key and pasting “MACs hmac-md5,hmac-sha1,umac-64”
  • No quotes
  • Hit enter

• Hit the “i” key to enter insert mode and remove the “#” to uncomment the line.
• Press the “esc” key to exit insert mode

• Now search for “Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc” by pressing the “/” key and pasting “Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc”
• Press enter

• Hit the “i” key to enter insert mode and remove the “#” to uncomment the line.
• Press the “esc” key to exit insert mode

• • Go to the bottom of the file and paste in:

HostkeyAlgorithms ssh-dss,ssh-rsa
KexAlgorithms +diffie-hellman-group1-sha1

• Finally, Save and exit by typing “:wq”
  • No quotes
• Press enter

Источник

macOS – SSH Error ‘No Matching Exchange Method Found’

KB ID 0001245В

Problem

Note Certified working all the way up to macOS Big Sur version 11.2.3

I thought my RoyalTSX had broken today, I upgraded it a couple of weeks ago, and I upgraded to macOS Catalina 10.15 the other day. After this, all my SSH sessions refused to connect with this error;

Unable to negotiate with x.x.x.x port 22: no matching key exchange found. Their offer diffie-hellman-group1-sha1

Note: You may also see the following error;

Unable to negotiate with x.x.x.x port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

Update: 10/04/20: With newer equipment you may see the following error;

Unable to negotiate with x.x.x.x port 22: no matching MAC found Their offer: hmac-sha2-256

Mac SSH Error – Fix

This is not Apple’s fault, it’s OpenSSH version 7. SHA1 is weak, so support for it has been removed. Which is fine, but all my clients Cisco Firewalls/Routers/Switches are probably all using В RSA/SHA1. So until they re all updated I’m going to need to re-enable SHA1.

Open a terminal windows and execute the following;

Locate the line ‘В # В MACs hmac-md5,hmac-sha1, hmac-sha2-256 ,umac-64@openssh.com,hmac-ripemd160′В and remove the Hash/Pound sight from the beginning, and add the extra hashing algorithm that I’ve shown above in red.В

Locate the line ‘В # В Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc’В and remove the Hash/Pound sight from the beginning.

Then paste the following on the end;

Mac SSH Error – Quitting Nano

To quit nano, use the Ctrl-X key combination. because you are working on has been modified since the last time you saved it, you will be prompted to save the file first. Type y to save the file.

Theres no reason to reboot, it should work straight away.

But Wait – Theres More!

This is going to happen every time you upgrade your mac, I’ve started taking a backup of the ssh_config file, then I can just restore it back again, like so;

Backup macOS SSH Settings & Ciphers

Restore macOS SSH Settings & Ciphers

Related Articles, References, Credits, or External Links

Author: PeteLong

101 Comments

I tried your work around, but it only gives me a different error. Is it possible that something more needs to be changed? Thanks

What Error did you get?

Fixed the issue immediately. Thanks

2018 and this advice is still good. Fixed my problem too. Thanks!

nice it works and solve the issues…

Worked for me, 2019

2020 still working !! I fixed my problem too.

End of 2020, and this still works to get me on legacy systems.

Is it possible you forgot a comma , after typing in hmac-sha2-256? Because that’s what I did at first try 😛

Thanks a lot for this. Helped me straight away.

No Probs – Glad to help рџ™‚ P

Still perfect.
Thanks For all.

Thanks for this.Work just as described!

Worked like a charm – Thanks!

It Works! Thanks

It didn’t like me allowing that line. It kept throwing up a new error, though to be fair, my line was longer and looked different.

However, putting the pound sign back and just adding that bit to the bottom worked straight away.

Thanks for the help.

Using all 3 changes will invalidate all host-keys in ‘known_hosts’.
Only the last line was actually needed for me: KexAlgorithms diffie-hellman-group1-sha1

With the caveat that this will force all ssh negotiations down to this less secure protocol.

A better option is to leave /etc/ssh/ssh_config alone alltogether, and create

/.ssh/config in your home-dir (alongside the known_hosts file)
In

/.ssh/config create an entry as follows for the equipment that use this key-exchange. Use as identification the name or ip you actually use on your commandline. (i.e. use ‘192.168.0.1’ or ‘firewall’ if you use ‘ssh 192.168.0.1’ or ‘ssh firewall’)

#force key exchange:
host 192.168.0.1 firewall.local firewall
KexAlgorithms diffie-hellman-group1-sha1

That worked also. Thanks!

This is great. I updated my Mac to 10.13.6 on 12/26/2018 and both my SSH and Sublime Text SFTP stopped working. (But my Cyberduck SFTP and Microsoft Remote Desktop continued to work.)

Using the steps in the initial post didn’t work for me. It resulted in an alert that I would be open to a “Man in the Middle” attack and it didn’t allow me to continue.

However, this comment helped me fix this issue. Now my SSH and Sublime Text SFTP work by creating a

/.ssh/config file in my local user folder and adding the lines at the end of the file. (Note: 999.999.9.9 is the IP address of the remote server you want to log into.)

# force key exchange:
host 999.999.9.9 firewall.local firewall
KexAlgorithms diffie-hellman-group1-sha1

Thanks a lot, this worked a treat for me. : )

Источник

Fixed: No Matching Key Exchange Method Found

When you’re trying to use ssh to get in touch with a remote server, you might receive an error that reads no matching key exchange method found before giving you a suggestion as to which encryption algorithm you’ll want to be using. You won’t be able to connect to the remote server whenever you experience the error. This process can be really frustrating, but the error is so common that you’ll often find Unix types talking about how they’re experiencing it and giving the same advice to get out of the woods.

The following methods to fix the error have been tested on everything that ssh works on, but you’ll most likely find this problem on Unix and Linux systems. You should be able to use the same process to correct it if you’re running ssh on Windows or something exotic, but you might find that the switch options are slightly different.

Method 1: Recontacting the Server and Regenerating Keys

Before you do anything else, make sure that you can reproduce the error. Sometimes this error message is just because there is some remote-side service that isn’t currently running, which might have been corrected in the meantime. While we were running ssh in a virtual machine that allowed the connection to a bogus server address that was set to the documentation-approved example.org, but you’ll want to substitute a real networking address instead.

If you still receive it, then try regenerating keys with ssh-keygen -A from the command prompt. This will refresh the cache that the ssh application uses to connect to the remote server. Barring that, you might want to try restarting ssh by running service ssh restart and giving it a few moments.

Should you still be having issues, then it means that the server and client weren’t ever able to come to terms with the right protocol to use. OpenSSH implements a dizzying array of different protocols, but it disables a number of these because they’re now known to be compromised and therefore unsafe. You’ll want to update all the ssh packages at the server end of the equation, so make sure the system administrator is aware of what’s going on. If it’s your own server, then take a moment to update them.

If this isn’t an option and you recognize the dangers of using a compromised algorithm, then there’s a client-side way to bypass this error message.

Method 2: Enabling Legacy Options in OpenSSH

Take a look at what the error message reads after the words Their offer: to see what algorithm the remote server prefers. While most systems should be using openssh7, which has already disabled the older obsolete diffie-hellman-group1-sha1 technology, you’ll be told to use sha1 if they’re still stuck on openssh6 or something similar.

Run ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 testhost@example.org with whatever the actual networking host or IP address of the remote server is to fix this issue on the client-side. If this fixes the issue, then it was looking for an older sha1-based protocol to connect. This older sha1-based solution was disabled for a good reason, but you can more permanently bypassing it by using the nano or vim editors to open up the

/.ssh/config file and add the lines:

Keep in mind that you’ll want to make sure that the plus sign is there since it means that ssh will append rather than replace the more secure defaults. When the server updates the packages, you’ll be using the safer protocols in most cases.

If you received an error before that mentioned the ssh-dss protocol instead of the sha1 version, then you can instead try this command followed by the name of your host: ssh -oHostKeyAlgorithms=+ssh-dss, which if it works you’ll need to edit the

/.ssh/config file again. After the Host line, add a tab and the following:

HostKeyAlgorithms +ssh-dss

Remember that just like the sha1 system, the ssh-dss key has been deprecated for extremely rational security problems associated with it. Using this could introduce vulnerabilities into your connection, so it should be looked at only as a temporary fix if even that. Make sure to get the server updated as soon as possible.

Источник