Lubuntu 18.04 can't SSH to Cisco Router: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

ssh networking lubuntu cisco

I'm not sure if this problem caused by Lubuntu or Cisco Router side.

Lubuntu = 192.168.1.100
Cisco Router = 192.168.1.1

SSH from Lubuntu to Cisco Router

user@linux:~$ ssh -V
OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n  7 Dec 2017
user@linux:~$

user@linux:~$ ssh [email protected]
Unable to negotiate with 192.168.1.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
user@linux:~$

This is on Cisco Router side

R1#
*Mar  1 01:41:19.631: SSH2 0: no matching cipher found: client [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],
R1#

SSH Verbose

user@linux:~$ ssh 192.168.1.1 -l admin -v
OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n  7 Dec 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 192.168.1.1 [192.168.1.1] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: match: Cisco-1.25 pat Cisco-1.* compat 0x60000000
debug1: Authenticating to 192.168.1.1:22 as 'admin'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: (no match)
Unable to negotiate with 192.168.1.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
user@linux:~$

More Cisco Log

R1(config)#ip ssh logging events
R1(config)#
R1(config)#
*Mar  1 01:56:21.723: SSH2 0: no matching cipher found: client [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],
R1(config)#
*Mar  1 01:56:21.723: %SSH-5-SSH2_SESSION: SSH2 Session request from 192.168.1.100 (tty = 0) using crypto cipher '', hmac '' Failed
*Mar  1 01:56:21.723: %SSH-5-SSH2_CLOSE: SSH2 Session from 192.168.1.100 (tty = 0) for user '' using crypto cipher '', hmac '' closed
R1(config)#

What is the problem here and how to fix it?

Update 1

I've tried these as suggested here but it didn't solve the problem

user@linux:~$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 192.168.1.1
Unable to negotiate with 192.168.1.1 port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
user@linux:~$ 

user@linux:~$ ssh -oHostKeyAlgorithms=+ssh-dss 192.168.1.1
Unable to negotiate with 192.168.1.1 port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
user@linux:~$

The problem is the Cisco router. Ubuntu's ssh client proposes a default set of modern and secure encryptions and the router proposes another set (with legacy algorithms) and they have none in common.

You can force ssh to add the weak legacy algorithms to its list of proposals:

From the command line:

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 192.168.1.1

or adding the option to ~/.ssh/config

Host 192.168.1.1
  KexAlgorithms +diffie-hellman-group1-sha1

As explained here (you have other solutions there), that might be not be enough and you might have to enable ssh-dss too.

ssh -oHostKeyAlgorithms=+ssh-dss 192.168.1.1

or adding the option to ~/.ssh/config

Host 192.168.1.1
  HostKeyAlgorithms +ssh-dss

try this one, you did not specify the cypher to use

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c aes128-cbc -l username 192.168.1.1

Related

I can't install the Software Center [duplicate]
Unable to Remove Virtualbox-6.1
Wayland on Nvidia as we near Q4 2021
How to free system of useless processes in a safe way?
What events happen reliably each season in Dwarf Fortress?
What are the choices you can make to stay alive in One Chance?
What happens when I choose to ally with The God King in Infinity Blade?
From Archaemennid to Safavid: What Golden Ages count towards the achievement?
Is there a way to play Call of Duty: Black Ops on LAN without an internet connection?
Making Wii Sports Tennis burn more energy
Capturing Borgia flags. What about Romulus Lairs?
Techniques and tips for tuning cars in GT5