Lubuntu 18.04 can't SSH to Cisco Router: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
I'm not sure if this problem is caused by the Lubuntu or the Cisco Router side.
Lubuntu = 192.168.1.100
Cisco Router = 192.168.1.1
SSH from Lubuntu to Cisco Router
user@linux:~$ ssh -V
OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017
user@linux:~$
user@linux:~$ ssh admin@192.168.1.1
Unable to negotiate with 192.168.1.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
user@linux:~$
This is on Cisco Router side
R1#
*Mar 1 01:41:19.631: SSH2 0: no matching cipher found: client chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,
R1#
SSH Verbose
user@linux:~$ ssh 192.168.1.1 -l admin -v
OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 192.168.1.1 [192.168.1.1] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: match: Cisco-1.25 pat Cisco-1.* compat 0x60000000
debug1: Authenticating to 192.168.1.1:22 as 'admin'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: (no match)
Unable to negotiate with 192.168.1.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
user@linux:~$
More Cisco Log
R1(config)#ip ssh logging events
R1(config)#
R1(config)#
*Mar 1 01:56:21.723: SSH2 0: no matching cipher found: client chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,
R1(config)#
*Mar 1 01:56:21.723: %SSH-5-SSH2_SESSION: SSH2 Session request from 192.168.1.100 (tty = 0) using crypto cipher '', hmac '' Failed
*Mar 1 01:56:21.723: %SSH-5-SSH2_CLOSE: SSH2 Session from 192.168.1.100 (tty = 0) for user '' using crypto cipher '', hmac '' closed
R1(config)#
What is the problem here and how do I fix it?
Update 1
I've tried these, as suggested here, but they didn't solve the problem:
user@linux:~$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 192.168.1.1
Unable to negotiate with 192.168.1.1 port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
user@linux:~$
user@linux:~$ ssh -oHostKeyAlgorithms=+ssh-dss 192.168.1.1
Unable to negotiate with 192.168.1.1 port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
user@linux:~$
The problem is the Cisco router. Ubuntu's ssh client proposes a default set of modern and secure encryptions and the router proposes another set (with legacy algorithms) and they have none in common.
You can force ssh to add the weak legacy algorithms to its list of proposals:
From the command line:
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 192.168.1.1
or adding the option to ~/.ssh/config
Host 192.168.1.1
KexAlgorithms +diffie-hellman-group1-sha1
As explained here (you have other solutions there), that might not be enough and you might have to enable ssh-dss too.
ssh -oHostKeyAlgorithms=+ssh-dss 192.168.1.1
or adding the option to ~/.ssh/config
Host 192.168.1.1
HostKeyAlgorithms +ssh-dss
Try this one; you did not specify the cipher to use:
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c aes128-cbc -l username 192.168.1.1
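As an added example (not from the question or either answer), the script below turns the two "Unable to negotiate" errors shown in the question into one Host-scoped ~/.ssh/config stanza, enabling a single legacy algorithm per negotiation step and only for the router's address, so the client's defaults stay intact for every other host. It assumes only POSIX sh and sed; the error lines it parses are constructed copies of the ones in the question.

```shell
#!/bin/sh
# Added example, not part of the question or either answer: build a Host-scoped
# ~/.ssh/config stanza from OpenSSH "Unable to negotiate" errors so the legacy
# algorithms are re-enabled for this one router only, never client-wide.
# Assumes POSIX sh and sed; the sample error lines are constructed from this page.

# Map the error text to the ssh_config option controlling that negotiation step.
negotiate_key() {
    case $1 in
        *"no matching key exchange method"*) echo KexAlgorithms ;;
        *"no matching cipher"*)              echo Ciphers ;;
        *"no matching host key type"*)       echo HostKeyAlgorithms ;;
        *"no matching MAC"*)                 echo MACs ;;
        *) return 1 ;;
    esac
}

# Extract the server's comma-separated list that follows "Their offer:".
their_offer() {
    printf '%s\n' "$1" | sed -n 's/.*Their offer: *//p'
}

# First entry of $2 (space-separated preference order) that the server offers
# in $1 (comma-separated); otherwise the first offered algorithm.
pick_preferred() {
    offer=$1
    for want in $2; do
        case ",$offer," in *",$want,"*) echo "$want"; return 0 ;; esac
    done
    printf '%s\n' "${offer%%,*}"
}

# Print one Host stanza for the given host, one option line per error line.
# Only one algorithm is added per step: the strongest CBC cipher offered
# (3des-cbc last); for kex and host-key errors the single offered value is used.
stanza_for_errors() {
    host=$1; shift
    printf 'Host %s\n' "$host"
    for err in "$@"; do
        key=$(negotiate_key "$err") || continue
        choice=$(pick_preferred "$(their_offer "$err")" "aes256-cbc aes192-cbc aes128-cbc 3des-cbc")
        printf '    %s +%s\n' "$key" "$choice"
    done
}

# Constructed sample input: the two errors shown in the question, in the order they appeared.
KEX_ERR='Unable to negotiate with 192.168.1.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1'
CIPHER_ERR='Unable to negotiate with 192.168.1.1 port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc'
stanza_for_errors 192.168.1.1 "$KEX_ERR" "$CIPHER_ERR"
```

Append the printed stanza to ~/.ssh/config and a plain `ssh admin@192.168.1.1` will pick it up; the question's own sequence (kex error first, then the cipher error once kex is fixed) is why both option lines end up in the stanza.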