Saturday, August 18, 2018

Unable to ssh on macOS High Sierra, Catalina and Linux


  • Symptoms

After upgrading to macOS High Sierra, one of the following errors appears and you can no longer connect to the network switch or firewall. Newer OpenSSH clients no longer enable the legacy DSA host key algorithm (ssh-dss) or the diffie-hellman-group1-sha1 key exchange by default, so the connection fails when the device offers nothing else.

Unable to negotiate with 192.168.1.1 port 22: no matching host key type found. Their offer: ssh-dss

Unable to negotiate with 192.168.1.2 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1



  • Resolution 1

This is a system-wide solution: it changes the client defaults for every user on the machine.

Open the ssh_config file in the /etc/ssh directory using a text editor such as Vi.

sudo vi /etc/ssh/ssh_config

Find the lines shown below and remove the # (hash/pound sign) at the beginning of each.

# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc


Then add the following two lines at the bottom.

HostkeyAlgorithms ssh-dss,ssh-rsa
KexAlgorithms +diffie-hellman-group1-sha1


Overall it will look something like this:

# Port 22
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
MACs hmac-md5,hmac-sha1,umac-64@openssh.com

# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h

Host *
SendEnv LANG LC_*
HostkeyAlgorithms ssh-dss,ssh-rsa
KexAlgorithms +diffie-hellman-group1-sha1


Save and exit; the change takes effect immediately for new ssh connections. No reboot is required.


  • Resolution 2

This solution is set per user (in that user's own ~/.ssh/config) and can be scoped to specific hosts or subnets, so the legacy algorithms are only enabled where they are needed.

Open the config file in the .ssh directory of your home directory using a text editor such as vi.


vi ~/.ssh/config
(~/.ssh/config is the same path as $HOME/.ssh/config.)

ServerAliveInterval 300
ServerAliveCountMax 3
Host 192.168.1.100
RemoteForward 52698 127.0.0.1:52698


# Allow the legacy DSA host key algorithm for every host on the 192.168.1.0 network
Host 192.168.1.*
HostKeyAlgorithms=+ssh-dss


# Only the two hosts below get this cipher list (Host patterns are separated by spaces, not commas)
Host 192.168.2.1 192.168.2.2
Ciphers aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc


# One subnet and one host: allow the legacy host key, cipher and key exchange algorithms
Host 192.168.3.* 192.168.4.100
HostKeyAlgorithms=+ssh-dss
Ciphers 3des-cbc
KexAlgorithms +diffie-hellman-group1-sha1
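Both resolutions rely on one ssh_config rule that the file above does not make visible: for each keyword, the first value obtained while reading the file top to bottom wins, so a catch-all "Host *" stanza (as in Resolution 1) must come after the specific stanzas, or it silently overrides them. The POSIX shell script below is an added example, not part of the original post and not OpenSSH's own code: it re-implements that lookup over a constructed config modelled on Resolution 2 and resolves the same destination against both orderings. The sample hosts, the temp file path and the added "Host *" stanza are assumptions; "!" negation and Match blocks are not handled.

```shell
#!/bin/sh
# Added example, not from the original post: a small resolver that applies the
# ssh_config rule "for each parameter, the first obtained value will be used"
# to a constructed client config. It shows which Host stanza really supplies
# HostKeyAlgorithms / KexAlgorithms / Ciphers for a destination, and why a
# catch-all "Host *" stanza must come AFTER the specific ones. The real client
# reports the same thing with `ssh -G <host>`.
# Simplifications: only * and ? wildcards, no "!" negation, no Match blocks.

# Writes the constructed sample config (modelled on Resolution 2) to $1.
# $2 is "catchall-first" or "catchall-last" and decides where "Host *" goes.
write_sample_config() {
    {
        if [ "$2" = catchall-first ]; then
            printf 'Host *\n    HostKeyAlgorithms ssh-rsa\n\n'
        fi
        cat <<'EOF'
ServerAliveInterval 300
ServerAliveCountMax 3

# every host on 192.168.1.0/24 may present a legacy DSA host key
Host 192.168.1.*
    HostKeyAlgorithms=+ssh-dss

# exactly two hosts get the wider cipher list (patterns are space separated)
Host 192.168.2.1 192.168.2.2
    Ciphers aes256-ctr,aes128-cbc,3des-cbc

# one subnet plus one host need the legacy kex and cipher too
Host 192.168.3.* 192.168.4.100
    HostKeyAlgorithms=+ssh-dss
    Ciphers 3des-cbc
    KexAlgorithms +diffie-hellman-group1-sha1
EOF
        if [ "$2" = catchall-last ]; then
            printf '\nHost *\n    HostKeyAlgorithms ssh-rsa\n'
        fi
    } > "$1"
}

# host_matches HOST PATTERN... -> 0 if any pattern matches HOST.
# ssh_config Host patterns use the same * and ? wildcards as shell case globs.
host_matches() {
    _h=$1; shift
    for _p in "$@"; do
        case $_h in $_p) return 0 ;; esac
    done
    return 1
}

# effective_value CONFIG HOST KEYWORD -> prints the first value obtained for
# KEYWORD while reading CONFIG top to bottom; returns 1 if nothing applies.
effective_value() {
    _cfg=$1; _host=$2; _want=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    _active=1            # lines before the first Host stanza are global
    while IFS= read -r _line || [ -n "$_line" ]; do
        # accept "Key Value" and "Key=Value", collapse whitespace, trim ends
        _line=$(printf '%s' "$_line" | sed 's/=/ /; s/[[:space:]]\{1,\}/ /g; s/^ //; s/ $//')
        case $_line in ''|\#*) continue ;; esac      # blank or comment line
        _kw=$(printf '%s' "${_line%% *}" | tr 'A-Z' 'a-z')   # keywords are case-insensitive
        _val=${_line#* }
        if [ "$_kw" = host ]; then
            set -f                      # no pathname expansion: "*" is a pattern here
            # $_val is unquoted on purpose: split the pattern list into words
            if host_matches "$_host" $_val; then _active=1; else _active=0; fi
            set +f
            continue
        fi
        if [ "$_active" = 1 ] && [ "$_kw" = "$_want" ]; then
            printf '%s\n' "$_val"
            return 0
        fi
    done < "$_cfg"
    return 1
}

# Walk-through: the same destination resolved against both orderings.
demo() {
    _tmp=${TMPDIR:-/tmp}/ssh_config_demo.$$
    for _order in catchall-first catchall-last; do
        write_sample_config "$_tmp" "$_order"
        printf '%s: 192.168.3.7 HostKeyAlgorithms -> %s\n' "$_order" \
            "$(effective_value "$_tmp" 192.168.3.7 HostKeyAlgorithms || echo '(unset)')"
    done
    rm -f "$_tmp"
}

demo
```

With "Host *" first, 192.168.3.7 resolves HostKeyAlgorithms to the catch-all's ssh-rsa and the legacy stanza never applies; with "Host *" last it resolves to +ssh-dss. To check what the real client has resolved for a destination, run `ssh -G 192.168.3.7 | grep -i -e hostkeyalgorithms -e kexalgorithms -e ciphers`, and `ssh -Q key` / `ssh -Q kex` list the algorithms your OpenSSH build supports at all. A one-off `ssh -o HostKeyAlgorithms=+ssh-dss -o KexAlgorithms=+diffie-hellman-group1-sha1 user@192.168.1.1` confirms which settings a device needs before you commit them to a config file.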


* Reference: SSH Config File - Commonly used configuration options

