Saturday, August 18, 2018

Unable to ssh on macOS High Sierra, Catalina and Linux

  • Symptoms

After upgrading to macOS High Sierra (or a later release, or a recent Linux distribution), ssh fails with one of the errors below and you can no longer connect to the network switch or firewall. The cause is on the client side: OpenSSH 7.0 and later disable DSA (ssh-dss) host keys and the 1024-bit diffie-hellman-group1-sha1 key exchange by default because they are considered weak, so a device that offers only those algorithms is refused.

Unable to negotiate with port 22: no matching host key type found. Their offer: ssh-dss

Unable to negotiate with port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

  • Resolution 1

This change applies system-wide, to every user and every host on the machine.

Open the ssh_config file in the /etc/ssh directory with a text editor such as vi.

sudo vi /etc/ssh/ssh_config

Find the two lines shown below and remove the # (hash/pound sign) at the beginning of each.

# MACs hmac-md5,hmac-sha1,hmac-ripemd160
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc

Then add the following lines at the bottom of the file (they fall under the Host * block, so they apply to every host).

# Lists ssh-dss and ssh-rsa only, replacing the default list: hosts that present
# only an ECDSA or Ed25519 key will then fail with the same "no matching host key
# type" error. "HostKeyAlgorithms +ssh-dss" would append to the defaults instead.
HostKeyAlgorithms ssh-dss,ssh-rsa
# "+" appends the legacy exchange to the default list rather than replacing it
KexAlgorithms +diffie-hellman-group1-sha1

Overall the file will look something like this:

# Port 22
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
MACs hmac-md5,hmac-sha1,hmac-ripemd160

# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p
# RekeyLimit 1G 1h

Host *
SendEnv LANG LC_*
# replaces the default host key list (see the note above); "+ssh-dss" would append
HostKeyAlgorithms ssh-dss,ssh-rsa
KexAlgorithms +diffie-hellman-group1-sha1

Save and exit; the change takes effect for the next ssh connection. No reboot is required.

  • Resolution 2

This solution is set per user, and within the user's file it can be scoped to a specific host or subnet.

Open the config file in the .ssh directory of your home directory with a text editor such as vi (~/.ssh/config is the same path as $HOME/.ssh/config).

vi ~/.ssh/config

ServerAliveInterval 300
ServerAliveCountMax 3
RemoteForward 52698

# ssh keeps the first value it reads for each option, so put the more specific
# Host blocks before the broader ones.

# Allow the algorithm below for all hosts on the network
Host 192.168.1.*

# Only the two hosts below are allowed these ciphers
# (host-a and host-b are placeholders; the original hostnames are not on the page)
Host host-a host-b
Ciphers aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

# Only one subnet and one host below get 3des-cbc and the legacy key exchange
# (10.0.0.* and host-c are placeholders; the original values are not on the page)
Host 10.0.0.* host-c
Ciphers 3des-cbc
KexAlgorithms +diffie-hellman-group1-sha1
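As an added example (not part of the original post), the helper below turns the two "Unable to negotiate" error lines from the Symptoms section into the narrowest ~/.ssh/config entry: it appends only the algorithm the device offered, using "+", and scopes it to one Host pattern instead of changing /etc/ssh/ssh_config for every host. The function names, the 192.0.2.10 address and the sample error lines are assumptions constructed here.

```shell
#!/bin/sh
# Added example: build a per-host ~/.ssh/config block from ssh's own error text.
# directive_for_error and host_block are names chosen here, not ssh tools.

# Map one "Unable to negotiate" line to the directive that re-enables only what
# the peer offered. Prints "<Directive> +<algorithms>"; returns 1 otherwise.
directive_for_error() {
    line=$1
    case $line in
        *"no matching host key type found"*)       directive=HostKeyAlgorithms ;;
        *"no matching key exchange method found"*) directive=KexAlgorithms ;;
        *"no matching cipher found"*)              directive=Ciphers ;;
        *"no matching MAC found"*)                 directive=MACs ;;
        *) return 1 ;;
    esac
    offer=${line##*"Their offer: "}
    [ "$offer" != "$line" ] || return 1   # no "Their offer:" part on this line
    # "+" appends to the client's default list; "HostKeyAlgorithms ssh-dss,ssh-rsa"
    # would replace it and break hosts that use ECDSA or Ed25519 keys.
    printf '%s +%s\n' "$directive" "$offer"
}

# Read error lines on stdin and emit one Host block for the given pattern,
# so the legacy algorithms apply to that one device only.
host_block() {
    printf 'Host %s\n' "$1"
    while IFS= read -r line; do
        d=$(directive_for_error "$line") && printf '    %s\n' "$d"
    done
}

# Constructed sample errors (192.0.2.10 is a documentation address). Usage:
#   printf '%s\n' "$ERR1" "$ERR2" | host_block 192.0.2.10 >> ~/.ssh/config
ERR1='Unable to negotiate with 192.0.2.10 port 22: no matching host key type found. Their offer: ssh-dss'
ERR2='Unable to negotiate with 192.0.2.10 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1'
```

The same two directives can also be passed once on the command line with -o (for example -o KexAlgorithms=+diffie-hellman-group1-sha1) to confirm the device works before writing anything to a config file.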

* Reference: SSH Config File - Commonly used configuration options

