Saturday, August 18, 2018

Unable to ssh on macOS High Sierra, Catalina and Linux


  • Symptoms

After upgrading to Apple macOS High Sierra (the same happens on Catalina and on current Linux distributions, whose OpenSSH client no longer enables these legacy algorithms by default), ssh prints one of the following errors and the connection to the network switch or firewall fails.

Unable to negotiate with 192.168.1.1 port 22: no matching host key type found. Their offer: ssh-dss

Unable to negotiate with 192.168.1.2 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

Unable to negotiate with 192.168.1.10 port 22: no matching host key type found. Their offer: rsa-sha2-512,rsa-sha2-256,ecdsa-sha
-> Fix: add ssh-ed25519 to HostkeyAlgorithms (see Resolution 1 below).
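As an added example (not from the original post), the POSIX shell functions below turn an "Unable to negotiate" line such as the first two above into the smallest per-host ~/.ssh/config stanza, or a one-off ssh -o command, that re-enables only what that one host offered. The four "no matching ... found" phrasings are assumed to be the ones the OpenSSH client emits; the host and the offered algorithm list are parsed from the error line itself. Appending with "+" for a single Host keeps the client defaults unchanged for every other host.

```shell
#!/bin/sh
# Added example, not code from the original post: map an OpenSSH
# "Unable to negotiate" error to the ssh_config keyword that controls it.

# Which keyword does the failing negotiation step belong to?
# (Assumed: the four phrasings below are OpenSSH's error texts.)
option_for_error() {
    case "$1" in
        *"no matching host key type found"*)       echo HostKeyAlgorithms ;;
        *"no matching key exchange method found"*) echo KexAlgorithms ;;
        *"no matching cipher found"*)              echo Ciphers ;;
        *"no matching MAC found"*)                 echo MACs ;;
        *) return 1 ;;
    esac
}

# The host is the token between "with " and " port".
host_for_error() {
    echo "$1" | sed -n 's/.*Unable to negotiate with \([^ ]*\) port .*/\1/p'
}

# The offer is the comma-separated list after "Their offer: ".
offer_for_error() {
    echo "$1" | sed -n 's/.*Their offer: *\([^ ]*\).*/\1/p'
}

# Print a Host stanza that appends ("+") the server's offer for that host only.
legacy_stanza() {
    _opt=$(option_for_error "$1") || return 1
    _host=$(host_for_error "$1")
    _offer=$(offer_for_error "$1")
    [ -n "$_host" ] && [ -n "$_offer" ] || return 1
    printf 'Host %s\n    %s +%s\n' "$_host" "$_opt" "$_offer"
}

# Print a one-off command for testing the fix before touching any config file.
legacy_oneoff() {
    _opt=$(option_for_error "$1") || return 1
    printf 'ssh -o %s=+%s %s\n' "$_opt" "$(offer_for_error "$1")" "$(host_for_error "$1")"
}

# Constructed sample: the first error line from the post.
SAMPLE='Unable to negotiate with 192.168.1.1 port 22: no matching host key type found. Their offer: ssh-dss'
legacy_stanza "$SAMPLE"
legacy_oneoff "$SAMPLE"
```

For the sample line this prints a two-line stanza ("Host 192.168.1.1" / "HostKeyAlgorithms +ssh-dss") that can be pasted into ~/.ssh/config as in Resolution 2, and the equivalent "ssh -o HostKeyAlgorithms=+ssh-dss 192.168.1.1" for a one-off connection.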

  • Resolution 1

This is the system-wide solution: it applies to every user and every host on this machine.

Open the ssh_config file in the /etc/ssh directory with a text editor such as vi:

sudo vi /etc/ssh/ssh_config

Find the lines shown below and remove the # (hash/pound sign) at the beginning of each so they take effect.

# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc


Then add the following lines at the bottom of the file:

HostkeyAlgorithms +ssh-dss,ssh-rsa,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
KexAlgorithms +diffie-hellman-group1-sha1


Overall it will be something like this:

# Port 22
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
MACs hmac-sha2-512,hmac-sha2-256,hmac-md5,hmac-sha1,[email protected],[email protected]

# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h

Host *
SendEnv LANG LC_*
HostkeyAlgorithms +ssh-dss,ssh-rsa,ssh-ed25519
KexAlgorithms +diffie-hellman-group1-sha1


Save and exit; the change applies to the next ssh connection you open. No reboot is required.


  • Resolution 2

This is the per-user solution: it lives in that user's ~/.ssh/config and can be scoped to specific hosts or subnets.

Open the config file in your ~/.ssh directory (that is, $HOME/.ssh/config; create it if it does not exist) with a text editor such as vi:

vi ~/.ssh/config

ServerAliveInterval 300
ServerAliveCountMax 3
Host 192.168.1.100
RemoteForward 52698 127.0.0.1:52698


# Allow the algorithm below for every host on the 192.168.1.0 network
Host 192.168.1.*
    HostKeyAlgorithms +ssh-dss


# Only the two hosts below get these ciphers (Host patterns are separated by whitespace, not commas)
Host 192.168.2.1 192.168.2.2
    Ciphers aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc


# Only one subnet and one host below get these ciphers and algorithms
# (the subnet pattern is 192.168.3.*; a pattern such as 192.168.3.0.* never matches an IPv4 address)
Host 192.168.3.* 192.168.4.100
    HostKeyAlgorithms +ssh-dss
    Ciphers 3des-cbc
    KexAlgorithms +diffie-hellman-group1-sha1
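One thing to check after writing per-host stanzas like the ones above: ssh uses the first value it obtains for each keyword, so a Host * block placed above a more specific Host block silently wins for any keyword both of them set. As an added example (not from the original post), the shell script below flags that ordering mistake with awk and, where an OpenSSH 6.8 or newer client is installed, asks ssh -G what it will actually use for a host. The two sample config files are constructed inline.

```shell
#!/bin/sh
# Added example, not code from the original post: verify a client config
# before relying on per-host stanzas.

# Print "ok" and return 0 when no "Host *" line precedes a more specific
# Host line; otherwise report each shadowed block and return 1.
check_host_order() {
    awk '
        tolower($1) == "host" {
            if (NF == 2 && $2 == "*") { if (!star) star = NR }
            else if (star) {
                print "Host * at line " star " shadows \"" $0 "\" at line " NR
                bad = 1
            }
        }
        END { if (bad) exit 1; print "ok" }
    ' "$1"
}

# Ask ssh itself what it will use for a host with a given config file.
# ssh -G needs OpenSSH 6.8 or newer; it prints keywords in lower case.
effective_algos() {
    ssh -G -F "$2" "$1" 2>/dev/null |
        grep -iE '^(hostkeyalgorithms|kexalgorithms|ciphers|macs) '
}

# Constructed samples: the same two stanzas in the wrong and the right order.
BAD_CFG=$(mktemp) && GOOD_CFG=$(mktemp)
trap 'rm -f "$BAD_CFG" "$GOOD_CFG"' EXIT

cat > "$BAD_CFG" <<'EOF'
Host *
    Ciphers aes256-ctr
# Ignored for 192.168.2.1: Ciphers was already set by the Host * block above.
Host 192.168.2.1 192.168.2.2
    Ciphers aes256-ctr,aes128-cbc,3des-cbc
EOF

cat > "$GOOD_CFG" <<'EOF'
Host 192.168.2.1 192.168.2.2
    Ciphers aes256-ctr,aes128-cbc,3des-cbc
Host *
    Ciphers aes256-ctr
EOF

check_host_order "$BAD_CFG" || echo "move the specific Host blocks above Host *"
check_host_order "$GOOD_CFG"
if command -v ssh >/dev/null; then
    effective_algos 192.168.2.1 "$GOOD_CFG" || true
fi
```

With the badly ordered file, ssh -G 192.168.2.1 reports only aes256-ctr for ciphers even though a stanza for that host lists 3des-cbc; with the correctly ordered file the host-specific list is used and every other host keeps the Host * defaults.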


* Reference: SSH Config File - Commonly used configuration options
