Mac : Unable to negotiate with x.x.x.x port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

By | September 23, 2016

With the macOS Sierra 10.12 release, you might have noticed that you can no longer connect to some older servers or network devices over SSH.

Please note that this article does not apply only to macOS, but to any OS that ships OpenSSH 7.x. Starting with OpenSSH 7.0, several older (legacy) algorithms were removed from the client's default lists: they are still compiled in, but they are no longer offered to the server unless you enable them explicitly. The two you will meet most often, diffie-hellman-group1-sha1 and ssh-dss, were dropped because the first is a key exchange over a 1024-bit Diffie-Hellman group with SHA-1 and the second is a 1024-bit DSA host key, both considered too weak today.

Obviously the right thing to do would be to upgrade the remote device to a more recent SSH implementation; unfortunately this isn't always possible. Fortunately, you can re-enable these legacy algorithms for a single connection by passing options to the ssh client command.

You basically need to append the following option, followed by the algorithm name. The leading + adds the algorithm to the client's default list instead of replacing it, so stronger algorithms are still preferred whenever the server supports them:

-o KexAlgorithms=+<algorithm>

Here are a few examples.

Unable to negotiate with 10.20.10.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

In this case, the command would be :

ssh -p22 -o KexAlgorithms=+diffie-hellman-group1-sha1 user@10.20.10.1

There are also cases where the remote server is out of date in more than one category (key exchange, host key type, cipher or MAC). You will notice this easily: once you enable the first algorithm, ssh fails again with a similar error naming another category, for example "no matching host key type found. Their offer: ssh-dss". Each category has its own option (KexAlgorithms, HostKeyAlgorithms, Ciphers, MACs), so in such a case you need to append the matching option as well, such as below:

ssh -p22 -o KexAlgorithms=+diffie-hellman-group1-sha1 -o HostKeyAlgorithms=+ssh-dss user@10.20.10.1
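As an added example (not part of the original article), here is a small POSIX shell helper that does the steps above automatically: it parses the "Unable to negotiate" error, derives the -o option for whichever category failed (KEX, host key type, cipher or MAC), retries with that algorithm enabled for this invocation only, and can emit a ~/.ssh/config Host stanza so the weakened settings apply to that one device rather than to every connection. The function names, the 10.20.10.1 address and the sample error lines are constructed for illustration; the error strings follow the format OpenSSH 7.x prints.

```shell
#!/bin/sh
# Map the category named in OpenSSH's "no matching <category> found" error to
# the ssh_config option that controls that category.
legacy_option_for() {
  case "$1" in
    "key exchange method") echo KexAlgorithms ;;
    "host key type")       echo HostKeyAlgorithms ;;
    "cipher")              echo Ciphers ;;
    "MAC")                 echo MACs ;;
    *)                     return 1 ;;
  esac
}

# Turn one "Unable to negotiate ..." line from ssh's stderr into the -o value
# that re-enables exactly what the server offered, e.g.
#   "... no matching key exchange method found. Their offer: diffie-hellman-group1-sha1"
# becomes "KexAlgorithms=+diffie-hellman-group1-sha1". The "+" appends to the
# client's default list, so stronger algorithms stay preferred. Returns 1 for
# any line that is not a negotiation error.
legacy_opt_from_error() {
  line=$1
  case "$line" in
    *"no matching "*" found. Their offer: "*) ;;
    *) return 1 ;;
  esac
  category=${line#*"no matching "}
  category=${category%%" found. Their offer: "*}
  offer=${line##*"Their offer: "}
  option=$(legacy_option_for "$category") || return 1
  printf '%s=+%s\n' "$option" "$offer"
}

# Wrapper around ssh: on a negotiation failure, retry with the offered legacy
# algorithm enabled for this invocation only. Loops at most 4 times because
# KEX, host key, cipher and MAC can each fail in turn. stderr is captured to
# read the error and then replayed so warnings are not lost; password prompts
# are written to the tty and are unaffected.
ssh_legacy() {
  errfile=$(mktemp) || return 1
  rounds=0
  while :; do
    ssh "$@" 2>"$errfile" && status=0 || status=$?
    cat "$errfile" >&2
    [ "$status" -eq 0 ] && break
    opt=$(legacy_opt_from_error "$(grep 'Unable to negotiate' "$errfile" | head -n 1)") || break
    echo "retrying with -o $opt" >&2
    set -- -o "$opt" "$@"
    rounds=$((rounds + 1))
    [ "$rounds" -lt 4 ] || break
  done
  rm -f "$errfile"
  return "$status"
}

# Emit a ~/.ssh/config stanza that pins the legacy options to a single host,
# so every other connection keeps the secure defaults. Arguments: the host,
# then options in Option=+algorithm form (exactly what ssh_legacy discovers).
legacy_host_stanza() {
  host=$1
  shift
  printf 'Host %s\n' "$host"
  for opt in "$@"; do
    printf '    %s %s\n' "${opt%%=*}" "${opt#*=}"
  done
}

# Usage (constructed example host):
#   ssh_legacy -p22 user@10.20.10.1
#   legacy_host_stanza 10.20.10.1 KexAlgorithms=+diffie-hellman-group1-sha1 \
#       HostKeyAlgorithms=+ssh-dss >> ~/.ssh/config
```

Two design points matter here. First, the option values always use the + form: with KexAlgorithms=+diffie-hellman-group1-sha1 the client still proposes its strong defaults first and only lands on the 1024-bit group when the server supports nothing better. Second, the weakened settings should live in a Host stanza for the one legacy device, never in a global line of ~/.ssh/config, because a global setting would let any server you connect to negotiate you down to the weak algorithm.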

NOTE : ssh -G does not query the remote server; it prints the client's own effective configuration for that host after ~/.ssh/config and the command line have been applied. It is useful to verify that the KexAlgorithms or HostKeyAlgorithms settings you added are actually in effect for that host. The algorithms the server supports are the ones listed after "Their offer:" in the error message, and running ssh with -vv prints the server's full proposal in the debug lines that follow "peer server KEXINIT proposal".

ssh -p22 -G user@<IP_Address>