How to Fix SSH Error: No matching key exchange method found. Their offer: diffie-hellman-group1-sha1

DigitalOcean Referral Badge
Start your VPS now with FREE $100 credit.

OpenSSH is a widely used SSH (secure shell) server and client used in the Unix world, including in Linux, Mac OS X, and BSD operating systems. OpenSSH allows for secure logins to a remote system.

While the current version of OpenSSH is 8.6, there are a lot of older clients and servers still running for compatibility reasons. However, the mismatched client and server version will sometimes create errors as older cipher methods used for authentication are deprecated.

For example, a newer client might not be able to SSH to a server that asks for a specific key exchange method and will throw an error, as depicted here:

ssh 123.123.123.123
Unable to negotiate with 123.123.123.123 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

Fortunately, fixing the error is not that hard to do. Enabling older key exchange method can be done by adding a specific line to the OpenSSH configuration file. Begin by issuing the following command:

nano /etc/ssh/ssh_config

You can replace nano with vim or other text editors you like to use. In the file, add the following lines:

KexAlgorithms diffie-hellman-group1-sha1,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
Ciphers 3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr

Save the configuration file, close the text editor, and regenerate your SSH keys by issuing the following command:

ssh-keygen -A

Wait until the key regeneration process is finished (it should not take more than a few seconds), and finally, restart the ssh daemon by using the following command:

service ssh restart

If you still cannot connect to the server, you can try alternative SSH clients such as PuTTY. Install PuTTY by issuing this command on a Debian-based distro (such as Ubuntu and Mint):

sudo apt install putty

Then, open PuTTY and configure the connection as usual. PuTTY will attempt to connect with the available key exchange method.

2 thoughts on “How to Fix SSH Error: No matching key exchange method found. Their offer: diffie-hellman-group1-sha1”

  1. I used your “KexAlgorithms” and “Ciphers” to create /etc/ssh/ssh_config.d/kex.conf: There is a typo (a ‘soft’ return) before “Ciphers” in your text and the “blowfish-cbc” isn’t supported under Ubuntu 20.04 LTS. However, after fixing these I can now connect to my Supermicro IPMI.
    Thanks for explaining the problem!

    Reply
  2. I see the message in my logs on my backup router.

    The primary router blocks all incoming ssh connections to itself. When I’m going somewhere, I’ll enable connections to it from the Internet provided those connections are in the US and have not been blocked.

    I never saw the messages when I had logins enabled using passwords. Now, I only allow connections with ssh keys and I get those a lot. What I don’t see is anyone trying to guess passwords any more. So I’m guessing that those are more likely from trying to use passwords when password logins are prohibited.

    For my own use, I only use the ed25519 keys for ssh. I’m thinking of restricting the PexAlgorithms to a bare minimum.

    Reply

Leave a Comment