Tuesday, 28 March 2017

Fixed: Unable to negotiate with x.x.x.x port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

Modern versions of OpenSSH  will typically exclude insecure cipher suites by default - however this can cause problems with older devices that are using obsolete cipher suites - in my case an older generation ASA:

ssh admin@10.11.12.13

Unable to negotiate with 10.0.1.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

However the long term solution (if possible) is to try and upgrade the firmware if available.

In order to access the system in the meantime we can instruct the OpenSSH client to use a weak cipher suite:

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@10.11.12.13

0 comments:

Post a comment