
Workaround for SSH error to Cisco switch from Ubuntu 20.04 or Redhat 8 – no matching key exchange method found

When you SSH to an older Cisco switch from Ubuntu 20.04 you may get the error below. I've noticed the same thing from Red Hat RHEL 8:

~> ssh cisco@10.1.1.5
Unable to negotiate with 10.1.1.5 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

The error occurs because the OpenSSH client shipped with Ubuntu 20.04 no longer offers the SHA-1-based key exchange methods by default (the 1024-bit diffie-hellman-group1-sha1 has been off since OpenSSH 7.0, and diffie-hellman-group14-sha1 was dropped from the default list in OpenSSH 8.2) after practical attacks on SHA-1 and on small Diffie-Hellman groups were published. On RHEL 8 the same algorithms are removed by the system-wide crypto policy; switching that policy to LEGACY with update-crypto-policies would also make the switch reachable, but it weakens every SSH and TLS connection on the machine, so a per-host override is the better choice.

To work around this for a Cisco switch you can re-enable the legacy methods for that one connection with the command line argument -oKexAlgorithms=+diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1, like this (the leading + appends the named algorithms to the client's default list rather than replacing it, so modern servers still get the modern algorithms first):

~> ssh -oKexAlgorithms=+diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1 cisco@10.1.1.5
Password:
~>

Note that the switch's offer above also includes diffie-hellman-group14-sha1, which uses a 2048-bit group; where a device offers it, passing only +diffie-hellman-group14-sha1 is the least-weak fix, and group1-sha1 with its 1024-bit group should be enabled only for devices that offer nothing better. To save the setting permanently for that specific IP, add a Host block to your per-user ~/.ssh/config file:

~> cat ~/.ssh/config
Host 10.1.1.5
KexAlgorithms=+diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1

This sets the option permanently, but only for that host; every other connection keeps the default list without the SHA-1 methods.
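As an added example that is not part of the original post, the following POSIX shell script automates the choice described above for both the one-off command and the config stanza: it parses the "Their offer:" line that ssh prints, picks the least-weak legacy key exchange from a preference list (group14-sha1 before group-exchange-sha1 before group1-sha1; that ranking is my assumption, based on group size), and prints both the ad-hoc ssh invocation and the per-host ~/.ssh/config block. The error text and host 10.1.1.5 are a constructed sample copied from the post; the username cisco is assumed.

```shell
#!/bin/sh
# Added example: turn an OpenSSH "no matching key exchange method" error into
# the narrowest per-host workaround. Not code from the original post.
set -eu

# Constructed sample input: the error text from the post.
SAMPLE_ERROR='Unable to negotiate with 10.1.1.5 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1'

# Assumed preference order, least weak first: the fixed 2048-bit group,
# then the negotiated group, then the 1024-bit group1 (Logjam-class risk).
PREFERENCE="diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group1-sha1"

# extract_offer ERROR_TEXT -> the comma-separated list after "Their offer:"
extract_offer() {
  printf '%s\n' "$1" | sed -n 's/.*Their offer: *//p'
}

# extract_host ERROR_TEXT -> the host from "Unable to negotiate with HOST port N"
extract_host() {
  printf '%s\n' "$1" | sed -n 's/^Unable to negotiate with \([^ ]*\) port [0-9]*:.*/\1/p'
}

# pick_kex OFFER_CSV -> first algorithm from PREFERENCE that the server offers;
# returns 1 (prints nothing) when none of the legacy methods is on offer.
pick_kex() {
  offer=",$1,"
  for algo in $PREFERENCE; do
    case "$offer" in
      *",$algo,"*) printf '%s\n' "$algo"; return 0 ;;
    esac
  done
  return 1
}

# config_stanza HOST KEX -> a ~/.ssh/config Host block; the leading "+" appends
# to the client's default list instead of replacing it.
config_stanza() {
  printf 'Host %s\n    KexAlgorithms +%s\n' "$1" "$2"
}

main() {
  host=$(extract_host "$SAMPLE_ERROR")
  offer=$(extract_offer "$SAMPLE_ERROR")
  kex=$(pick_kex "$offer") || {
    echo "no acceptable legacy KEX in offer: $offer" >&2
    return 1
  }
  echo "# one-off (username cisco is assumed):"
  echo "ssh -oKexAlgorithms=+$kex cisco@$host"
  echo "# permanent: append to ~/.ssh/config"
  config_stanza "$host" "$kex"
}

main
```

Run it as-is to see the output for the sample error; to use it on a real failure, replace SAMPLE_ERROR with the line ssh printed. Because only the single weakest-necessary method is appended, the client keeps its normal algorithm preference for every other server.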

3 replies on “Workaround for SSH error to Cisco switch from Ubuntu 20.04 or Redhat 8 – no matching key exchange method found”

I’m not exactly sure, Harry, but you could try putting the extra values into your $HOME/.ssh/config file, like this:
```
~/.ssh> cat ~/.ssh/config
#Host shortcutname
# HostName ip address or FQDN
# Port port number if moved from default
# User username
# IdentityFile ~/.ssh/(id_rsa,edxxxxx.pub or *.pem)
Host 10.1.1.5
KexAlgorithms=+diffie-hellman-group1-sha1

Host ciscoswitcharoo
KexAlgorithms=+diffie-hellman-group1-sha1
```

Don’t forget to `chmod 0600 $HOME/.ssh/config` once you’ve created it or it won’t be read.
