Trying to SSH to a Cisco switch from Ubuntu 20.04 you may get this error. I’ve noticed the same thing from Redhat RHEL 8:
~> ssh cisco@10.1.1.5
Unable to negotiate with 10.1.1.5 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
This error occurs because the OpenSSH client in Ubuntu 20.04 no longer enables the SHA1-based key exchange methods by default, following the attacks that have been published against SHA1, and the switch offers nothing but SHA1-based methods.
To work around this issue for Cisco switches, you can re-enable the needed methods for a single connection with the command line argument -oKexAlgorithms=+diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1, like this:
~> ssh -oKexAlgorithms=+diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1 cisco@10.1.1.5
Password:
~>
To save this permanently for the specific IP, add it to your ssh_config file:
~> cat ~/.ssh/config
Host 10.1.1.5
KexAlgorithms=+diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
This will set that option permanently for the specific host only, leaving the default algorithms in place for every other connection.
3 replies on “Workaround for SSH error to Cisco switch from Ubuntu 20.04 or Redhat 8 – no matching key exchange method found”
The web is a wonderful thing! Thanks for the solution. It worked a treat.
Manually I could do it, but what if I want to do automation with Ansible?
I’m not exactly sure, Harry, but you could try putting the extra values into your $HOME/.ssh/config file, like this:
```
~/.ssh> cat ~/.ssh/config
#Host shortcutname
#    HostName ip address or FQDN
#    Port port number if moved from default
#    User username
#    IdentityFile ~/.ssh/(id_rsa,edxxxxx.pub or *.pem)
Host 10.1.1.5
    KexAlgorithms=+diffie-hellman-group1-sha1
Host ciscoswitcharoo
    KexAlgorithms=+diffie-hellman-group1-sha1
```
Don’t forget to `chmod 0600 $HOME/.ssh/config` once you’ve created it or it won’t be read.
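Tying the post's workaround and Harry's automation question together, here is an added example that is not part of the original post or its comments. It takes the "Their offer:" line the OpenSSH client prints when key exchange fails, picks one algorithm from that offer, and emits a per-host stanza for ~/.ssh/config. Because ~/.ssh/config is read by the OpenSSH binary itself, anything that drives that binary (an interactive ssh, or Ansible's default ssh connection plugin) picks the stanza up without per-tool flags. The preference order is an assumption made for this example: the fixed 2048-bit group14 first, then group exchange, and the 1024-bit group1 only if nothing else is offered, so the weakest method is re-enabled only when it is actually needed, and only for that host. The error line is a constructed sample copied from the post.

```shell
#!/bin/sh
# Added example, not from the original post: derive a host-scoped KexAlgorithms
# stanza from the client's "no matching key exchange method" error.

# Constructed sample input: the error line shown in the post.
SAMPLE_ERROR='Unable to negotiate with 10.1.1.5 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1'

# Print the server's offered KEX list, one algorithm per line.
offered_kex() {
    printf '%s\n' "$1" | sed -n 's/.*Their offer: //p' | tr ',' '\n'
}

# Pick one algorithm from the offer. Preference order is an assumption:
# 2048-bit group14, then group exchange, then the 1024-bit group1 last.
pick_kex() {
    _offer=$(offered_kex "$1")
    for _cand in diffie-hellman-group14-sha1 \
                 diffie-hellman-group-exchange-sha1 \
                 diffie-hellman-group1-sha1; do
        if printf '%s\n' "$_offer" | grep -qxF "$_cand"; then
            printf '%s\n' "$_cand"
            return 0
        fi
    done
    # Nothing we are willing to re-enable was offered; caller decides.
    return 1
}

# Emit a ~/.ssh/config stanza for one host: $1 is the host, $2 the error line.
# The '+' keeps the client's default algorithms and appends only this one.
config_stanza() {
    _kex=$(pick_kex "$2") || return 1
    printf 'Host %s\n    KexAlgorithms +%s\n' "$1" "$_kex"
}

# Example run: append the output to ~/.ssh/config (mode 0600) for that host.
config_stanza 10.1.1.5 "$SAMPLE_ERROR"
```

Run it once with the real error text for each legacy device, review the stanza, and append it to ~/.ssh/config; because the stanza is keyed on the host, a later firmware upgrade that adds SHA2 key exchange only requires deleting that stanza, not touching the client's global defaults.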