How to solve "Unable to negotiate with port <##>: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1"?

In this post, let's look at an interesting error message and its resolution.

The issue occurred in my case after upgrading OpenSSH.

I. Error
The /var/adm/auth.log file on the servers was filling up with the following messages:

Unable to negotiate with port <##>: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]

There are a couple of tweaks that can be made to the sshd_config file to allow these connections. The setting can also be enabled temporarily when running the ssh command.

However, let's look at one of the recommended ways to enable this in the sshd config.

II. Solution
The lines below were added to the /etc/ssh/sshd_config file, and sshd was restarted afterwards.

Ciphers aes256-ctr,aes192-ctr,aes128-ctr,aes128-cbc
KexAlgorithms +diffie-hellman-group1-sha1
MACs hmac-sha2-256,hmac-sha2-512,hmac-sha1

After sshd is restarted, the issue should be resolved, and SSH connections to the server should succeed.
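The change above re-enables diffie-hellman-group1-sha1 for every client, so it helps to know first which clients in the log actually depend on it. The following is an added example, not part of the original post: it summarises the negotiation failures per client, assuming the log lines carry the client address before the word "port" as OpenSSH writes them; the sample lines and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: summarise sshd key-exchange negotiation failures per client.

# Constructed sample log lines (documentation addresses, not real data).
sample_log() {
cat <<'EOF'
Mar  3 10:01:12 host1 sshd[2211]: Unable to negotiate with 192.0.2.10 port 51122: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Mar  3 10:01:40 host1 sshd[2215]: Accepted publickey for admin from 192.0.2.77 port 40022 ssh2
Mar  3 10:02:05 host1 sshd[2230]: Unable to negotiate with 192.0.2.10 port 51130: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Mar  3 10:05:47 host1 sshd[2301]: Unable to negotiate with 198.51.100.4 port 33871: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]
EOF
}

# Read an auth log on stdin and print "count client offer", busiest first.
# Lines without a client address (for example, redacted ones) are skipped.
kex_failures() {
    awk '
    /no matching key exchange method found/ {
        addr = ""; offer = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "with" && $(i + 2) == "port") addr = $(i + 1)
            if ($i == "offer:") offer = $(i + 1)
        }
        if (addr != "" && offer != "") seen[addr " " offer]++
    }
    END { for (k in seen) print seen[k], k }
    ' | sort -k1,1nr -k2,2
}

# Clients whose whole offer is diffie-hellman-group1-sha1: these cannot
# connect at all unless the server accepts that algorithm.
legacy_only_clients() {
    kex_failures | awk '$3 == "diffie-hellman-group1-sha1" { print $2 }'
}

sample_log | kex_failures
```

On a server, feed the function the log named above, for example `kex_failures < /var/adm/auth.log`.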
