[GH-ISSUE #96] No matching key exchange method found #24

Closed
opened 2026-05-07 00:17:34 +02:00 by BreizhHardware · 2 comments

Originally created by @dwydler on GitHub (Dec 15, 2020).
Original GitHub issue: https://github.com/ovh/the-bastion/issues/96

Hi guys,
today I have no bug report. It is more of a technical question. We want to manage access to CISCO switches with Bastion.

First I tried to connect from the bash with the command ssh:

```
ssh netadmin@192.168.1.1
```

But I got the following error message:

```
Unable to negotiate with 192.168.1.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
```

A look into the file /etc/sshd/sshd_config showed me that with the installation of the bastion, some changes have been done.

I made some changes in the configuration file to find a solution for the error, without success.

Does the problem occur because of hardening of the ssh daemon, or is it a default setting of the ssh daemon on Ubuntu 20.04 LTS?

Regards,
Daniel

@speed47 commented on GitHub (Dec 16, 2020):

Hello @dwydler,

We do manage access to such switches using The Bastion too, and indeed, depending on the models and firmware revision of the switches/routers, sometimes the available ciphers or key exchange methods are "old", and by default they're disabled on the egress side of the bastion, that is, in the /etc/ssh/ssh_config file, because they're less secure.

You can directly add such mechanisms to the `KexAlgorithms` option of the /etc/ssh/ssh_config file on the bastion. In your case, this would be something like this:

```
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
```

Of course this is just an example; it depends on which cryptographic suites you want, depending on your cryptography policy (the complete list is in `man ssh_config`).

You might have to lower the ciphers and the MACs also, depending on the network device.

@dwydler commented on GitHub (Dec 17, 2020):

Hi @speed47,
Argh! I edited the wrong file. :-( Thanks for the food for thought.
I have done the same changes on /etc/ssh/ssh_config. After that we could connect to the switches successfully.

Here are the additions:
KexAlgorithms: +diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Ciphers: +aes128-cbc

Regards,
Daniel
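A scoped version of the change discussed in both comments above, added here as an illustration and not the configuration The Bastion itself ships: the legacy key exchange methods and cipher are enabled only for the switch addresses that need them, so every other egress connection from the bastion keeps the hardened global list. The addresses in the `Host` pattern are placeholders for this example.

```sshconfig
# /etc/ssh/ssh_config on the bastion (egress side). Added example, not the
# file The Bastion installs. 192.168.1.1 / 192.168.1.2 are placeholder addresses.
#
# ssh_config uses the FIRST obtained value for each option, so this Host block
# must appear ABOVE any global KexAlgorithms/Ciphers lines the bastion
# installer wrote; placed below them it would be silently ignored.

# Scoped exception: only the legacy network devices get the old algorithms.
Host 192.168.1.1 192.168.1.2
    # "+" appends to OpenSSH's built-in default set instead of replacing it,
    # so the modern methods remain preferred and SHA-1 kex is only a fallback.
    KexAlgorithms +diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
    # CBC cipher the switches in the issue required, again appended, not replacing.
    Ciphers +aes128-cbc

# Global hardened defaults (as installed by the bastion) follow below and
# still apply to every host not matched above.
```

Verify the effective lists for one target with `ssh -G netadmin@192.168.1.1 | grep -i -e kexalgorithms -e ciphers`, and compare with `ssh -G` against a non-switch host to confirm the legacy entries only show up for the scoped devices.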
