SSH Key Algorithm Mismatch between MacOS & Cisco IOS
This one is pretty unfortunate because the workaround is very insecure, and it is kind of surprising that the problem is on Cisco’s side.
Nevertheless, 4 lines of configuration will temporarily fix the problem, but this workaround should only be used in a safe, non-production environment.
Scenario
You are currently studying for any type of Cisco certification or maybe just trying out new things in your homelab and want to connect to your new Cisco Multilayer Switch via SSH, because you are a responsible IT specialist and don’t use plaintext Telnet ;).
But there is one problem. Your terminal spits out the following error message:
Unable to negotiate with 192.168.5.2 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
or
Unable to negotiate with 192.168.5.2 port 22: no matching key exchange method found. Their offer: ssh-rsa
If you received that message, it is most probably because your Mac is running a version of OpenSSH that no longer enables the SHA1-based key exchange and host key algorithms by default. That is good security practice, because SHA1 is not considered secure anymore.
This issue is caused by an SSH key algorithm mismatch between the SSH server (the switch) and the client, which in this case is your Mac.
You can see the details of the mismatch by adding the ‘-vv’ option to the SSH command, which prints the messages both machines exchange during the connection attempt.
ssh -vv USERNAME@SWITCH_IP
The terminal will print debug output for the connection attempt, including the lists of SSH key algorithms available on the client side and on the server side. OpenSSH picks the first algorithm in the client’s list that the server also supports and uses that for the connection.
But in this case there are no matches: as mentioned above, newer versions of OpenSSH no longer enable the SHA1-based algorithms by default, while certain Cisco switches and routers support only those, which is unfortunate.
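To see what the debug output actually tells you, here is a small shell script, added as an example and not part of the original post, that works out the negotiation result from a captured ‘ssh -vv’ log. The log lines are a constructed, trimmed sample; the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the negotiation step
# from a captured 'ssh -vv' log. Both logs below are constructed, trimmed
# samples; a real capture contains many more lines.

# Sample 1: the mismatch from the post (modern client, legacy-only switch).
MISMATCH_LOG='debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: ssh-ed25519,rsa-sha2-512,rsa-sha2-256
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa'

# Sample 2: the client after the legacy methods were appended to its list.
AFTER_FIX_LOG='debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1'

# first_match LABEL LOG_TEXT
#   LABEL is the list name as printed by ssh -vv, e.g. "KEX algorithms"
#   or "host key algorithms".
#   Prints the first entry of the client's list that the server also offers
#   (the client's preference order decides), or NONE when the two lists are
#   disjoint, which is exactly the "no matching ... found" case.
first_match() {
  printf '%s\n' "$2" | awk -v label="$1" '
    /local client KEXINIT proposal/ { side = "client" }
    /peer server KEXINIT proposal/  { side = "server" }
    {
      prefix = "debug2: " label ": "
      if (index($0, prefix) == 1)
        list[side] = substr($0, length(prefix) + 1)
    }
    END {
      n = split(list["server"], srv, ",")
      for (i = 1; i <= n; i++) offered[srv[i]] = 1
      m = split(list["client"], cli, ",")
      for (j = 1; j <= m; j++)
        if (cli[j] in offered) { print cli[j]; exit }
      print "NONE"
    }'
}

# Demo output for both constructed samples.
echo "before fix, KEX:      $(first_match 'KEX algorithms' "$MISMATCH_LOG")"
echo "before fix, host key: $(first_match 'host key algorithms' "$MISMATCH_LOG")"
echo "after fix,  KEX:      $(first_match 'KEX algorithms' "$AFTER_FIX_LOG")"
```

The first sample reproduces the mismatch from the post for both the key exchange and the host key lists. The second shows what the negotiation looks like once the legacy methods have been appended on the client: OpenSSH still takes the first entry of the client’s list that the server offers, so diffie-hellman-group14-sha1 wins even though the switch lists group1 first. Paste the relevant debug2 lines from your own ‘ssh -vv’ run into a variable to check a real capture.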
If you want a better overview of the algorithms your switch or router offers, you can use nmap:
nmap --script ssh2-enum-algos SWITCH_IP
Enough with the explanation; we are here to fix the problem and get you access to your switch as quickly as possible. This is how I would suggest you fix it:
- Edit the /etc/ssh/ssh_config file
sudo nano /etc/ssh/ssh_config
You will see that all options are commented out with the # symbol. That’s not a problem, because we will just uncomment the ‘MACs’ and ‘Ciphers’ lines: remove the # to the left of each.
After that we will add two lines that specify which key algorithms to use, so that they match the ones used by the SSH server (the switch).
HostKeyAlgorithms ssh-dss,ssh-rsa
KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
This is what your /etc/ssh/ssh_config file should look like at the end:
Once completed, save the file with ‘Ctrl + O’ and exit with ‘Ctrl + X’.
You should now be able to SSH into your Cisco switch or router without problems.
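A less invasive way to apply the same two settings, added here as an example and not part of the original post: put them in a Host block in your user config so they apply only to the lab switch, while every other connection keeps the secure defaults. The alias lab-switch, the demo file path and the helper function names are assumptions; the address is the one from the error messages above.

```shell
#!/bin/sh
# Added example (not from the original post): the same legacy settings, but
# scoped to one Host entry in a user-level config file instead of being
# enabled for every connection in /etc/ssh/ssh_config. The alias
# "lab-switch", the address 192.168.5.2 (from the error messages in the post)
# and the demo file path are assumptions.

# write_lab_stanza CONFIG_FILE ALIAS ADDRESS
#   Appends a Host block that re-enables the SHA-1 key exchange methods and
#   the ssh-rsa host key type for ALIAS only. Does nothing if a block for
#   ALIAS is already present, so it is safe to run twice.
write_lab_stanza() {
  cfg=$1; host_alias=$2; addr=$3
  if [ -f "$cfg" ] && grep -q "^Host $host_alias\$" "$cfg"; then
    return 0
  fi
  # subshell so the restrictive umask does not leak into the caller
  ( umask 077; cat >> "$cfg" <<EOF
Host $host_alias
    HostName $addr
    # '+' appends to the default list, so modern methods keep priority
    KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
    HostKeyAlgorithms +ssh-rsa
EOF
  )
}

# kex_for_host CONFIG_FILE ALIAS
#   Prints the effective KexAlgorithms ssh would use for ALIAS, read back with
#   'ssh -G' (which evaluates the config without connecting). Returns 2 when
#   no ssh binary is available.
kex_for_host() {
  command -v ssh >/dev/null 2>&1 || return 2
  ssh -G -F "$1" "$2" | awk '$1 == "kexalgorithms" { print $2 }'
}

# Demo against a throwaway file; use "$HOME/.ssh/config" for real.
demo="${TMPDIR:-/tmp}/lab_ssh_config.example"
rm -f "$demo"
write_lab_stanza "$demo" lab-switch 192.168.5.2
cat "$demo"
kex_for_host "$demo" lab-switch || echo "ssh -G unavailable (rc=$?)"
```

Two differences from the global edit in the post are deliberate. The ‘+’ prefix appends the legacy methods to the end of the default list instead of replacing it, so a switch that already speaks a modern method is never downgraded, and ssh-dss is left out because recent OpenSSH releases have removed DSA support and reject it when it appears in a config file. Checking the result with ‘ssh -G -F <file> lab-switch’ shows the effective option values for that host before you connect; a different host name evaluated against the same file should show only the default lists.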