After upgrading the OpenSSH client from 6.8p1 to 9.7p1 on a Linux workstation, an administrator attempts to log in to an aging network switch and sees:
$ ssh -vv [email protected]
...
Unable to negotiate with 192.0.2.10 port 22: no matching key exchange method found.
Their offer: diffie-hellman-group1-sha1
The switch firmware cannot be updated at this time, and the administrator must connect only from this workstation. Which client-side change will restore connectivity without modifying the switch or the system-wide SSH server configuration on the Linux host?
Add the line KexAlgorithms +diffie-hellman-group1-sha1 to the host entry in ~/.ssh/config and reconnect.
Connect with the option -o StrictHostKeyChecking=no to bypass the host-key prompt.
Append Ciphers [email protected] to /etc/ssh/sshd_config and restart the sshd service.
Use scp instead of ssh to transfer the switch configuration file.
The failure message shows that the only key-exchange algorithm the switch offers is diffie-hellman-group1-sha1, which recent OpenSSH releases disable by default. Adding the algorithm back to the client's allowed list with the KexAlgorithms +diffie-hellman-group1-sha1 directive (or the equivalent -oKexAlgorithms=+diffie-hellman-group1-sha1 command-line flag) lets the client and server agree on a common key-exchange method. Changing the Ciphers list affects encryption algorithms, not key-exchange negotiation, so it would not solve the problem. Disabling host-key checking only suppresses authenticity prompts and does not influence algorithm negotiation. Using scp relies on the same SSH transport and would fail for the same reason. Therefore, enabling the legacy key-exchange algorithm for this host in ~/.ssh/config is the correct fix.
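The fix described above, as an added example that is not part of the original question: a shell function that reads the client's failure output and prints a ~/.ssh/config stanza re-enabling the offered key-exchange method for that one host only, so the legacy algorithm stays disabled for every other connection. The function name kex_stanza and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). The function name is
# hypothetical and the sample input below is constructed.
# To confirm the local client still ships an algorithm, run: ssh -Q kex

# Reads ssh client output on stdin and prints a Host stanza on stdout.
# Returns 1 unless the input is a key-exchange negotiation failure, because
# KexAlgorithms does not help with cipher, MAC or host-key mismatches.
kex_stanza() {
    awk '
        /^Unable to negotiate with / && /no matching key exchange method found/ {
            host = $5          # fifth field is the peer address
            kexfail = 1
        }
        kexfail && /^Their offer: / {
            offer = $3         # comma-separated list, no spaces
        }
        END {
            if (host == "" || offer == "") exit 1
            # Refuse anything that is not a plain address or algorithm list,
            # so unexpected text never ends up in the config file.
            if (host !~ /^[A-Za-z0-9.:_-]+$/) exit 1
            if (offer !~ /^[A-Za-z0-9@.,_-]+$/) exit 1
            # The leading "+" appends to the client defaults instead of
            # replacing them; the Host line limits the change to one device.
            printf "Host %s\n    KexAlgorithms +%s\n", host, offer
        }
    '
}

# Constructed sample: the two relevant lines from the failed login.
sample='Unable to negotiate with 192.0.2.10 port 22: no matching key exchange method found.
Their offer: diffie-hellman-group1-sha1'

printf '%s\n' "$sample" | kex_stanza
```

Review the printed stanza before adding it to ~/.ssh/config, and remove it once the switch firmware can be updated.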
CompTIA Linux+ XK0-006 (V8)
Troubleshooting