# HELP - can't connect to old sshd --SOLVED

## Moriah

Since last week's update, I am unable to connect via ssh to a machine that I do not administer:

```
moses ~ # ssh -Y me@xxx.yyy.zzz
Unable to negotiate with 999.999.999.999: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
moses ~ # 
```

How do I connect to this old system with the new and "improved" openssh client?

----------

## Tony0945

You have to drop down to the older ssh on your immediate machine, then log in with the old key system. Once you have logged in, update the keys to a method that the newest sshd supports, then you can update both.  Search the forum and I believe there was a news item regarding keys.

I don't use keys since they go out of date when either machine reboots. Note also that root logins are no longer allowed. That's why I have masked sshd-7.0 and above.

----------

## NeddySeagoon

Tony0945,

*Tony0945 wrote:*

> I don't use keys since they go out of date when either machine reboots.

Care to expand on that?

It doesn't seem to happen to me.

The host key changes every liveCD boot but only on live media.

----------

## Gentlenoob

Moriah,

in my case, which looks similar but not completely identical, the following lines in my .ssh/config helped:

```
# the legacy DSA host-key and user-key type is named ssh-dss on the wire;
# "+" appends it to the default list instead of replacing the list
HostKeyAlgorithms=+ssh-dss
PubkeyAcceptedKeyTypes=+ssh-dss
```

Of course you'll need different parameters instead of 'ssh-dss' and 'dsa', I guess. The man pages of ssh and ssh_config may tell you more.

----------

## Tony0945

*NeddySeagoon wrote:*

> Tony0945,
> 
> *Tony0945 wrote:* I don't use keys since they go out of date when either machine reboots.
> 
> Care to expand on that?
> ...

I haven't tried for a year or two, maybe three, but I would laboriously set up the keys and after rebooting I would get a message about mismatched keys when I attempted to log in via ssh. Seemed to be either computer, so I just quit. Maybe I should try again.

----------

## freke

*Tony0945 wrote:*

> Note also that root logins are no longer allowed. That's why I have masked sshd-7.0 and above.

That's just a matter of putting

```
PermitRootLogin yes
```

in /etc/ssh/sshd_config

----------

## Hu

*freke wrote:*

> That's just a matter of putting
> 
> ```
> PermitRootLogin yes
> ```
> ...

True, but this is usually a bad idea. If you do that, then remote users can attempt to log in as root using root's password, if password authentication is allowed. If password authentication must be allowed for normal users, you should use PermitRootLogin no or PermitRootLogin without-password to disallow root or to restrict root to key-only authentication, respectively.
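Hu's point, as an added shell example that is not part of the thread and not anyone's posted config: an audit that reads an sshd_config the way sshd does and says whether root can log in with a password. The sample configs are constructed; the compiled-in defaults it assumes (PasswordAuthentication yes, ChallengeResponseAuthentication yes, PermitRootLogin yes before OpenSSH 7.0 and prohibit-password from 7.0 on) come from sshd_config(5), and the version-dependent one is passed in by the caller.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config for the
# combination Hu warns about, root login allowed while password-style
# authentication is on. sshd_config rules reproduced here (sshd_config(5)):
# keywords are case-insensitive, '#' starts a comment, and for each keyword
# the FIRST value wins, so a later "PermitRootLogin no" does not undo an
# earlier "PermitRootLogin yes". Only the "Keyword value" form is parsed, and
# conditional Match blocks are not evaluated: parsing stops at the first Match.
# Assumed compiled-in defaults: PasswordAuthentication yes,
# ChallengeResponseAuthentication yes (keyboard-interactive, which with PAM
# prompts for the same password), and PermitRootLogin yes before OpenSSH 7.0
# or prohibit-password from 7.0 on; the caller passes that last one in.

# Effective value of keyword $1 in config text $2, or default $3 if unset.
sshd_effective() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    val=$(printf '%s\n' "$2" | sed 's/#.*//' | awk -v k="$key" '
        NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == k { print $2; exit }')
    printf '%s\n' "${val:-$3}"
}

# $1 = config text, $2 = PermitRootLogin default for the sshd being audited
# ("yes" below 7.0, "prohibit-password" from 7.0). Prints one of:
#   root-password-login  root can log in with its password over the network
#   root-key-only        root allowed, but no password-style method is enabled
#   root-denied          root cannot log in at all
audit_root_login() {
    prl=$(sshd_effective PermitRootLogin "$1" "$2" | tr 'A-Z' 'a-z')
    pw=$(sshd_effective PasswordAuthentication "$1" yes | tr 'A-Z' 'a-z')
    cr=$(sshd_effective ChallengeResponseAuthentication "$1" yes | tr 'A-Z' 'a-z')
    case "$prl" in
        no) printf 'root-denied\n' ;;
        without-password|prohibit-password|forced-commands-only)
            printf 'root-key-only\n' ;;
        yes)
            if [ "$pw" = yes ] || [ "$cr" = yes ]; then
                printf 'root-password-login\n'
            else
                printf 'root-key-only\n'
            fi ;;
        *) printf 'unknown PermitRootLogin value: %s\n' "$prl" >&2; return 1 ;;
    esac
}

# Constructed configs for this example.
CFG_AS_POSTED='PermitRootLogin yes
PermitRootLogin no      # ignored: the first value wins'

CFG_HARDENED='PermitRootLogin prohibit-password   # 7.0+ name for without-password
PasswordAuthentication yes                # normal users keep passwords'

CFG_EMPTY=''

audit_root_login "$CFG_AS_POSTED" prohibit-password   # root-password-login
audit_root_login "$CFG_HARDENED"  prohibit-password   # root-key-only
audit_root_login "$CFG_EMPTY"     yes                 # root-password-login (pre-7.0 default)
audit_root_login "$CFG_EMPTY"     prohibit-password   # root-key-only (7.0+ default)
```

The first-value-wins rule is the part people trip over: appending a hardening line at the bottom of a file that already says `PermitRootLogin yes` changes nothing. For the full picture on a live host, including Match blocks, ask sshd itself with `sshd -T -C user=root,host=...,addr=...`, which prints the effective configuration for that connection.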

----------

## Moriah

My original question was about initial key exchange for a password login

This thread has been hijacked to the issue of stored keys  

That's not what I asked about.  I cannot login into an old machine using a password.  It never even gets as far as asking for the password, because the key exchange method to encrypt my password is not the same at both ends.

Can anybody address *THAT* question?

----------

## toralf

So, you didn't find anything here: http://www.openssh.com/legacy.html which helps?

(took 2 sec to google that - it is the very first entry in the hit list)

----------

## NeddySeagoon

Moriah,

The password is not exchanged when you use key based login.

It's an encrypted challenge and encrypted response that are exchanged.

The password you enter is used to unlock your private key so that the encrypted response can be sent. 

The problem is that the two machines cannot agree on the encryption to be used for  the challenge/response phases.  

The remote box only offers diffie-hellman-group1-sha1.

Asking what ssh supports for key exchange gets me

```
$ ssh -Q kex
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256@libssh.org
```

which is listed. That's for

```
$ ssh -V
OpenSSH_7.1p1-hpn14v9, OpenSSL 1.0.2d 9 Jul 2015
```

What version of the ssh client do you have and what key exchange methods are supported?

----------

## Moriah

Looks the same as yours:

```
moses ~ # ssh me@old.system.com
Unable to negotiate with 111.111.111.111: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
moses ~ # ssh -Q kex 
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256@libssh.org
moses ~ # ssh -V
OpenSSH_7.1p1-hpn14v9, OpenSSL 1.0.2d 9 Jul 2015
moses ~ # 
```

Very Strange.    :Shocked: 

----------

## Tony0945

*Moriah wrote:*

> moses ~ # ssh -Y me@xxx.yyy.zzz
> 
> Unable to negotiate with 999.999.999.999: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
> ...

No hijacking. That was your original post with bolding added. It was reasonable to assume that keys were the problem from the message and the fact that the most recent version of openssh dropped support for two key systems.

----------

## Moriah

I never said it was *deliberate* hijacking, really meant the topic drifted somewhat from my original problem.  I see now how it does look like it could be a key problem.  I did not give enough detail.    :Embarassed: 

----------

## freke

You have any KexAlgorithms  set in sshd_config?

ie. I have

```
KexAlgorithms   ecdh-sha2-nistp521,ecdh-sha2-nistp384
```

in /etc/ssh/sshd_config to only allow stronger (I hope) keys and I get the odd

```
[sshd] fatal: Unable to negotiate with 212.129.6.83: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
```

whenever someone tries to... brute-force using keys? my ssh server.

```
ssh -Q kex
```

is what the client supports I believe - not what the server supports.

Also http://serverfault.com/questions/158151/sshd-shuts-down-with-no-supported-key-exchange-algorithms-error suggests it could be permissions on the key-files(or 0bytes files)? (all files are root/root on my Gentoo)

----------

## Moriah

Neddy solved this one for me.  I had to specify an option to the ssh client so it would work with what the server had to offer.

----------

## NeddySeagoon

Moriah,

You can fix it in your ssh_config too, so you don't need the command line option.

It's your ssh client you need to fine tune.

freke suggested sshd_config, which will set the options for your sshd server.

Meanwhile, file a bug with the server operator and get them to update their sshd
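Both points above, freke's that `ssh -Q kex` lists what the client binary can do rather than what the server offers, and NeddySeagoon's that the fix belongs in the client's ssh_config, as an added shell example that is not part of the thread and not code from any poster. It takes the error line and the `ssh -Q kex` output exactly as quoted in the thread (constructed inputs, no network) and builds the narrowest override. What it assumes, from ssh_config(5) for OpenSSH 7.x: `KexAlgorithms +list` appends to the default proposal rather than replacing it, and only methods the binary was built with (the `ssh -Q kex` list) can be added that way.

```shell
#!/bin/sh
# Added example, not code from the thread: turn the client's
# "no matching key exchange method found. Their offer: ..." error into the
# smallest client-side override, scoped to the one legacy host.
# Inputs are constructed from what the thread shows; nothing here touches the
# network. Assumption from ssh_config(5): "KexAlgorithms +list" appends to the
# default proposal instead of replacing it, and only methods the binary was
# built with (those printed by `ssh -Q kex`) can be added this way.

# `ssh -Q kex` as printed in the thread for OpenSSH 7.1p1: what the binary can
# do, which is not the same as what it proposes by default.
CLIENT_KEX='diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256@libssh.org'

# Comma-separated list after "Their offer:" from a client error line or an
# sshd log line (drops a trailing " [preauth]"). Prints nothing if absent.
offered_kex() {
    printf '%s\n' "$1" | sed -n 's/.*Their offer: //p' | sed 's/ \[preauth]$//'
}

# 0 if METHOD appears in CLIENT_KEX (exact, fixed-string match), else 1.
kex_supported() {
    printf '%s\n' "$CLIENT_KEX" | grep -qxF -- "$1"
}

# Print the ssh(1) -o value that re-enables the offered method(s).
# Returns 1 if the server offers nothing this binary supports: then no client
# config can help and the server has to be upgraded.
legacy_kex_option() {
    offer=$(offered_kex "$1")
    [ -n "$offer" ] || return 1
    ok=''
    set -- $(printf '%s\n' "$offer" | tr ',' ' ')   # one positional arg per method
    for m in "$@"; do
        if kex_supported "$m"; then
            ok="${ok:+$ok,}$m"
        fi
    done
    [ -n "$ok" ] || return 1
    printf 'KexAlgorithms=+%s\n' "$ok"
}

# The same override as a ~/.ssh/config stanza for one host, so the weak method
# is never proposed to any other server.
legacy_kex_stanza() {
    opt=$(legacy_kex_option "$2") || return 1
    printf 'Host %s\n    %s\n' "$1" "$(printf '%s' "$opt" | sed 's/=/ /')"
}

# Demo on the error line quoted in the thread.
ERR='Unable to negotiate with 111.111.111.111: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1'
legacy_kex_option "$ERR"                  # KexAlgorithms=+diffie-hellman-group1-sha1
legacy_kex_stanza old.system.com "$ERR"
```

The emitted value goes either on the command line as `ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 me@old.system.com` or into `~/.ssh/config` as the printed Host stanza. Confirm it took effect before connecting with `ssh -G old.system.com | grep -i kexalgorithms`, which prints the effective client configuration after Host matching (`-G` has existed since OpenSSH 6.8, so the 7.1 client in the thread has it). Keep the stanza host-specific: group1-sha1 is a 1024-bit group, and appending it globally would let any server on the path negotiate it.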

----------

## toralf

 *Moriah wrote:*   

> Neddy solved this one for me.

Great. Now just please add a "[solved]" in front of this thread title  :Smile: 

TIA.

----------

## Moriah

I added SOLVED to the title of the thread.  I guess you didn't look...

----------

