Accessing Cisco devices from native ssh tools often generates an error due to a key exchange mismatch. This will fix that issue.
Issue
Unable to access Cisco-based devices via the native ssh command because no matching key exchange method is found.
~ » ssh admin@ciscodevice
Unable to negotiate with 1.1.1.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,kex-strict-s-v00@openssh.com
Verification
Check whether diffie-hellman-group14-sha1 and kex-strict-s-v00@openssh.com are among the key exchange methods this client supports (ssh -Q kex lists what the binary supports, not what is enabled by default). You can see below that diffie-hellman-group14-sha1 is listed, but kex-strict-s-v00@openssh.com is not; that entry is the marker for OpenSSH's strict key exchange extension rather than a selectable method, so it never appears in this listing.
~ » ssh -Q kex
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
[email protected]
[email protected]
Cause
The diffie-hellman-group14-sha1 key exchange method, which relies on SHA-1, is supported by the OpenSSH client but is not in its default KexAlgorithms list.
Workaround
Enable the required key exchange method for a single connection with a command-line option.
ssh -o KexAlgorithms=diffie-hellman-group14-sha1 admin@ciscodevice
Resolution
Enable the required exchanges in the OpenSSH machine-wide client config.
sudo nano /etc/ssh/ssh_config
## scroll to end of file, add this line
KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
## ctrl-x and save the file.
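As an added example (not part of the original page), the shell snippet below automates the verification, workaround and resolution steps above: it parses the "Their offer:" list out of the ssh error, keeps only the offered methods that this client's ssh -Q kex output supports, builds the one-off -o KexAlgorithms flag from the result, and emits an ssh_config Host stanza so the legacy method is enabled only for the device rather than machine-wide. The error line and the supported list are constructed copies embedded in the script so it runs without an ssh binary; the host pattern ciscodevice and the function names are my own. It skips kex-strict-s-v00@openssh.com deliberately, since that entry marks OpenSSH's strict key exchange extension and is not a selectable method.

```shell
#!/bin/sh
# Added example, not from the original page. Needs only POSIX sh plus
# sed, tr, grep and awk. Function names and the host pattern are my own.

# Constructed copy of the error the page shows (the real one comes from
# running ssh against the device).
OFFER_LINE='Unable to negotiate with 1.1.1.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,kex-strict-s-v00@openssh.com'

# Constructed copy of an `ssh -Q kex` listing; on a real client use
# SUPPORTED_KEX=$(ssh -Q kex). Note that -Q reports what the binary
# supports, not what is enabled by default.
SUPPORTED_KEX='diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
curve25519-sha256@libssh.org
sntrup761x25519-sha512@openssh.com'

# Print the methods the server offered, one per line.
# Usage: offered_kex "$error_line"
offered_kex() {
    printf '%s\n' "$1" | sed -n 's/.*Their offer: *//p' | tr ',' '\n'
}

# Print, comma-separated, the offered methods this client supports.
# kex-strict-* entries are dropped: they mark the strict key exchange
# extension (the Terrapin countermeasure) and are not selectable methods,
# so they never appear in `ssh -Q kex`.
# Usage: negotiable_kex "$error_line" "$supported_list"
negotiable_kex() {
    offered_kex "$1" | grep -v '^kex-strict-' | while IFS= read -r method; do
        if printf '%s\n' "$2" | grep -qxF "$method"; then
            printf '%s\n' "$method"
        fi
    done | awk 'NR > 1 { printf "," } { printf "%s", $0 } END { print "" }'
}

# Build the one-off workaround flag. The leading "+" appends to the
# default list, so the stronger defaults stay preferred.
# Usage: ssh_kex_option "$error_line" "$supported_list"
ssh_kex_option() {
    _kex=$(negotiable_kex "$1" "$2")
    if [ -z "$_kex" ]; then
        echo "no offered key exchange method is supported by this client" >&2
        return 1
    fi
    printf '%s\n' "-o KexAlgorithms=+$_kex"
}

# Emit an ssh_config stanza that enables the legacy method for one host
# pattern only, instead of for every connection machine-wide.
# Usage: kex_host_stanza 'ciscodevice' 'diffie-hellman-group14-sha1'
kex_host_stanza() {
    printf 'Host %s\n    KexAlgorithms +%s\n' "$1" "$2"
}

# Demonstration on the constructed inputs.
negotiable_kex "$OFFER_LINE" "$SUPPORTED_KEX"   # diffie-hellman-group14-sha1
ssh_kex_option "$OFFER_LINE" "$SUPPORTED_KEX"   # -o KexAlgorithms=+diffie-hellman-group14-sha1
kex_host_stanza ciscodevice "$(negotiable_kex "$OFFER_LINE" "$SUPPORTED_KEX")"
```

The stanza printed by the last line is what to append to ~/.ssh/config (or to /etc/ssh/ssh_config) instead of a bare top-level KexAlgorithms line: scoping it to a Host block avoids re-enabling a SHA-1 method for every server the machine talks to. The resolution above additionally adds diffie-hellman-group1-sha1, a 1024-bit group that the device in this page did not offer, so this example leaves it disabled.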