Incredigeek

How To Fix no matching cipher found. Their offer: aes128-cbc,3des-cbc…

Posted on January 14, 2020 by admin

When trying to SSH to older devices like a Ubiquiti Bullet2, you may receive an error saying

no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes256-cbc,twofish256-cbc,twofish-cbc,twofish128-cbc,blowfish-cbc

The work around is to manually specify the cipher with the “-c” option. You will also probably need to specify the KexAlgorithm “Key Exchange Algorithm”

ssh -c aes128-cbc -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@192.168.1.20

You can see what ciphers SSH supports by running “ssh -Q cipher”

Example output

ssh -Q cipher
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

More information
https://www.openssh.com/legacy.html

no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

Posted on December 5, 2019 by admin

Work around is to use the -o option and specify KexAlgorithms with the correct option.

ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 admin@192.168.11.1

https://unix.stackexchange.com/questions/340844/how-to-enable-diffie-hellman-group1-sha1-key-exchange-on-debian-8-0#340853

List of errors from devices

The following are errors that are returned when trying to ssh to a device.

Cambium 450i PMP Equipment

Unable to negotiate with 192.168.0.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1