# unable to negotiate ssh to old Linux



## bangmyhead (Sep 19, 2022)

Hello, I am trying to ssh to an old Linux RedHat and I got this.



```
Unable to negotiate with 15.1.1.15 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
```

Any way to fix this permanently?


----------



## richardtoohey2 (Sep 19, 2022)

See e.g. https://github.com/gogs/gogs/issues/6638


----------



## DutchDaemon (Sep 19, 2022)

Also: look for *KexAlgorithms* in ssh_config(5). If you find something that works, make it permanent in ~/.ssh/config.


----------



## Phishfry (Sep 19, 2022)

OpenBOX - [solved] can't connect to LXDE anymore with a standard user (forums.freebsd.org)

Hello everybody. Since Wednesday, I can't login to LXDE anymore with a standard user: a black screen is shown: "starting openbox session". With the root user, the connection is possible. In /var/log/messages the message is: Apr  8 12:45:22 bortzy ntpd[891]: ntpd 4.2.8p12-a (1): Starting Apr  8...


----------



## VladiBG (Sep 19, 2022)

You can use `ssh -o KexAlgorithms=diffie-hellman-group1-sha1 user@15.1.1.15` to connect, but first verify that your client system supports it using `ssh -Q kex`.


----------



## bangmyhead (Sep 19, 2022)

This one worked:

```
# ssh -c aes128-cbc -oKexAlgorithms=+diffie-hellman-group1-sha1 root@15.1.1.15
```


----------



## Phishfry (Sep 19, 2022)

DutchDaemon said:


> If you find something that works, make it permanent in ~/.ssh/config



This file was news to me. I assume you generate it and add the host like this:

```
15.1.1.15 aes128-cbc diffie-hellman-group1-sha1
<address> <cipher> <cipher_auth>
```

This is a similar layout to /user/.ssh/known_hosts without the key.

My thought was /etc/ssh/ssh_config to enable the ciphers but a single exception makes much more sense.
Big clue bat on the manpage too. #2 and #3


----------



## SirDice (Sep 19, 2022)

Phishfry said:


> This file was news to me. I assume you generate it and add the host like this:
> 15.1.1.15 aes128-cbc diffie-hellman-group1-sha1


It's the same format as ssh_config(5):

```
host <hostname>
  <settings>
```
You typically want to match on both the hostname and the IP address (in case DNS is screwed up). 


```
ssh(1) obtains configuration data from the following sources in the
     following order:

           1.   command-line options
           2.   user's configuration file (~/.ssh/config)
           3.   system-wide configuration file (/etc/ssh/ssh_config)
```

I often use that ~/.ssh/config to create 'aliases':

```
Host jenkins
  HostName jenkins001.some.domain.tld
  User special_user
```
Now I can just do `ssh jenkins` without having to remember the username and complete hostname. Or set some timeout values, which is useful if there are firewalls in your path:

```
Host *
        ServerAliveInterval 10
        ServerAliveCountMax 2
```


----------
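
The thread's fix, scoped to a single host in the `~/.ssh/config` format SirDice describes, as an added example that is not part of any post above: a POSIX shell function that reads the `Unable to negotiate` error and prints a stanza re-enabling only the offered algorithms the local client still implements. It goes beyond the key-exchange case to the cipher error as well (bangmyhead's working command also needed `-c aes128-cbc`); the function name, `SAMPLE` and `CLIENT` are illustrative, and `CLIENT` is a constructed stand-in for `ssh -Q kex` output.

```shell
#!/bin/sh
# Added example, not from the thread.
# negotiate_stanza ERROR_LINE [CLIENT_ALGS]
#   Prints a ~/.ssh/config stanza that re-enables, for the failing host only,
#   the offered algorithms the local client still implements.
#   CLIENT_ALGS (newline-separated) is optional; by default `ssh -Q` is asked.
negotiate_stanza() {
    err=$1
    # Map the kind of failure to the ssh_config option and the `ssh -Q` query.
    case $err in
        *"no matching key exchange method found"*) opt=KexAlgorithms query=kex ;;
        *"no matching cipher found"*)              opt=Ciphers query=cipher ;;
        *) echo "unrecognised negotiation error" >&2; return 2 ;;
    esac
    host=$(printf '%s\n' "$err" |
        sed -n 's/^Unable to negotiate with \([^ ]*\) port .*/\1/p')
    offer=$(printf '%s\n' "$err" | sed -n 's/.*Their offer: *//p' | tr ',' '\n')
    [ -n "$host" ] && [ -n "$offer" ] || return 2

    client=${2-$(ssh -Q "$query" 2>/dev/null)}
    usable=
    for alg in $offer; do
        # Exact, whole-line match against what the client implements.
        if printf '%s\n' "$client" | grep -qxF -- "$alg"; then
            usable=${usable:+$usable,}$alg
        fi
    done
    if [ -z "$usable" ]; then
        echo "client supports none of: $(echo $offer | tr ' ' ',')" >&2
        return 1
    fi
    # Trim the list to the one algorithm that works before keeping the stanza.
    printf 'Host %s\n    %s +%s\n' "$host" "$opt" "$usable"
}

# Constructed sample: the error line quoted in the first post.
SAMPLE='Unable to negotiate with 15.1.1.15 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1'
# Constructed client list, standing in for `ssh -Q kex` output.
CLIENT='curve25519-sha256
diffie-hellman-group14-sha256
diffie-hellman-group1-sha1'

negotiate_stanza "$SAMPLE" "$CLIENT"
```

The `+` prefix appends to the client's default list rather than replacing it, and the `Host` pattern keeps the legacy algorithms off every other connection.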

