SSH Error: Unable to negotiate. No matching cipher found.

Introduction

If you are getting error similar to this “Unable to negotiate with X.X.X.X port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc” you might want to read this post to understand the problem and see how you can solve it. I’m using Linux Mint but this article is applicable to any other Linux distribution.

Error Description

The error you are getting means that the SSH server you are connecting to uses some old insecure ciphers which are not considered secure by your SSH client. This might be annoying, but from security perspective this is a good thing, because it prevents you from using weak(old) encryption and being vulnerable to various attacks.

This is the error I’m getting when I’m trying to connect to my old Cisco router(192.168.2.50):

The router is trying to negotiate one of the weak protocols and my SSH client does not like it and therefore quits.

Your SSH client most probably still supports the ciphers offered by the server, but just blocks them. We will see how to enable those ciphers on the client side, but it is strongly recommended to upgrade your SSH server and its ciphers to modern ones. Making weak(old) ciphers work on a modern SSH client is just a quick fix and should not be considered as a permanent solution.

Supported ciphers on the client side

Let’s check which ciphers are supported by my SSH client. Run the following command ssh -Q cipher:

As you can see from the output above my SSH client supports 3des-cbc, aes128-cbc, aes192-cbc and aes256-cbc. Those ciphers were offered by the server , but rejected by the client, because they are not modern and secure enough.

Enable weak cipher on the client

Let’s override the default behavior and force the SSH client to use the weak cipher. The following command will initiate SSH connection to 192.168.2.50 using aes256-cbc encryption ssh -c aes256-cbc admin@192.168.2.50:

Now, the client is not throwing any errors, because it was explicitly told to use aes256-cbc cipher.

Conclusion

Thank you for reading. Hope this article helped you 🙂

Tags:,

Add a Comment

Your email address will not be published. Required fields are marked *