[rancid] Unable to negotiate with .... no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

Sebastien.Boulianne at cpu.ca
Tue Apr 5 20:13:34 UTC 2016


A special thank you to Érick for the fix. ;)
I confirm it works like a charm!

Thanks!

Sébastien
From: Eric Krichbaum [mailto:erick at bboi.net]
Sent: April 5, 2016 15:18
To: Sebastien Boulianne <Sebastien.Boulianne at cpu.ca>
Subject: [rancid] Unable to negotiate with .... no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

The problem isn't the cipher as much as the key exchange. Newer OpenSSH dropped support (by default) for "insecure" key exchanges (SHA1), which are all that are supported by older IOS/etc. gear.

I've been updating code on boxes where possible to eliminate this issue but it's really an easy fix.

In /etc/ssh/ssh_config:

Host *
        GSSAPIAuthentication yes
        KexAlgorithms +diffie-hellman-group1-sha1

That will add the old kex to your ssh (outbound) and should work ok.

Eric
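
Added example (not part of the original thread or of RANCID): a small Python audit that reads ssh_config text and reports where diffie-hellman-group1-sha1 is enabled, separating the "Host *" form quoted above from a block limited to specific devices. The host names old-rtr-* and old-sw-01 and the function name audit_kex are assumptions made for illustration.

```python
import re

# Legacy key exchange named in the thread; extend the set as needed.
LEGACY_KEX = {"diffie-hellman-group1-sha1"}

def audit_kex(config_text):
    """Return (host_patterns, legacy_kex, applies_to_all) for each enabling line."""
    findings = []
    patterns = ["*"]  # directives before any Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts both "Keyword value" and "Keyword=value"
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "host":
            patterns = value.split()
        elif keyword == "match":
            patterns = ["*"] if value.lower() == "all" else ["match " + value]
        elif keyword == "kexalgorithms" and not value.startswith("-"):
            # "+" appends, "^" prepends, a bare list replaces; "-" only removes.
            algs = {a.strip() for a in value.lstrip("+^").split(",")}
            legacy = sorted(algs & LEGACY_KEX)
            if legacy:
                findings.append((patterns, legacy, "*" in patterns))
    return findings

# Constructed sample: the global form quoted in the thread.
GLOBAL_CONFIG = """\
Host *
        GSSAPIAuthentication yes
        KexAlgorithms +diffie-hellman-group1-sha1
"""

# Constructed sample: same option limited to hypothetical legacy device names.
SCOPED_CONFIG = """\
Host old-rtr-* old-sw-01
        KexAlgorithms +diffie-hellman-group1-sha1
Host *
        GSSAPIAuthentication yes
"""

if __name__ == "__main__":
    for name, text in (("global", GLOBAL_CONFIG), ("scoped", SCOPED_CONFIG)):
        for patterns, legacy, everywhere in audit_kex(text):
            print(name, legacy, "ALL hosts" if everywhere else patterns)
```

In the scoped sample the device block comes before "Host *" because ssh uses the first value it obtains for each option.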

