...

Failed to Test Connection for "Node": Unable to negociate with 11.11.11.11 port X: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

opConfig makes use of the OpenSSH client as the root user, therefore you can adapt some of its behaviours by modifying /root/.ssh/config. Note: the only thing it does not use is the SSH keys from the /root/.ssh folder, as the keys are saved in the database and a temporary file is created to get the connection.

OpenSSH implements all of the cryptographic algorithms needed for compatibility with standards-compliant SSH implementations, but since some of the older algorithms have been found to be weak, not all of them are enabled by default. This page describes what to do when OpenSSH refuses to connect with an implementation that only supports legacy algorithms.

...

For the case of the above error message, OpenSSH can be configured to enable the diffie-hellman-group1-sha1 key exchange algorithm (or any other that is disabled by default) using the KexAlgorithms option, either on the command line or in the ssh config file.

To test which key exchanges will work, you can use the command line:

Code Block
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 user@legacyhost


Then, to enable opConfig to make use of these changes, edit the /root/.ssh/config file and add exceptions for particular hosts:

The Host entry does accept wildcards, e.g. Host *.com.au; see the PATTERNS section in "man ssh_config".

Code Block
Host somehost.example.org
KexAlgorithms +diffie-hellman-group1-sha1
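
Added example (not opConfig or OpenSSH code): a small shell audit that lists which Host blocks in an ssh client config re-enable diffie-hellman-group1-sha1, and marks global, wildcard or Match entries as BROAD so the weak key exchange stays limited to the hosts that need it. The function names, the BROAD/SCOPED labels and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an ssh_config file for legacy key-exchange exceptions.
LEGACY_KEX="diffie-hellman-group1-sha1"

audit_legacy_kex() {
    # $1 = path to an ssh client config, e.g. /root/.ssh/config
    awk -v legacy="$LEGACY_KEX" '
        BEGIN { scope = "(global)" }          # options before any Host apply to all hosts
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # skip comments and blank lines
        {
            line = $0; sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]+/)        # keyword ends at whitespace or "="
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))   # keywords are case-insensitive
            val = substr(line, n + RLENGTH)
            sub(/[ \t]+$/, "", val)
            if (key == "host")  { scope = val; next }
            if (key == "match") { scope = "Match " val; next }
            if (key == "kexalgorithms" && index(val, legacy)) {
                if (scope == "(global)" || scope ~ /[*?]/ || scope ~ /^Match /)
                    print "BROAD  " scope     # weak KEX offered to many hosts
                else
                    print "SCOPED " scope     # weak KEX limited to named host(s)
            }
        }
    ' "$1"
}

sample_config() {
    cat <<'EOF'
# constructed sample, not a real configuration
Host somehost.example.org
    KexAlgorithms +diffie-hellman-group1-sha1
Host *.com.au
    kexalgorithms=+diffie-hellman-group1-sha1
Host modern.example.org
    KexAlgorithms +diffie-hellman-group14-sha1
EOF
}

# Audit the file given as the first argument, if any.
if [ -n "${1:-}" ]; then audit_legacy_kex "$1"; fi
```

Run it as root against /root/.ssh/config after adding an exception; any BROAD line is worth narrowing to the specific legacy device.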


If you change the remote server's SSH server settings (/etc/ssh/sshd_config) to accept the desired key exchange, remember that you need to restart the sshd service (on the server where the weaker crypto algorithm was allowed in ~/.ssh/config):

Code Block
systemctl restart sshd.service

...