Welcome, Guest. Please login or register.

Author Topic: latest ssh and "diffie-hellman-group1-sha1" cypher no more accepted  (Read 1235 times)


  • Sr. Member
  • ****
  • Posts: 265
    • View Profile
I've just update OS version on one of my NeDi server, running Debian, going to Debian 9.
In the meanwhile I did a brand new installation of latest "community" Nedi, i.e. 1.5.225.
But discovered that NeDi was no mora able to CLI access my switches because access is only by ssh, telnet was disabled for security reasons.
Doing a test using SSH from server console I saw this response: "no matching key exchange method found. Their offer: diffie-hellman-group1-sha1"
Looking around saw that this cyphering is more or less deprecated ad disabled by default in OpenSSH.
A common workaround suggested is to add "-oKexAlgorithms=+diffie-hellman-group1-sha1" to ssh command line.
There is no option in nedi.conf to add this, so I changed line 639 in file /var/nedi/inc/libcli.pm from
"my $known = "-o 'StrictHostKeyChecking no'";"
"my $known = "-o 'StrictHostKeyChecking no' -oKexAlgorithms=+diffie-hellman-group1-sha1";"

Now NeDi can access again my (Cisco) device by CLI.

Maybe not the best solution...

Any advice is welcome!


  • Jr. Member
  • **
  • Posts: 82
    • View Profile
Re: latest ssh and "diffie-hellman-group1-sha1" cypher no more accepted
« Reply #1 on: July 03, 2017, 10:13:44 AM »
i had the same issues.

i added the diffie-hellman-group1-sha1 to my /etc/ssh/ssh_config config