There’s a lot of questions about the following error, but they all have same solution which did not have any effect:
$ git push
Unable to negotiate with 192.168.XXX.XXX: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
There is an article on openssh.com that didn’t help. Particularly this was suggested:
… in the ~/.ssh/config file:
Host somehost.example.org KexAlgorithms +diffie-hellman-group1-sha1
I did exactly that. I assume that ~
resolves to %userprofile%
on windows. My file is in C:\Users\MY_USERNAME\.ssh\config
:
## use kex algorithm ##
Host 192.168.XXX.XXX
KexAlgorithms diffie-hellman-group1-sha1
The result is that nothing changed. There is also suggestion to use ssh -o
but I’m yet to find an answer that bothers to describe how exactly yo do that. I tried this:
$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1
usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
I need to connect to that GIT repository. I am on windows. The repository uses Gerrit. I also use SourceTree and it has no problems pushing into the repository. So the repository works, but git or openSSH in my bash is broken.
What did I do wrong that this solution didn’t work for me?
There’s a lot of questions about the following error, but they all have same solution which did not have any effect:
$ git push
Unable to negotiate with 192.168.XXX.XXX: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
There is an article on openssh.com that didn’t help. Particularly this was suggested:
… in the ~/.ssh/config file:
Host somehost.example.org KexAlgorithms +diffie-hellman-group1-sha1
I did exactly that. I assume that ~
resolves to %userprofile%
on windows. My file is in C:\Users\MY_USERNAME\.ssh\config
:
## use kex algorithm ##
Host 192.168.XXX.XXX
KexAlgorithms diffie-hellman-group1-sha1
The result is that nothing changed. There is also suggestion to use ssh -o
but I’m yet to find an answer that bothers to describe how exactly yo do that. I tried this:
$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1
usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
I need to connect to that GIT repository. I am on windows. The repository uses Gerrit. I also use SourceTree and it has no problems pushing into the repository. So the repository works, but git or openSSH in my bash is broken.
What did I do wrong that this solution didn’t work for me?
If not using Putty, you could use the
Windows Subsystem for Linux (WSL)
and use the ssh client from there.
However, since Windows 10 build 1803 April 2018, Windows now includes by default
openSSH for Windows.
The executable is found in C:\Windows\System32\OpenSSH\ssh.exe
, and you can
even find in this folder the programs scp.exe
and sftp.exe
.
A way of making this even more functional for daily use is creating what is
called in Linux «aliases».
The first time that you attempt to SSH to a remote server, a hidden .ssh
directory will be created in your home directory at C:\Users\Username\.ssh
.
You may create in this directory a file called config
.
Here’s a theoretical example of a config
file:
Host ssh-server-name
KexAlgorithms +diffie-hellman-group1-sha1
User xxxxxxxx
Hostname xxxxxxxxx
In this article will discuss about Weak SSL/TLS Key Exchange vulnerability in windows server operating system.
The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols are implemented by Schannel, an Internet Security Support Provider (SSP).
Diffie-Hellman (DH) Algorithm is a key-exchange protocol for two parties communicating over a public channel, enabling them to establish a secret without having it transmitted over the Internet. Using symmetric cryptography, the two parties are able to encrypt and decrypt their communication or data using a public key.
During the SSL/TLS handshake, the Cipher Suite is used to negotiate security settings.
Cipher suites are named combinations of:
- Key Exchange Algorithms: RSA, Diffie-Hellman, Elliptic Curve Diffie-Hellman Ephemeral, Diffie-Hellman Ephemeral, Elliptic Curve Diffie-Hellman Ephemeral, pre-shared key
- Authentication/Digital Signature Algorithms: RSA algorithm (Rivest-Shamir-Adleman) Elliptic Curve Digital Signature Algorithm, Digital Signatures Algorithm
- Bulk Encryption Algorithms (Advanced Encryption Standard, Camellia, ARIA)
- Message Authentication Code Algorithms (SHA-256, POLY1305)
Weak SSL/TLS Ciphers
TLS uses the Diffie-Hellman key exchange as one of its encryption cipher suites.
The protocols Secure Socket Layer and Transport Layer Security are used to provide security between web browsers and web servers. The primary distinction between Secure Socket Layer and Transport Layer Security is that in SSL (Secure Socket Layer), the message digest is used to generate a master secret, and it provides the basic security services of authentication and confidentiality. TLS (Transport Layer Security) uses a pseudo-random function to generate a master secret.
In windows server 2012r2 operating system found severity 4 vulnerability called Weak SSL/TLS Key Exchange since it is using 1024-week Diffie-Hellman key exchange Algorithm. Below are the details
THREAT:
Key exchanges that are cryptographically weaker than recommended are supported by the SSL (Secure Socket Layer)/ TLS (Transport Layer Security) server. For Diffie Hellman and RSA key exchanges, key exchanges should provide at least 224 bits of security, which translates to a minimum key size of 2048 bits.
IMPACT:
As a result, the effect is an attacker with enough computational power could recover the session key and decrypt the session content.
SOLUTION:
For Diffie Hellman and RSA key exchanges, the SSL (Secure Socket Layer) /TLS (Transport Layer Security) server configuration should only allow strong key exchanges and key exchanges should provide at least 224 bits of security.
In every window operating system by default SCHANNEL inbuilt feature is existing to protect the machine from cyber-attack.
SSL/TLS key exchange
Weak SSL/TLS Key Exchange when a TLS client connects to a TLS server, the client negotiates a mutually available encryption suite to use. The client lists its available cipher suites, the server responds, and the client chooses the most secure, mutually available one.
Login into windows machine search for Windows Registry and run as administrator.
minimum key size of 2048 bits for Diffie Hellman
Below is path to add diffi-hellman key in Windows Registry.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman
Create a new DWORD (32-bit) Value and add below parameters
Value name : ServerMinKeyBitLength
Value date : 00000800
Base : Hexadecimal
It is recommended that you reboot your machine after performing the above changes.
In other hand you could disable TLS 1.0 and TLS 1.1 vulnerabilities in windows.
Conclusion:
Diffie Hellman and RSA key exchanges has been added to KEY-SIZE 2048 at the operating system level. Weak SSL/TLS Key Exchange issue has been fixed successfully. Please let me know if you have any question about Weak SSL/TLS Key Exchange topic.
После обновления SSH до новой версии (7.0), при попытке подсоединиться к моему серверу при помощи SSH, Я получаю следующее сообщение:
Unable to negotiate with 192.168.1.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
Чем вызвана эта проблема
В OpenSSH 7.0 алгоритм ключа diffie-hellman-group1-sha1
по умолчанию выключен, потому что он слаб и в теории подвержен Logjam атаке. Смотрите страницу www.openssh.com/legacy.html для получения дополнительной информации.
Если клиент и сервер не могут договориться о взаимном наборе параметров, то соединение не будет установлено. OpenSSH (7.0 и выше) покажет такое сообщение об ошибке:
Unable to negotiate with host: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
В этом случае клиенту и серверу не удалось согласовать алгоритм обмена ключами, поскольку сервер предложил только один метод diffie-hellman-group1-sha1
.
Как это исправить
Лучшим решением для разрешения этой ситуации будет обновление/настройка сервера для того, чтобы не использовать устаревшие алгоритмы. Если же это невозможно, то можно заставить клиента снова включить алгоритм обмена ключами diffie-hellman-group1-sha1
с помощью -oKexAlgorithms=+diffie-hellman-group1-sha1
опции в командной строке:
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 user@host
или в файле ~/.ssh/config
:
Host somehost.example.org
KexAlgorithms +diffie-hellman-group1-sha1
Если эта статья помогла вам, пожалуйста, оставьте комментарий
Спасибо за прочтение!