What to do if you get a “no kex alg” error?
There is a lot of information on the internet on how to fix this with later releases of RedHat and other Linuxes, but none fixed my issue. I was going from a RedHat 5 Server running an older version of OpenSSH (4.3). There were suggestions to add -oKexAlgorithms=xxxxxx to the ssh command line, but none of this would work since that version of OpenSSH doesn’t know what that option is. Also, I am running Cygwin on a Windows 10 platform, so that has its own unique quality to it.
$ ssh -vvv firstname.lastname@example.org
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
...
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug2: mac_init: found hmac-sha1
debug1: kex: client->server aes128-ctr hmac-sha1 none
no kex alg
You will need to make a couple of changes to /etc/sshd_config, not ssh_config as some sites suggest. You will also need to create a local config file for ssh located here: “~/.ssh”. The latter gives you per-user control rather than global control.
Edit the /etc/sshd_config file from Windows or within Cygwin. If you decide to edit the file within Cygwin, you will need to launch the session as Administrator: right-click on Cygwin Terminal.
[andy /etc]: vi /etc/sshd_config
At the very end of the file add the following. Remember that older protocols are a potential security risk. You may not need some of these options, so you can add just what it’s complaining about if you like. Ideally, upgrading OpenSSH on the client side is the best option:
...
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
MACs hmac-sha2-256,hmac-sha2-512,hmac-sha1
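The negotiation behind this config, as an added example that is not part of the original post: it applies the SSH rule that the first algorithm on the client's list that the server also supports is chosen, then lists which legacy entries in the config above the old client never selects and could be left out. The client preference lists (`CLIENT_OFFER`) and the `is_legacy` rule are assumptions made for illustration.

```python
# Added example, not from the original post. CLIENT_OFFER is an assumption:
# preference lists in the style of an OpenSSH 4.3-era client.
SSHD_CONFIG = """\
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
MACs hmac-sha2-256,hmac-sha2-512,hmac-sha1
"""
CLIENT_OFFER = {
    "KexAlgorithms": ["diffie-hellman-group-exchange-sha1",
                      "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "HostKeyAlgorithms": ["ssh-rsa", "ssh-dss"],
    "Ciphers": ["aes128-cbc", "3des-cbc", "blowfish-cbc", "aes192-cbc",
                "aes256-cbc", "aes128-ctr", "aes192-ctr", "aes256-ctr"],
    "MACs": ["hmac-md5", "hmac-sha1", "hmac-ripemd160"],
}

def is_legacy(alg):
    """Constructed rule: SHA-1 based names plus the DSA and RSA/SHA-1 host keys."""
    return alg.endswith("sha1") or alg in ("ssh-dss", "ssh-rsa")

def parse_config(text):
    """Map each keyword to its comma-separated list, de-duplicated in order."""
    cfg = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            cfg[parts[0]] = list(dict.fromkeys(parts[1].strip().split(",")))
    return cfg

def negotiate(client, server):
    """RFC 4253 sec. 7.1, simplified: first client entry the server also has."""
    return next((alg for alg in client if alg in server), None)

def audit(config_text, offer):
    """Per keyword: what gets chosen, and which legacy entries go unused."""
    report = {}
    for key, server in parse_config(config_text).items():
        chosen = negotiate(offer.get(key, []), server)
        keep = [a for a in server if not is_legacy(a) or a == chosen]
        report[key] = {"chosen": chosen, "keep": keep,
                       "drop": [a for a in server if a not in keep]}
    return report

if __name__ == "__main__":
    for key, r in audit(SSHD_CONFIG, CLIENT_OFFER).items():
        print(f"{key}: chosen={r['chosen']}")
        print(f"  trimmed line: {key} {','.join(r['keep'])}")
        if r["drop"]:
            print(f"  unused legacy entries: {', '.join(r['drop'])}")
```

A `chosen` value of `None` for `KexAlgorithms` corresponds to the "no kex alg" failure: the two sides share no key exchange method.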
You will need to restart the Cygwin cygsshd service from Windows. Launch “Task Manager” >> Services >> cygsshd >> Restart
Once you restart the service you will be able to ssh into Cygwin from an older version of RedHat or some other vendor. You will also be able to use scp. If you run into an issue with “scp”
Now we go to the client and test going back to our Cygwin session:
$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.11 (Tikanga)
$ ssh email@example.com
Warning: Permanently added the RSA host key for IP address 'xxx.xxx.xxx.xxx' to the list of known hosts.
Last login: Wed Apr 1 15:54:49 2020 from xxx.xxx.xxx.xxx
$
Yippee it works! That’s it, thanks for tuning in…