What to do if you get a “no kex alg” error?
There is allot of information on the internet on how to fix this with later releases of RedHat and other Linux’s, but none fixed my issue. I was going from a RedHat 5 Server running an older version of OpenSSH (4.3). There where suggestions to add -oKexAlgorithms=xxxxxx to the ssh command line but none of this would work since that version of OpenSSH doesn’t know what that option is. Also, I am running Cygwin on a Windows 10 platform so that has its own unique quality to it.
$ ssh -vvv andy@cygwin.host
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
...
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug2: mac_init: found hmac-sha1
debug1: kex: client->server aes128-ctr hmac-sha1 none
no kex alg
You will need to do a couple of changes to the /etc/sshd_config not ssh_config like some sites suggest. You will also need to create a local config file for ssh located here: “~/.ssh” The latter will provide you some individual user account control rather than global.
Edit the /etc/sshd_config file from Windows or within Cygwin. If you decide to edit the file within Cygwin you will need to launch a session as Administrator as show below. Right click on Cygwin Terminal:
[andy /etc]: vi /etc/sshd_config
At the very end of the file add the following, remember that older protocols are a potential security risk. Some of these options you may not need so you can add just what its complaining about if you like. Ideally upgrading OpenSSH on the Client side is the best option:
...
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
MACs hmac-sha2-256,hmac-sha2-512,hmac-sha1
You will need to restart CYGWIN cygsshd service from Windows. Launch the “Task manager” >> Services >> cygsshd >> Restart
Once you restart the service you will be able to ssh into Cygwin from Older Version of RedHat or some other Vendor. You will also be able to use scp. If you run into an issue with “scp”
Now we go to client and test going back to our Cygwin session:
$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.11 (Tikanga)
$ ssh andy@cygwin.host
Warning: Permanently added the RSA host key for IP address 'xxx.xxx.xxx.xxx' to the list of known hosts.
Last login: Wed Apr 1 15:54:49 2020 from xxx.xxx.xxx.xxx
$
Yippee it works! That’s it, thanks for tuning in…
It’s Just Bytes... 