Sep 14 2015
 

If you run an ancient operating system with an old version of the SSH client, then you are going to hit this “No Kex Alg” problem soon.


For example, Solaris 9:

$ ssh -V
Sun_SSH_1.1, SSH protocols 1.5/2.0, OpenSSL 0x0090700f

So what the hell is it? What’s causing it? Well, modern operating systems like Debian Jessie are packaged with OpenSSH 6.7 or newer, and OpenSSH 6.7 disables a number of ciphers, as per the changelog http://www.openssh.com/txt/release-6.7. As Russel rightly pointed out in the comments section below, “kex” is “key exchange”.

 

So it’s time to upgrade your client! However, if for some bizarre reason those pesky sysadmins are refusing to upgrade the client software, then that leaves you with two options:

  • if you have physical access to the client, simply spill coffee or some other beverage on it (alright, just joking)
  • or edit /etc/ssh/sshd_config on the server, append the following line and restart the sshd daemon:

    KexAlgorithms diffie-hellman-group1-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1

 

Now your old client should be able to connect to the server, plus you have successfully created a security vulnerability on your machine. How exciting!

If you’re still dying to know which mechanisms your system supports, run:

ssh -Q cipher
ssh -Q mac
ssh -Q kex
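The `ssh -Q kex` query above tells you what the client binary can do, not what a server’s sshd_config actually enables, so once the workaround line from the list above has been appended it is easy to forget it is there. The following POSIX sh script is an added example, not from the original post: it reads sshd_config text and reports any legacy key-exchange method (the 1024-bit diffie-hellman-group1-sha1 and SHA-1 group exchange) that the configuration turns on. The sample config text is constructed here; the path /etc/ssh/sshd_config and the `sshd -T` usage are assumptions about a standard OpenSSH server.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# legacy key-exchange methods the workaround above re-enables, so the
# vulnerability it creates is at least visible and reviewable.

# Constructed sample sshd_config text; the KexAlgorithms line is the one the
# post suggests appending. Assumption: your real file is /etc/ssh/sshd_config.
SAMPLE_SSHD_CONFIG='Port 22
Protocol 2
KexAlgorithms diffie-hellman-group1-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
PermitRootLogin no'

# Key-exchange methods to flag: the 1024-bit group1 method and SHA-1 group
# exchange are the ones modern OpenSSH no longer offers by default.
WEAK_KEX='diffie-hellman-group1-sha1 diffie-hellman-group-exchange-sha1'

# Read config text on stdin and print the KexAlgorithms value (first match,
# case-insensitive so `sshd -T` output works too). A leading '+' or '^'
# (OpenSSH append/prepend syntax) is stripped. Prints nothing if unset.
configured_kex() {
    awk 'tolower($1) == "kexalgorithms" { sub(/^[+^]/, "", $2); print $2; exit }'
}

# Given a comma-separated kex list in $1, print each weak entry, one per line.
weak_kex_in() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r alg; do
        for w in $WEAK_KEX; do
            if [ "$alg" = "$w" ]; then
                printf '%s\n' "$alg"
            fi
        done
    done
}

# Audit config text on stdin: return 0 if no weak kex is enabled, 1 otherwise.
audit_config() {
    kex=$(configured_kex)
    if [ -z "$kex" ]; then
        echo "KexAlgorithms not set; sshd defaults apply"
        return 0
    fi
    found=$(weak_kex_in "$kex" | tr '\n' ' ')
    if [ -n "$found" ]; then
        echo "weak kex enabled: $found"
        return 1
    fi
    echo "no weak kex configured"
    return 0
}

# Demo on the constructed sample: expect a report naming diffie-hellman-group1-sha1.
if printf '%s\n' "$SAMPLE_SSHD_CONFIG" | audit_config; then
    echo "audit passed"
else
    echo "audit failed: drop the legacy kex once the old client is upgraded"
fi
```

To check a running server rather than a file, pipe the daemon’s resolved settings into the same function with `sshd -T | audit_config`; `sshd -T` prints keywords in lowercase, which is why the match is case-insensitive. Running it from cron after the old client is finally retired is a cheap way to notice that the group1 line never got removed.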

I know more about ssh ciphers, MACs and kex now than I ever wanted to know.


 

  3 Responses to “no kex alg”

  1. Ha ha… yet I laugh with real joy.. since I have *finally* jailbroken my iPad and have just logged into it from one of my Linux boxes …! I got the Cydia stuff running on the iPad, and first install was OpenSSH package, but coming from an old Windows-XP box, with “ssh”, all I could get was this goofy “no kex alg” message.. – hmmm now to decode the linux-crypto-msg…? “no” is easy, probably means “no, you dumbguy!”… “kex” sounded like an ancient breakfast cereal, but “alg” – now that’s gotta be short for “algorithm” (finance hackers use “algo”, so pretty close, eh? .. ) but “kex” had me stumped. Now what could that be??
    Of course, my SSH client on the winbox is ancient (and the iPad is Gen-0, from the days when Steve Jobs was still on earth), so probably it was an unsupported algo which my ancient winbox ssh used, but now is compromised and easy to hack? Am I getting a bit warm here?
    Anyway, your webpage was really helpful. Thanx for taking the time to publish it.
    I suppose a modern version of PuTTY might work? What I find really impressive, is that I can login to my old iPad version 1, and from a terminal session window on a CentOS Linux box, enter “ls -l --col”, and get a directory list with colour codings…
    … Ok, I just tried it.
    My Winbox “ssh” returns “no kex alg”, but old PuTTY with Blowfish and triple DES seems to work.
    There. I can login to the *unix O/S running on my iPad, from my Windows-XP session, using an old version of PuTTY.
    Just one dumb question: What the heck does “Kex” mean?
    (I suppose I will have to break down, and actually look at the OpenSSH release notes, eh? )
    – Rus

  2. Of course.. ‘”kex” is “key exchange”.

  3. Thank you!
