This error occurs when your SSH client and server cannot agree on a compatible key exchange algorithm. Older servers may only support deprecated algorithms that modern SSH clients disable by default for security.
When SSH negotiates a connection, both the client and server exchange lists of supported cryptographic algorithms. This includes key exchange methods (KEX), host key types, ciphers, and MAC algorithms. For a successful connection, there must be at least one mutually-supported choice for each parameter. If the client and server are unable to agree on a mutual set of key exchange methods, the connection fails with "no matching key exchange method found." This commonly occurs when connecting to legacy systems (older network equipment, servers running very old SSH implementations) that only support weak algorithms like diffie-hellman-group1-sha1.
First, identify which key exchange algorithms the server is offering. Run SSH with verbose mode to see the negotiation:
ssh -vvv user@server 2>&1 | grep -iE -A 5 "kex algorithms|their offer"
Look for the line "Their offer:" which shows the server's available algorithms. Note the exact algorithm name (e.g., diffie-hellman-group1-sha1).
Check what algorithms your local SSH installation supports:
ssh -Q kex # Key Exchange Algorithms
ssh -Q key # Public key types
ssh -Q cipher # Ciphers
ssh -Q mac # MAC types
Compare the server's offers with your client's supported list to find a common algorithm.
Once you've identified a compatible algorithm from the server's offer, connect with that algorithm explicitly:
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 user@server
Note the + prefix: it appends the deprecated algorithm to the default list rather than replacing the defaults entirely.
If you get a second error about "no matching host key type found," also add:
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-rsa user@server
For hosts you connect to regularly, add a permanent entry to ~/.ssh/config:
Host oldserver
    Hostname 192.168.1.100
    KexAlgorithms +diffie-hellman-group1-sha1
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedKeyTypes +ssh-rsa
Replace oldserver with a label for the host, 192.168.1.100 with the actual IP/hostname. The + prefix means these algorithms are added to the default list.
For global defaults that apply to all hosts (not recommended), edit /etc/ssh/ssh_config (system-wide) with the same lines.
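The comparison step above (the server's "Their offer:" list against the client's ssh -Q kex output) can be scripted so that the weakest algorithm is only chosen when nothing better is mutual. This is an added example, not part of the original page: the function names, the ranking rule, and the sample error line and client list are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: pick the least-weak KEX algorithm that both sides support,
# using ssh's error line and a list in the format printed by `ssh -Q kex`.

# Read ssh's stderr on stdin; print the comma-separated list after "Their offer:".
parse_offer() {
    sed -n 's/.*no matching key exchange method found\. Their offer: *//p' | head -n 1
}

# Ranking assumed by this example: 0 = no SHA-1, 1 = SHA-1 but not group1, 2 = group1.
kex_rank() {
    case "$1" in
        diffie-hellman-group1-sha1) echo 2 ;;
        *-sha1)                     echo 1 ;;
        *)                          echo 0 ;;
    esac
}

# $1 = server offer (CSV), $2 = client list (one algorithm per line).
# Prints "rank algorithm" for every mutual algorithm, best rank first.
common_kex() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r alg; do
        if [ -n "$alg" ] && printf '%s\n' "$2" | grep -Fxq -- "$alg"; then
            echo "$(kex_rank "$alg") $alg"
        fi
    done | sort -s -n -k1,1
}

# Print the ssh option for the best mutual algorithm; return 1 if there is none.
suggest_option() {
    best=$(common_kex "$1" "$2" | head -n 1)
    [ -n "$best" ] || return 1
    echo "-oKexAlgorithms=+${best#* }"
}

# Constructed sample input: one error line and a shortened client listing.
# On a real system, use the captured ssh error and "$(ssh -Q kex)" instead.
SAMPLE_ERR='Unable to negotiate with 192.168.1.100 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1'
SAMPLE_CLIENT='curve25519-sha256
diffie-hellman-group14-sha256
diffie-hellman-group14-sha1
diffie-hellman-group1-sha1'

offer=$(printf '%s\n' "$SAMPLE_ERR" | parse_offer)
suggest_option "$offer" "$SAMPLE_CLIENT"
```

With the sample input, the script suggests diffie-hellman-group14-sha1 rather than group1, because the server offers both and the ranking puts group1 last.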
The best long-term solution is to update the server's SSH implementation. If you control the server, upgrade OpenSSH:
On Linux/Unix:
# For apt (Debian/Ubuntu)
sudo apt update && sudo apt upgrade openssh-server
# For yum (RHEL/CentOS)
sudo yum update openssh-server
For network equipment (switches, routers, firewalls), check the vendor's security patches and firmware updates.
After upgrading, test the connection without the -oKexAlgorithms override.
Security Considerations: Enabling deprecated algorithms like diffie-hellman-group1-sha1 weakens security. DH group 1 only uses 768-bit keys, which modern cryptanalysis can break. Use these algorithms only as a temporary workaround for legacy systems you're actively trying to upgrade.
Why Modern OpenSSH Disables These: Newer versions of OpenSSH (7.0+) removed support for weak algorithms by default to prevent downgrade attacks. Even though your client may support them internally, you must explicitly re-enable them, which is an intentional friction point to discourage their use.
For Server Administrators: If you manage a server, edit /etc/ssh/sshd_config to add algorithms only if necessary. Restart with sudo systemctl restart sshd. The same security cautions apply — upgrade when possible.
SSH Protocol Details: SSH negotiation happens during the initial handshake before authentication. Both sides must have at least one algorithm in common for each category. The client always proposes first, and the server picks the first match from its preferred list.