SSH client and server cannot agree on an encryption algorithm. This occurs when connecting newer SSH clients to legacy servers, or when ciphers are disabled for security reasons.
This error means the SSH client and server cannot negotiate a common cipher (encryption algorithm) that both support. SSH requires both sides to agree on which encryption method to use for the connection. When they cannot find a match, the connection fails. This typically happens when one side has disabled older, less secure ciphers, or when there's a significant version mismatch between the client and server.
First, see what ciphers your SSH client supports:
ssh -Q cipherThis lists all available ciphers in priority order. Your system likely supports modern ciphers like aes256-ctr, aes128-ctr, or [email protected].
Attempt to connect using one of the modern ciphers supported by both client and server:
ssh -c aes256-ctr user@hostname
ssh -c aes128-ctr user@hostname
ssh -c [email protected] user@hostnameIf one of these works, you've found a compatible cipher.
If you need to connect regularly, add the server to your SSH config file at ~/.ssh/config:
Host problematic-server
HostName hostname.example.com
User yourusername
Ciphers aes256-ctr,aes128-ctrThis allows seamless connections without specifying the cipher each time.
The best long-term solution is upgrading OpenSSH on the server:
Ubuntu/Debian:
sudo apt update
sudo apt upgrade openssh-serverCentOS/RHEL:
sudo yum update openssh-servermacOS:
brew upgrade opensshAfter upgrading, restart the SSH service:
sudo systemctl restart sshdIf upgrading immediately isn't possible, you can temporarily re-enable deprecated ciphers on the server by editing /etc/ssh/sshd_config:
sudo nano /etc/ssh/sshd_configAdd or modify the Ciphers line:
Ciphers aes256-cbc,aes192-cbc,aes128-cbc,aes256-ctr,aes128-ctrThen restart SSH:
sudo systemctl restart sshd⚠️ Warning: Only enable legacy ciphers as a temporary fix. Older ciphers have known weaknesses. Upgrade the server as soon as feasible.
Modern OpenSSH versions (7.0+) disable weak ciphers by default for security. Ciphers like DES, 3DES, and RC4 are no longer available. If you control both systems, upgrade both to the same recent version of OpenSSH and use modern ciphers like ChaCha20-Poly1305 or AES-GCM. For enterprise environments, use Mozilla's OpenSSH hardening guidelines which recommend: [email protected], ecdh-sha2-nistp256, and [email protected] as key exchange and cipher algorithms. Rootless containers and isolated network environments may also enforce stricter cipher policies.
sign_and_send_pubkey: no mutual signature supported
How to fix "sign_and_send_pubkey: no mutual signature supported" in SSH
sign_and_send_pubkey: signing failed for RSA from agent: agent refused operation
How to fix "sign_and_send_pubkey: signing failed for RSA from agent: agent refused operation" in SSH
Bad owner or permissions on /home/user/.ssh/config
How to fix "Bad owner or permissions on .ssh/config" in SSH
No more authentication methods to try.
How to fix "No more authentication methods to try." in SSH
Error connecting to agent: Connection refused
How to fix "Error connecting to agent: Connection refused" in SSH