When attempting to SSH into an older server using macOS, you may receive a ssh error message that reads something like:
Unable to negotiate with 123.123.123.123 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
For a successful connection, OpenSSH must have at least one mutually-supported choice for each parameter. If the client and server fail to agree on a mutual set of parameters then the connection will fail. In this case, the client and server were unable to agree on the key exchange algorithm. The server offered diffie-hellman-group1-sha1 which is supported by OpenSSH but no longer enabled by default. It is considered weak and within theoretical range of the Logjam attack.
There are a couple ways to resolve this...
Easiest Solution
Step One
Reattempt your SSH connection, adding the following to your command line:
-oKexAlgorithms=+diffie-hellman-group1-sha1
ie. ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 username@123.123.123.123
Alternatively, you can follow these steps to make the option permanent...
Permanent Solution
Step One
Open a new Terminal window.
Step Two
Type sudo nano ~/.ssh/config, then enter your administrative password if prompted.
Step Three
Add the following lines to the config file, replacing 123.123.123.123 with the IP of the server you are connecting to.
Host 123.123.123.123
KexAlgorithms +diffie-hellman-group1-sha1
Step Four
Press Control+X to exit. Input Y when asked to ask save modified buffer.
Hit Return to confirm the file name to write.
Step Five
Now you can SSH into your server as normal.
ssh username@123.123.123.123
