When trying to establish a remote connection to a server using SSH, users may encounter the error message "Unable to negotiate with IP address: no matching cipher found." This problem usually occurs when the SSH client and server do not have any common cipher algorithm supported by both sides. In this article, we will focus on specific steps to resolve this error on the CentOS 7 operating system.

Cause of the problem

SSH (Secure Shell) uses encryption algorithms to secure communication between the client and server. When a client initiates an SSH connection, the two sides exchange their lists of supported encryption algorithms and must agree on one that appears in both. The "no matching cipher found" error indicates that the client's cipher list and the server's cipher list have no entry in common.

Solution to the problem

Step 1: Identify supported ciphers on the server

First, you need to determine which encryption algorithms are supported on the server. This can be achieved by running the following command on the server:

ssh -Q cipher

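This command lists the ciphers that the OpenSSH build installed on the server supports. The set the SSH server actually offers can be narrower if a Ciphers line in /etc/ssh/sshd_config restricts it.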

Step 2: Identify supported ciphers on the client

Similarly, you need to find out which encryption algorithms the SSH client supports. Run the same command on the client:

ssh -Q cipher

Step 3: Modify SSH server configuration

After identifying the ciphers supported by both the server and the client, you need to modify the SSH server configuration file on CentOS 7 to ensure support for at least one common algorithm. Edit the /etc/ssh/sshd_config file on the server and explicitly add the supported ciphers. For example:

Ciphers aes256-ctr,aes192-ctr,aes128-ctr

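List only ciphers that are supported by both sides. A Ciphers line written as a plain list replaces the server's default list, so include every cipher the server should still offer. After making the configuration change, restart the SSH service: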

systemctl restart sshd

Step 4: Modify SSH client configuration (optional)

If changing the server-side configuration is not possible or you prefer to make the change on the client side, you can specify the encryption algorithm when running the SSH command using the -c option. For example:

ssh -c aes256-ctr user@server_address

This way, you can explicitly specify which encryption algorithm to use for the connection.
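
Steps 1 to 3 come down to intersecting two `ssh -Q cipher` listings and writing the result as a Ciphers line. The script below is an added example, not part of the original article; the function names and sample listings are constructed, and leaving CBC-mode and arcfour ciphers out of the result is this example's own policy choice.

```shell
#!/bin/sh
# Constructed sample listings, one cipher per line, as `ssh -Q cipher` prints them.
# In practice, save the real output from each host and pass that instead.
SERVER_CIPHERS='3des-cbc
aes128-cbc
aes256-cbc
aes128-ctr
aes192-ctr
aes256-ctr
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com'

CLIENT_CIPHERS='aes128-cbc
3des-cbc
aes128-ctr
aes256-ctr'

# common_ciphers SERVER_LIST CLIENT_LIST
# Prints every cipher found in both lists, keeping the server list's order.
common_ciphers() {
    printf '%s\n' "$1" | while IFS= read -r c; do
        [ -n "$c" ] || continue
        # -F fixed string, -x whole line: "aes128-ctr" must not match "aes128-ctr-foo"
        if printf '%s\n' "$2" | grep -Fxq -- "$c"; then
            printf '%s\n' "$c"
        fi
    done
}

# drop_legacy: filter stdin, removing CBC-mode and arcfour ciphers (example policy).
drop_legacy() {
    grep -Ev -- '-cbc$|^arcfour' || true
}

# ciphers_line SERVER_LIST CLIENT_LIST
# Prints an sshd_config Ciphers directive; returns 1 if only legacy ciphers are shared.
ciphers_line() {
    list=$(common_ciphers "$1" "$2" | drop_legacy | paste -sd, -)
    [ -n "$list" ] || return 1
    printf 'Ciphers %s\n' "$list"
}

ciphers_line "$SERVER_CIPHERS" "$CLIENT_CIPHERS" ||
    echo 'no shared non-legacy cipher: upgrade the older side' >&2
```

After pasting the resulting line into /etc/ssh/sshd_config, running `sshd -t` checks that the file still parses before the service is restarted.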

The "Unable to negotiate with IP address: no matching cipher found" error during SSH connection is usually caused by a mismatch in supported encryption algorithms between the client and server. The solution involves identifying and configuring supported ciphers on both sides. In this article, we have walked through the steps needed to resolve this problem on the CentOS 7 system.