ssh error: unable to negotiate with IP: no matching cipher found

Mattias Geniar, Monday, September 24, 2018

I have a pretty old Synology NAS at home that I use for some basic file storage. I also abuse it as a cron-server, doing some simple rsync's from remote systems. When I last tried to SSH into it, I was greeted with this error.

$ ssh admin@nas.home
Unable to negotiate with port 22: no matching cipher found.
  Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

Turns out my client's SSH was updated and was blocking several insecure ciphers by default. And this Synology runs an ancient SSH daemon that only supports those ancient, outdated ciphers.

To check which ciphers your client supports, run this:

$ ssh -Q cipher

In this list are several ciphers that are supported by my ancient SSH server as well as the client; they're just blocked by default on the client. Things like 3des-cbc, aes128-cbc, aes256-cbc, etc.

To enable those ciphers anyway, you can force their use with the -c parameter.

$ ssh -c aes256-cbc admin@nas.home

This will re-allow access to that ancient SSH server.
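
A narrower alternative to typing -c on every connection, as an added example that is not from the original post: the script below picks the most preferred legacy cipher found in both the server's offer and the client's list, then prints a per-host stanza for ~/.ssh/config so the weak cipher is re-enabled for that one host only. The function names, the preference order and the shortened client list are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Function names and the
# preference order are assumptions made for this illustration.

# Legacy CBC ciphers from the server's offer, most preferred first:
# larger AES keys first, 3DES last because of its 64-bit block size.
PREFERRED="aes256-cbc aes192-cbc aes128-cbc 3des-cbc"

# extract_offer ERROR_TEXT: print the comma-separated list after "Their offer:".
extract_offer() {
    printf '%s\n' "$1" | sed -n 's/^.*Their offer: *//p' | head -n 1
}

# pick_cipher OFFER CLIENT_LIST: print the most preferred cipher present in
# both the server's offer (comma-separated) and the client's list
# (whitespace-separated, e.g. the output of `ssh -Q cipher`).
pick_cipher() {
    offer=",$1,"
    for c in $PREFERRED; do
        case "$offer" in
            *",$c,"*) ;;          # server offers it, check the client next
            *) continue ;;        # not offered, try the next preference
        esac
        for s in $2; do
            if [ "$s" = "$c" ]; then printf '%s\n' "$c"; return 0; fi
        done
    done
    return 1                      # nothing in common
}

# host_block HOST CIPHER: print a stanza for ~/.ssh/config that appends the
# cipher to the client defaults for this one host only.
host_block() {
    printf 'Host %s\n    Ciphers +%s\n' "$1" "$2"
}

# Constructed sample input: the error text shown above and a shortened,
# made-up client list standing in for `ssh -Q cipher`.
ERR='Unable to negotiate with port 22: no matching cipher found.
  Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc'
CLIENT='3des-cbc aes128-cbc aes256-cbc aes128-ctr aes256-ctr'

if chosen=$(pick_cipher "$(extract_offer "$ERR")" "$CLIENT"); then
    host_block nas.home "$chosen"
else
    echo "no mutually supported cipher" >&2
fi
```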

Now to find a way to upgrade the SSH daemon on that Synology without breaking it ...

Hi! My name is Mattias Geniar. I'm a Support Manager at Nucleus Hosting in Belgium, a general web geek & public speaker. Currently working on DNS Spy & Oh Dear!. Follow me on Twitter as @mattiasgeniar.


ray.chan Thursday, December 27, 2018 at 17:28 - Reply

Thanks, had the exact same issues sshing to my Synology NAS, your solution helped

Tony Sunday, January 6, 2019 at 02:04 - Reply

Thank You! Solved my issue with connecting to an old Cisco 1841 router via OpenSSH.

Nick Cupery Friday, January 11, 2019 at 21:11 - Reply

Thank you!

Nick Cupery Friday, January 11, 2019 at 21:17 - Reply

I did some additional research on this and found the following guidance:

You can edit the SSH Configuration file to allow the older ciphers…

sudo nano /etc/ssh/ssh_config

Find the string:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc

Uncomment it and your ssh will work as usual.

Jonathan Wednesday, March 13, 2019 at 20:38 - Reply

Try with this, it worked for me.

ssh admin@nas.home -c 3des-cbc

Kisarigi Tuesday, April 9, 2019 at 10:08 - Reply

it really worked…
Thank you!

NKD Wednesday, April 17, 2019 at 22:39 - Reply

Thank you. It was useful for me.

hangnguyen Wednesday, May 8, 2019 at 12:10 - Reply

Thank you!
it really worked :)

carlos Tuesday, May 21, 2019 at 20:51 - Reply

Thank you very much, just what I was looking for.

serviplus Friday, August 23, 2019 at 19:26 - Reply

Thanks, I really appreciate it…!!

E Tuesday, September 17, 2019 at 17:37 - Reply

thank you it worked!!!
