ssh error: unable to negotiate with IP: no matching cipher found

Profile image of Mattias Geniar

Mattias Geniar, September 24, 2018

Follow me on Twitter as @mattiasgeniar

I have a pretty old Synology NAS at home that I use for some basic file storage. I also abuse it as a cron-server, doing some simple rsync’s from remote systems. When I last tried to SSH into it, I was greeted with this error.

No matching ciphers found

$ ssh admin@nas.home
Unable to negotiate with port 22: no matching cipher found.
  Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

Turns out my clients’ SSH was updated and was blocking several insecure ciphers by default. And this Synology runs an ancient SSH daemon, that only supports those ancient outdated ciphers.

Force a set of ciphers your client supports

To check which ciphers your client supports, run this:

$ ssh -Q cipher

In this list are several ciphers that are supported by my ancient SSH server as well as the client, they’re just blocked by default on the client. Things like 3des-cbc, aes128-cbc, aes256-cbc, … etc.

To enable those ciphers anyway, you can force their use with the -c parameter.

$ ssh -c aes256-cbc admin@nas.home

This will re-allow access to that ancient SSH server.

Now to find a way to upgrade the SSH daemon on that Synology without breaking it …

Update: recent versions of Synology allow you to change this

If your Synology is up-to-date, you can navigate to the Controlpanel > Terminal & SNMP > Advanced Settings.

Synology advanced SSH settings

In there, pick the High advanced settings for the encryption algorithm.

Synology advanced SSH settings

Now give it a try again!

Want to subscribe to the cron.weekly newsletter?

I write a weekly-ish newsletter on Linux, open source & webdevelopment called cron.weekly.

It features the latest news, guides & tutorials and new open source projects. You can sign up via email below.

No spam. Just some good, practical Linux & open source content.