MacOS No Longer Allowing You to SSH to Older Devices?

If you are seeing error messages like

Unable to negotiate with "xxx" port "xxx": no matching cipher found. Their offer: aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, arcfour, aes192-cbc, aes256-cbc, rijndael-cbc @ server

You can either upgrade the SSH server to support newer, more secure algorithms, or you can enable the older ciphers on your Mac by performing the following:

sudo nano /etc/ssh/ssh_config

Find the section beginning with and remove the leading # to uncomment these disabled ciphers

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc

Another option is to edit the per-user SSH configuration file like this:

nano ~/.ssh/config

Host *
    SendEnv LANG LC_*
    Ciphers +aes256-cbc

macOS Sierra SSH Client

If you’ve upgraded to macOS Sierra you may have seen the following error message when attempting to use the built-in SSH client to connect to certain SSH servers:

Mac:~ user$ ssh admin@
Unable to negotiate with port 22: no matching host key type found. Their offer: ssh-rsa

This issue is caused by a change introduced by the version of OpenSSH (version 7.2) that is included with macOS Sierra. In OpenSSH version 7.x, certain older security algorithms are disabled by default, which generates the error message above. The fix is to either update the SSH server settings or simply change the configuration on your computer to allow the less secure algorithms by editing /etc/ssh/ssh_config and adding the following two lines to the end:

HostkeyAlgorithms +ssh-dss
KexAlgorithms +diffie-hellman-group1-sha1

Thanks to for a quick write up on this!

After you save this file all should be well. I would recommend you research how to correct the underlying configuration of the SSH server, as more security is usually a good thing 🙂
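
The changes above apply to every host (`Host *` or the system-wide file). As an added example, not part of the original post, the shell function below reads an "Unable to negotiate" error like the ones quoted above and prints a stanza for ~/.ssh/config that re-enables one offered algorithm for a single named host only. The host alias `oldswitch`, the sample address and the preference order in `PREFER` are assumptions of this example.

```shell
#!/bin/sh
# Added example: turn an OpenSSH negotiation error into a host-scoped
# ~/.ssh/config stanza instead of weakening the defaults for every host.

# Legacy algorithms this example is willing to re-enable, strongest first
# within each type (assumed order). Anything not listed, e.g. arcfour,
# is never enabled by this function.
PREFER="aes256-cbc aes192-cbc aes128-cbc 3des-cbc
        ssh-rsa ssh-dss
        diffie-hellman-group14-sha1 diffie-hellman-group1-sha1"

# legacy_stanza HOST "ERROR LINE" -> prints a Host block, or returns 1.
legacy_stanza() {
    host=$1
    err=$2
    # The error text tells us which ssh_config keyword is involved.
    case $err in
        *"no matching cipher found"*)              key=Ciphers ;;
        *"no matching host key type found"*)       key=HostKeyAlgorithms ;;
        *"no matching key exchange method found"*) key=KexAlgorithms ;;
        *) echo "unrecognised negotiation error" >&2; return 1 ;;
    esac
    # Everything after "Their offer: " is the server's comma-separated list.
    offer=$(printf '%s' "${err##*"Their offer: "}" | tr ',' ' ')
    for want in $PREFER; do
        for got in $offer; do
            if [ "$got" = "$want" ]; then
                # "+" appends to the client's defaults rather than replacing them.
                printf 'Host %s\n    %s +%s\n' "$host" "$key" "$want"
                return 0
            fi
        done
    done
    echo "no acceptable algorithm in server offer" >&2
    return 1
}

# Constructed sample error line (192.0.2.10 is a documentation address).
legacy_stanza oldswitch \
    'Unable to negotiate with 192.0.2.10 port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc,arcfour'
```

Append the printed stanza to ~/.ssh/config and connect with the same host name; other hosts keep the OpenSSH defaults.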