
I am using an SSH tunnel to establish an SSH connection to a device, I am creating the tunnel with:

ssh -L localhost:44445:X.X.X.X:XXXX [email protected]

However when I try to ssh through the tunnel with:

ssh -p 44445 root@localhost
Unable to negotiate with 127.0.0.1 port 44445: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

However, if I move the same machine into the same network where my device is and I try to connect directly to the device - hence without using the SSH tunnel - the connection is successful.

I can connect using the following option when running the SSH client through the tunnel, however I need to be able to connect without that.

-o KexAlgorithms=+diffie-hellman-group14-sha1

Funnily enough, I can connect using the ProxyJump option - that works fine; however, it is not what I want, as I need a tunnel that can be used by a 3rd-party app.

ssh -J [email protected] [email protected]

2 Answers

Your other machine most likely has either an older version of the OpenSSH client that didn't yet refuse to use the old DH algorithms by default (the list of "acceptable" algorithms has changed over time), or a different SSH client entirely (e.g. PuTTY is much less strict in that regard).

If you merely need to connect without modifications to the command, then you can add the same SSH options to your ~/.ssh/config. In fact, you can even define the whole tunnel there:

  1. ~/.ssh/config:

       # ProxyJump is the ssh_config keyword for the -J option
       Host mydevice
           ProxyJump mytunnel
           HostName yyyy
           Port zzz
           KexAlgorithms +diffie-hellman-group14-sha1

       Host mytunnel
           HostName x.x.x.x
           User root

  2. $ ssh mydevice

If that's not an option, use a different SSH client, such as PuTTY:

  • $ plink root@localhost -P 44445

And if you need to connect without any modifications to the SSH client, the only realistic option is to upgrade the SSH server so that it supports newer algorithms.

  • When you refer to the other machine, I reckon you mean the machine where the tunnel has been set up; please correct me if I am wrong. I thought that the tunnel would wrap and unwrap the contents - which in this case happens to be SSH payload - hence the tunnel would not make any difference in the communication between the SSH client and the SSH server on the device. Is there a manual or something that helps me make sense of this? Commented Mar 21 at 14:24
  • I'm referring to "However, if I try to access from a different machine which sits in the same network as the device and try to connect [...] connection is successful". As you said yourself, the fact that the 'different machine' isn't using a tunnel is very unlikely to be related to the problem – more likely it's just that it has a different version of the SSH client than the 'tunnel' machine. Commented Mar 21 at 14:28
  • Sorry, my bad, it is the same machine using exactly the same ssh client. Commented Mar 21 at 15:51

I agree with @u1686_grawity, but maybe the problem is related to the SSH connection established with the tunnel machine and not with the final device. Rewriting your command a bit:

ssh -L localhost:44445:<finalDeviceIP>:<port> root@<tunnelMachineIP>

You said

if I move the same machine into the same network where my device is and I try to connect directly to the device - hence without using the SSH tunnel - the connection is successful

hence, the ssh connection to <finalDeviceIP> works fine. However, when you go by <tunnelMachineIP> you get the error, since (probably) that machine has a too old ssh version.
In the tunnel connection indeed, the first ssh session is established with <tunnelMachineIP>, which then, as you said, wraps and unwraps the payload for the second ssh session you want to establish with <finalDeviceIP>.
As @u1686_grawity suggested, you should update the ssh server on board the <tunnelMachineIP>. Or you can set up the tunnel inside the ssh config file of your client (even if you should probably move the option KexAlgorithms +diffie-hellman-group14-sha1 under the Host mytunnel section).
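Both answers come down to the same question: which key-exchange algorithms does the failing hop offer, and does the client still have any of them enabled? The helper below is an added example, not code from the question or either answer. It parses the "Their offer:" list out of the error message, compares it with the client's own list (normally the output of ssh -Q kex; a constructed list is embedded here), and derives the narrowest KexAlgorithms value for a per-host stanza, skipping diffie-hellman-group1-sha1 rather than re-enabling a 1024-bit group.

```shell
#!/bin/sh
# Added diagnostic helper (not from the question or answers): compare the
# client's key-exchange list with the server's "Their offer:" list from an
# OpenSSH "Unable to negotiate" error and derive a minimal Host-stanza fix.

# Print the server's offered algorithms, one per line, parsed from the error.
server_offer() {
    printf '%s\n' "$1" | sed -n 's/.*Their offer: *//p' | tr ',' '\n'
}

# Keep offered algorithms the client has ($3=1) or lacks ($3=0).
# $1 = client list (one per line, as `ssh -Q kex` prints), $2 = error text.
_filter_kex() {
    client=$(printf '%s\n' "$1" | tr '\n' ',')
    server_offer "$2" | awk -v c="$client" -v keep="$3" '
        BEGIN { n = split(c, a, ","); for (i = 1; i <= n; i++) have[a[i]] = 1 }
        ($0 in have) == keep'
}
common_kex()  { _filter_kex "$1" "$2" 1; }
missing_kex() { _filter_kex "$1" "$2" 0; }

# Algorithms not worth re-enabling even for a legacy box:
# diffie-hellman-group1-sha1 negotiates over a 1024-bit MODP group.
is_weak_kex() {
    case "$1" in diffie-hellman-group1-sha1) return 0 ;; *) return 1 ;; esac
}

# Print the narrowest KexAlgorithms value for a per-host ssh_config stanza:
# "+" plus only the non-weak algorithms the server offers and the client
# lacks, so the client's defaults stay intact. Prints nothing if none qualify.
kex_config_value() {
    list=$(missing_kex "$1" "$2" | while read -r alg; do
        is_weak_kex "$alg" || printf '%s\n' "$alg"
    done | awk 'NR > 1 { printf "," } { printf "%s", $0 } END { if (NR) print "" }')
    if [ -n "$list" ]; then printf '+%s\n' "$list"; fi
}

# Constructed sample input: the error from the question, and a client list
# as a current OpenSSH would print it (no SHA-1 DH groups enabled).
SAMPLE_ERROR='Unable to negotiate with 127.0.0.1 port 44445: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1'
SAMPLE_CLIENT='curve25519-sha256
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512'
printf 'shared:  %s\n' "$(common_kex "$SAMPLE_CLIENT" "$SAMPLE_ERROR" | tr '\n' ' ')"
printf 'missing: %s\n' "$(missing_kex "$SAMPLE_CLIENT" "$SAMPLE_ERROR" | tr '\n' ' ')"
printf 'KexAlgorithms %s\n' "$(kex_config_value "$SAMPLE_CLIENT" "$SAMPLE_ERROR")"
```

To see which hop actually sends the offer, run the same comparison against the error from a direct connection and from the tunnelled one: a server that offers only SHA-1 groups through one path but not the other tells you which side to upgrade.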
