OpenSSH Server v10.0 - Possible cipher incompatibilities with clients or libraries
The OpenSSH team released version 10.0 of OpenSSH on 2025-04-09. This release changes which algorithms are enabled by default for the key exchange. This could possibly lead to issues if you use an up-to-date rolling-release Linux distribution like Arch Linux.
Specifically, the key exchange algorithms beginning with "diffie-hellman-group*" and "diffie-hellman-group-exchange-*" were removed from the default set of enabled algorithms.
So if you encounter problems connecting to one of your own or other servers, the cause could be a client or library that does not support the new default set of key exchange algorithms. I faced the problem with some Android apps like Solid Explorer File Manager with a current OpenSSH server.
If you face such problems, first check your server journal/logs. You will possibly see messages like this from your sshd daemon:
Unable to negotiate with X.X.X.X port XXXX : no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group1-sha1 [preauth]
To support such incompatible clients as a temporary workaround until an update for the client is released, you can edit your sshd_config and add one or more key exchange algorithms supported by the client to the default set.
For example:
KexAlgorithms +diffie-hellman-group14-sha256
To see which key exchange algorithms can be added to the list on your system, issue the following command on a console:
ssh -Q KexAlgorithms
See the detailed changelog:
https://www.openssh.com/txt/release-10.0
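An added example, not part of the original post: a Python script that reads sshd "Unable to negotiate" log lines like the one above and proposes the narrowest `KexAlgorithms +...` line, while listing clients that offer only SHA-1 methods so they can be updated instead. The sample log lines, the function names and the preference order are assumptions made for this example.

```python
import re

# Constructed sample journal lines (documentation addresses, not real hosts).
SAMPLE_LOG = """\
sshd[811]: Unable to negotiate with 192.0.2.10 port 50122 : no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group1-sha1 [preauth]
sshd[812]: Unable to negotiate with 192.0.2.44 port 50130: no matching key exchange method found. Their offer: diffie-hellman-group16-sha512,diffie-hellman-group14-sha256 [preauth]
sshd[840]: Unable to negotiate with 198.51.100.7 port 40022: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
sshd[850]: Accepted publickey for alice from 203.0.113.5 port 51000 ssh2
"""

# Assumed preference order for this example; SHA-1 based methods are left out
# on purpose so they are never suggested for re-enabling.
PREFERRED = [
    "diffie-hellman-group18-sha512",
    "diffie-hellman-group16-sha512",
    "diffie-hellman-group14-sha256",
    "diffie-hellman-group-exchange-sha256",
]
PATTERN = re.compile(
    r"Unable to negotiate with (\S+) port \d+\s*: "
    r"no matching key exchange method found\. Their offer: (\S+)")

def parse_offers(log_text):
    """Map client address -> set of key exchange methods it offered."""
    offers = {}
    for m in PATTERN.finditer(log_text):
        offers.setdefault(m.group(1), set()).update(m.group(2).split(","))
    return offers

def plan(log_text):
    """Return (methods to add, clients offering nothing from PREFERRED)."""
    to_add, needs_update = [], []
    for client, offered in sorted(parse_offers(log_text).items()):
        if any(a in offered for a in to_add):
            continue  # already covered by a method chosen for another client
        pick = next((a for a in PREFERRED if a in offered), None)
        if pick is None:
            needs_update.append(client)
        else:
            to_add.append(pick)
    return to_add, needs_update

def config_line(methods):
    """Build the sshd_config line, or an empty string if nothing to add."""
    return "KexAlgorithms +" + ",".join(methods) if methods else ""

if __name__ == "__main__":
    methods, needs_update = plan(SAMPLE_LOG)
    print(config_line(methods))
    print("clients offering only SHA-1 methods:", needs_update)
```

On a live system the same functions can be fed the text of the sshd journal instead of `SAMPLE_LOG`.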