duenlim
Staff
April 28, 2026

Technical Tip: FortiPAM shown no matching SSH key versions


Description

This article describes the error messages that appear when launching PuTTY to target devices/hosts:


Unable to negotiate with 10.10.10.10: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
Unable to negotiate with 10.10.10.11: no matching host key type found. Their offer: ssh-dss

Scope

FortiPAM v1.7/v1.8

Solution

  1. By default, strong-crypto is enabled under config system global:


(global) # show full | grep ssh

set ssh-enc-algo aes256-ctr aes256-gcm@openssh.com

set ssh-kex-algo diffie-hellman-group-exchange-sha256 curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521

set ssh-mac-algo hmac-sha2-256 hmac-sha2-256-etm@openssh.com hmac-sha2-512 hmac-sha2-512-etm@openssh.com

(global) # set ssh-mac-algo

hmac-sha2-256 hmac-sha2-256

hmac-sha2-256-etm@openssh.com hmac-sha2-256-etm@openssh.com

hmac-sha2-512 hmac-sha2-512

hmac-sha2-512-etm@openssh.com hmac-sha2-512-etm@openssh.com

(global) # set ssh-kex-algo

diffie-hellman-group-exchange-sha256 diffie-hellman-group-exchange-sha256

curve25519-sha256@libssh.org curve25519-sha256@libssh.org

ecdh-sha2-nistp256 ecdh-sha2-nistp256

ecdh-sha2-nistp384 ecdh-sha2-nistp384

ecdh-sha2-nistp521 ecdh-sha2-nistp521

(global) # set ssh-enc-algo

aes256-ctr aes256-ctr

aes256-gcm@openssh.com aes256-gcm@openssh.com


  2. With strong-crypto disabled:


(global) # set ssh-mac-algo

hmac-md5 hmac-md5

hmac-md5-etm@openssh.com hmac-md5-etm@openssh.com

hmac-md5-96 hmac-md5-96

hmac-md5-96-etm@openssh.com hmac-md5-96-etm@openssh.com

hmac-sha1 hmac-sha1

hmac-sha1-etm@openssh.com hmac-sha1-etm@openssh.com

hmac-sha2-256 hmac-sha2-256

hmac-sha2-256-etm@openssh.com hmac-sha2-256-etm@openssh.com

hmac-sha2-512 hmac-sha2-512

hmac-sha2-512-etm@openssh.com hmac-sha2-512-etm@openssh.com

hmac-ripemd160 hmac-ripemd160

hmac-ripemd160@openssh.com hmac-ripemd160@openssh.com

hmac-ripemd160-etm@openssh.com hmac-ripemd160-etm@openssh.com

umac-64@openssh.com umac-64@openssh.com

umac-128@openssh.com umac-128@openssh.com

umac-64-etm@openssh.com umac-64-etm@openssh.com

umac-128-etm@openssh.com umac-128-etm@openssh.com

(global) # set ssh-kex-algo

diffie-hellman-group14-sha1 diffie-hellman-group14-sha1

diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha1

diffie-hellman-group-exchange-sha256 diffie-hellman-group-exchange-sha256

curve25519-sha256@libssh.org curve25519-sha256@libssh.org

ecdh-sha2-nistp256 ecdh-sha2-nistp256

ecdh-sha2-nistp384 ecdh-sha2-nistp384

ecdh-sha2-nistp521 ecdh-sha2-nistp521

(global) # set ssh-enc-algo

chacha20-poly1305@openssh.com chacha20-poly1305@openssh.com

aes128-ctr aes128-ctr

aes192-ctr aes192-ctr

aes256-ctr aes256-ctr

arcfour256 arcfour256

arcfour128 arcfour128

aes128-cbc aes128-cbc

3des-cbc 3des-cbc

blowfish-cbc blowfish-cbc

cast128-cbc cast128-cbc

aes192-cbc aes192-cbc

aes256-cbc aes256-cbc

arcfour arcfour

rijndael-cbc@lysator.liu.se rijndael-cbc@lysator.liu.se

aes128-gcm@openssh.com aes128-gcm@openssh.com

aes256-gcm@openssh.com aes256-gcm@openssh.com


Solution: Make sure that a proper SSH key exchange method or algorithm is selected on the target devices/hosts.
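
The check below is an added example, not part of the original article or of FortiPAM: it parses negotiation errors in the format quoted above and compares the target's offer with the algorithm lists shown in the CLI output on this page. The names classify, STRONG, WEAK_EXTRA and the verdict strings are illustrative assumptions.

```python
import re
# Lists copied from the CLI output on this page (strong-crypto enabled).
STRONG = {
    "key exchange method": """diffie-hellman-group-exchange-sha256
        curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384
        ecdh-sha2-nistp521""".split(),
    "cipher": "aes256-ctr aes256-gcm@openssh.com".split(),
    "MAC": """hmac-sha2-256 hmac-sha2-256-etm@openssh.com hmac-sha2-512
        hmac-sha2-512-etm@openssh.com""".split(),
}
# Extra options the page lists only when strong-crypto is disabled.
WEAK_EXTRA = {
    "key exchange method": """diffie-hellman-group14-sha1
        diffie-hellman-group-exchange-sha1""".split(),
    "cipher": """chacha20-poly1305@openssh.com aes128-ctr aes192-ctr arcfour256
        arcfour128 aes128-cbc 3des-cbc blowfish-cbc cast128-cbc aes192-cbc aes256-cbc
        arcfour rijndael-cbc@lysator.liu.se aes128-gcm@openssh.com""".split(),
    "MAC": """hmac-md5 hmac-md5-etm@openssh.com hmac-md5-96
        hmac-md5-96-etm@openssh.com hmac-sha1 hmac-sha1-etm@openssh.com
        hmac-ripemd160 hmac-ripemd160@openssh.com
        hmac-ripemd160-etm@openssh.com umac-64@openssh.com umac-128@openssh.com
        umac-64-etm@openssh.com umac-128-etm@openssh.com""".split(),
}
ERR = re.compile(r"Unable to negotiate with (\S+?)(?: port \d+)?: no matching "
                 r"(key exchange method|host key type|cipher|MAC) found\. "
                 r"Their offer: (\S+)")

def classify(line):
    """Return (host, kind, offer, verdict) for one negotiation error, else None."""
    m = ERR.search(line)
    if not m:
        return None
    host, kind, offer = m.group(1), m.group(2), m.group(3).split(",")
    if kind not in STRONG:              # the page shows no host-key list
        verdict = "no-list-on-page"
    elif set(offer) & set(STRONG[kind]):
        verdict = "in-strong-list"
    elif set(offer) & set(WEAK_EXTRA[kind]):
        verdict = "only-with-strong-crypto-disabled"
    else:
        verdict = "not-in-either-list"
    return host, kind, offer, verdict

# The two error lines quoted in the article.
SAMPLE = """Unable to negotiate with 10.10.10.10: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
Unable to negotiate with 10.10.10.11: no matching host key type found. Their offer: ssh-dss"""

if __name__ == "__main__":
    print(*map(classify, SAMPLE.splitlines()), sep="\n")
```

For the article's first error the verdict is not-in-either-list: diffie-hellman-group1-sha1 does not appear in the listing above even with strong-crypto disabled, which is why the fix belongs on the target device.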