Connecting from Ubuntu 22.04 / 24.04 to a legacy CentOS 6 server often results in errors such as:
no matching host key type found
no matching cipher found
Unable to negotiate with x.x.x.x: no matching key exchange method
Why?
CentOS 6 uses OpenSSH 5.x, which is extremely outdated and incompatible with modern SSH security requirements.
This article explains:
1. How to Check Which Ciphers / Key Exchange / HostKey Types CentOS 6 Supports
Even if SSH won't connect, you can detect supported algorithms.
Method 1: Use verbose SSH output (recommended)
ssh -vvv user@centos6-ip
Look for:
server->client cipher: …
offer: ssh-rsa,ssh-dss
Supported KEX algorithms: …
This reveals:
- Host Keys: ssh-rsa,ssh-dss
- Ciphers: aes128-cbc,aes256-cbc,3des-cbc
- KEX: diffie-hellman-group1-sha1
Method 2: Check the server SSHD config
cat /etc/ssh/sshd_config
Typical CentOS 6 entries:
Ciphers aes128-cbc,3des-cbc,aes256-cbc
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
KexAlgorithms diffie-hellman-group1-sha1
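Everything here is deprecated by today's standards.
Method 3: Query cipher compatibility manually
# Offer only a cipher OpenSSH 5.x lacks (current clients reject Ciphers=none); the other flags let negotiation reach the cipher check
ssh -oHostKeyAlgorithms=+ssh-rsa -oKexAlgorithms=+diffie-hellman-group1-sha1 -oCiphers=chacha20-poly1305@openssh.com user@centos6-ip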
Output example:
Their offer: aes128-cbc,aes256-cbc,3des-cbc
2. Safe & Practical Compatibility Flags for Connecting from Ubuntu to CentOS 6
Try them in order.
Step 1: Enable legacy RSA
ssh \
-oHostKeyAlgorithms=+ssh-rsa \
-oPubkeyAcceptedAlgorithms=+ssh-rsa \
user@ip
Step 2: Add old KEX (Group1)
ssh \
-oHostKeyAlgorithms=+ssh-rsa \
-oPubkeyAcceptedAlgorithms=+ssh-rsa \
-oKexAlgorithms=+diffie-hellman-group1-sha1 \
user@ip
Step 3: Add CBC cipher support
ssh \
-oHostKeyAlgorithms=+ssh-rsa \
-oPubkeyAcceptedAlgorithms=+ssh-rsa \
-oKexAlgorithms=+diffie-hellman-group1-sha1 \
-oCiphers=+aes128-cbc \
user@ip
Step 4: As the last resort, DSA
ssh \
-oHostKeyAlgorithms=+ssh-dss \
-oPubkeyAcceptedAlgorithms=+ssh-dss \
user@ip
Warning: DSA (ssh-dss) is highly insecure; avoid if possible.
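Rather than trying Steps 1 to 4 by hand, the flags that are actually needed can be computed from the client and server KEXINIT proposals that `ssh -vvv` (Method 1) prints. The following is an added example, not part of the original article; the log in `SAMPLE` is constructed, and the `debug2:` line format is assumed to be that of current OpenSSH clients.

```python
import re

# `ssh -vvv` field name -> ssh option, in the order the steps above enable them
FIELDS = {"host key algorithms": "HostKeyAlgorithms",
          "KEX algorithms": "KexAlgorithms", "ciphers ctos": "Ciphers"}
# Legacy algorithms named in this article, in the order its steps try them
RANK = ["ssh-rsa", "ssh-dss", "aes128-cbc", "aes256-cbc", "3des-cbc",
        "diffie-hellman-group1-sha1"]

# Constructed sample: abbreviated client proposal, server as described above
SAMPLE = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: ssh-ed25519,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa,ssh-dss
debug2: ciphers ctos: aes128-cbc,aes256-cbc,3des-cbc
"""

def parse_proposals(log):
    """Return {'client': {option: [algs]}, 'server': {option: [algs]}}."""
    props, side = {"client": {}, "server": {}}, None
    for line in map(str.strip, log.splitlines()):
        m = re.match(r"debug2: (?:local|peer) (client|server) KEXINIT proposal", line)
        side = m.group(1) if m else side
        m = re.match(r"debug2: ([\w ]+): (\S+)$", line)
        if side and m and m.group(1) in FIELDS:
            props[side][FIELDS[m.group(1)]] = m.group(2).split(",")
    return props

def legacy_flags(log):
    """Flags only for the categories where client and server share nothing."""
    props, flags = parse_proposals(log), []
    for opt in FIELDS.values():
        ours, theirs = props["client"].get(opt, []), props["server"].get(opt, [])
        if not theirs or set(ours) & set(theirs):
            continue  # nothing parsed, or negotiation already succeeds
        pick = next((a for a in RANK if a in theirs), None)
        if pick is None:
            raise ValueError(f"{opt}: no known algorithm in server offer {theirs}")
        flags.append(f"-o{opt}=+{pick}")
        if opt == "HostKeyAlgorithms":  # the article's steps pair these two
            flags.append(f"-oPubkeyAcceptedAlgorithms=+{pick}")
    return flags

if __name__ == "__main__":
    print("ssh", *legacy_flags(SAMPLE), "user@centos6-ip")
```

On a real host, pass `legacy_flags()` the text captured from `ssh -vvv user@centos6-ip 2>&1`; enabling a legacy algorithm only in the categories that fail keeps the exception as narrow as possible.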
3. Safely Upgrading OpenSSH on CentOS 6 (Without Breaking the System)
CentOS 6 OpenSSH is too old and should be upgraded. Safest method:
Option A: Install a parallel OpenSSH (recommended)
- Install build tools:
yum groupinstall "Development Tools"
yum install pam-devel openssl-devel zlib-devel
- Download OpenSSH 9.x:
wget https://openbsd.../openssh-9.x.tar.gz
tar xf openssh-9.x.tar.gz
cd openssh-9.x
- Install to a separate directory:
./configure --prefix=/opt/openssh9 --sysconfdir=/opt/openssh9/etc
make
make install
- Configure SSHD on an alternate port (e.g. 2222) in /opt/openssh9/etc/sshd_config:
Port 2222
UsePAM yes
PasswordAuthentication yes
- Start new SSHD:
/opt/openssh9/sbin/sshd
This allows:
- Existing SSH (port 22) to remain untouched
- New SSHD to run safely in parallel
- No risk of locking yourself out
Option B: 3rd-party repos
Possible but depends on trust/security; not recommended.
Option C: Build an RPM package
Clean solution but requires more time.
Final Recommendations
- CentOS 6 is EOL and insecure by default
- Prefer upgrading the OS
- If not possible, upgrade OpenSSH
- For temporary access, use the safe compatibility flags above