Nuface Blog

Casual Notes

How to Check CentOS 6 SSH Ciphers, Use Safe Compatibility Flags & Safely Upgrade OpenSSH

Posted on 2025-11-19 by Rico

Connecting from Ubuntu 22.04 / 24.04 to a legacy CentOS 6 server often fails with errors such as:

  • Unable to negotiate with x.x.x.x port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
  • Unable to negotiate with x.x.x.x port 22: no matching cipher found
  • Unable to negotiate with x.x.x.x port 22: no matching key exchange method found

Why?
👉 CentOS 6 ships OpenSSH 5.3p1 (released in 2009). Ubuntu 22.04 ships OpenSSH 8.9 and 24.04 ships 9.6, and since OpenSSH 8.8 the client refuses the SHA-1 based ssh-rsa signature scheme by default; CBC ciphers, the 1024-bit diffie-hellman-group1-sha1 exchange and DSA keys have been disabled by default for even longer. The two sides no longer share an algorithm set, so the connection is rejected during key exchange, before authentication even starts.

This article explains:

  • how to see which ciphers, key exchange methods and host key types a CentOS 6 server offers,
  • which client-side compatibility flags to use, in order from least to most permissive, and
  • how to install a current OpenSSH on CentOS 6 in parallel with the stock one without locking yourself out.

🟦 1. How to Check Which Ciphers / Key Exchange / HostKey Types CentOS 6 Supports

Even when the connection fails, the client's debug output shows the server's complete algorithm proposal, so you can see exactly what it supports.


✔️ Method 1: Use verbose SSH output (recommended)

ssh -vvv user@centos6-ip

Two levels of verbosity (-vv) are enough to see the proposal; -vvv adds packet-level detail. Look for the block that starts with:

  • debug2: peer server KEXINIT proposal
  • debug2: KEX algorithms: …
  • debug2: host key algorithms: …
  • debug2: ciphers ctos: … / debug2: ciphers stoc: …
  • debug2: MACs ctos: … / debug2: MACs stoc: …

and, when negotiation fails, the final line Unable to negotiate … Their offer: …, which repeats the server's list for the one algorithm family that had no match.

Against an old server this typically reveals:

  • Host Keys: ssh-rsa, ssh-dss
  • Ciphers: aes128-cbc, aes256-cbc, 3des-cbc
  • KEX: diffie-hellman-group1-sha1

Read the whole proposal, not just the legacy entries: a stock CentOS 6 sshd also offers aes128-ctr/aes256-ctr and diffie-hellman-group-exchange-sha256, which current clients still accept by default. In practice the only thing an Ubuntu 22.04/24.04 client usually cannot agree on with a stock CentOS 6 host is the ssh-rsa host key signature, so the RSA flag from section 2 is often all you need.

✔️ Method 2: Check the server SSHD config

This needs access to the server itself (a console, or a session you still have open):

cat /etc/ssh/sshd_config

Entries you may find on a CentOS 6 host:

Ciphers aes128-cbc,3des-cbc,aes256-cbc
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
KexAlgorithms diffie-hellman-group1-sha1

The stock file only sets the HostKey lines; a Ciphers or KexAlgorithms line is there because someone added it. When those lines are absent, the compiled-in defaults of the OpenSSH 5.3 build apply, which include the aes*-ctr ciphers and diffie-hellman-group-exchange-sha256 alongside the CBC and group1 entries. Either way, everything shown above is deprecated by today's standards, and an explicit Ciphers line restricted to CBC makes the server worse than its own defaults.


✔️ Method 3: Force a mismatch so the server lists its offer

The client prints Their offer: only for the algorithm family it failed to agree on, and it checks key exchange first, then host key, then ciphers. To list one family, restrict the client to something an OpenSSH 5.3 server does not have, while letting everything earlier in that order succeed. (Ciphers=none does not work for this: the client rejects it as a bad cipher spec before connecting.)

ssh -oHostKeyAlgorithms=+ssh-rsa -oCiphers=chacha20-poly1305@openssh.com user@centos6-ip

Output example:

Unable to negotiate with centos6-ip port 22: no matching cipher found. Their offer: aes128-cbc,aes256-cbc,3des-cbc

The same trick lists the other two families (key exchange is checked first, so it needs no extra flag; the host key check needs the key exchange to succeed first, which it does because group-exchange-sha256 is still in the client defaults):

ssh -oKexAlgorithms=sntrup761x25519-sha512@openssh.com user@centos6-ip
ssh -oHostKeyAlgorithms=ssh-ed25519 user@centos6-ip
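
The probe described in this section, as an added example that is not part of the original post: a POSIX shell script that pulls the server's KEXINIT proposal out of `ssh -vv` output and reports the minimal set of legacy client options it implies. It assumes the OpenSSH client's debug2 line format (`peer server KEXINIT proposal`, `KEX algorithms:`, `host key algorithms:`, `ciphers stoc:`); the function names and the embedded sample transcript are constructed for the example. It goes one step beyond the text by deciding, per algorithm family, whether a current client needs a flag at all.

```shell
#!/bin/sh
# Added example (not from the original post): parse the server's KEXINIT
# proposal out of `ssh -vv` output and derive the minimal legacy options.
# Assumes the OpenSSH client's debug2 line format; the function names and
# the sample transcript below are this example's own.

# Constructed sample of what an OpenSSH 8.9/9.6 client prints against a stock
# OpenSSH 5.3 server (the local client proposal and other noise are omitted).
SAMPLE_VVV='debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa,ssh-dss
debug2: ciphers ctos: aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc
debug2: ciphers stoc: aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc
debug2: MACs ctos: hmac-sha1,hmac-md5
debug2: MACs stoc: hmac-sha1,hmac-md5
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: first_kex_follows 0
debug2: reserved 0
Unable to negotiate with 192.0.2.10 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss'

# extract_peer_proposal: stdin = ssh -vv output; stdout = one "family=list" line
# per family, taken only from the server's (peer) KEXINIT block.
extract_peer_proposal() {
  sed -n '/peer server KEXINIT proposal/,/first_kex_follows/p' |
  awk -F': ' '
    $2 == "KEX algorithms"      { print "kex=" $3 }
    $2 == "host key algorithms" { print "hostkey=" $3 }
    $2 == "ciphers stoc"        { print "ciphers=" $3 }
    $2 == "MACs stoc"           { print "macs=" $3 }
  '
}

# suggest_flags: stdin = extract_peer_proposal output; stdout = the -o options a
# current client needs, one per line. Nothing is printed for a family where the
# server already offers something a modern client accepts by default.
suggest_flags() {
  while IFS='=' read -r family list; do
    case "$family" in
      hostkey)
        case ",$list," in
          *,ssh-ed25519,*|*,ecdsa-sha2-*|*,rsa-sha2-*) ;;        # modern option available
          *,ssh-rsa,*) echo "-oHostKeyAlgorithms=+ssh-rsa"
                       echo "-oPubkeyAcceptedAlgorithms=+ssh-rsa" ;;   # only matters for RSA login keys
          *,ssh-dss,*) echo "-oHostKeyAlgorithms=+ssh-dss" ;;          # DSA: last resort only
        esac ;;
      kex)
        case ",$list," in
          *curve25519*|*ecdh-sha2-*|*group-exchange-sha256*|*group14-sha256*|*group16-sha512*|*group18-sha512*) ;;
          *,diffie-hellman-group14-sha1,*) echo "-oKexAlgorithms=+diffie-hellman-group14-sha1" ;;  # 2048-bit beats group1
          *,diffie-hellman-group1-sha1,*)  echo "-oKexAlgorithms=+diffie-hellman-group1-sha1" ;;
        esac ;;
      ciphers)
        case ",$list," in
          *-ctr,*|*-gcm@openssh.com,*|*chacha20-poly1305@openssh.com,*) ;;
          *,aes128-cbc,*|*,aes256-cbc,*) echo "-oCiphers=+aes128-cbc,aes256-cbc" ;;
          *,3des-cbc,*) echo "-oCiphers=+3des-cbc" ;;
        esac ;;
    esac
  done
}

# Offline demo on the constructed sample. Against a real host replace the printf with:
#   ssh -vv -oBatchMode=yes -oConnectTimeout=5 user@host 2>&1 </dev/null
printf '%s\n' "$SAMPLE_VVV" | extract_peer_proposal | suggest_flags
```

On the sample above the script prints only the two RSA options: the server's KEX and cipher lists already contain entries a current client accepts, which is the usual picture for a stock CentOS 6 host. A server whose lists are pure CBC and group1 gets the extra flags, and DSA is only ever suggested when no RSA host key is offered.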

🟦 2. Safe & Practical Compatibility Flags for Connecting from Ubuntu → CentOS 6

Try them in order and stop at the first that works. Every flag re-enables something the OpenSSH project disabled for a reason, so add only what the server's proposal actually requires. The "+" form appends to the client's default list instead of replacing it, which keeps the strong algorithms preferred whenever both sides support them.


✔️ Step 1: Enable legacy RSA

ssh \
  -oHostKeyAlgorithms=+ssh-rsa \
  -oPubkeyAcceptedAlgorithms=+ssh-rsa \
  user@ip

HostKeyAlgorithms covers the server's host key. PubkeyAcceptedAlgorithms is only needed when your own login key is RSA, because OpenSSH 5.3 cannot verify rsa-sha2-256/512 signatures (and it does not understand ed25519 or ECDSA keys at all, so RSA is the only key type that works against it). This step alone usually gets you into a stock CentOS 6 host.

✔️ Step 2: Add old KEX (Group1)

ssh \
  -oHostKeyAlgorithms=+ssh-rsa \
  -oPubkeyAcceptedAlgorithms=+ssh-rsa \
  -oKexAlgorithms=+diffie-hellman-group1-sha1 \
  user@ip

Only needed when the server offers no diffie-hellman-group-exchange-sha256. If its offer includes diffie-hellman-group14-sha1, prefer +diffie-hellman-group14-sha1 over the 1024-bit group1.

✔️ Step 3: Add CBC cipher support

ssh \
  -oHostKeyAlgorithms=+ssh-rsa \
  -oPubkeyAcceptedAlgorithms=+ssh-rsa \
  -oKexAlgorithms=+diffie-hellman-group1-sha1 \
  -oCiphers=+aes128-cbc \
  user@ip

Only needed when the server offers no aes*-ctr cipher; a stock OpenSSH 5.3 does offer them, so this is usually a sign that someone restricted the server's Ciphers line.

✔️ Step 4: As the last resort — DSA

ssh \
  -oHostKeyAlgorithms=+ssh-dss \
  -oPubkeyAcceptedAlgorithms=+ssh-dss \
  user@ip

⚠️ DSA (ssh-dss) is limited to 1024-bit keys with SHA-1 and is highly insecure; use it only when the server has no RSA host key at all, and combine it with the flags from the earlier steps if the server needed them. OpenSSH 9.8 builds DSA support out by default and OpenSSH 10.0 removed it, so this step stops working on newer clients. Once you know the minimal set, put it in ~/.ssh/config under a Host block for that server only; never add these options globally.
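
The escalation above, as an added example that is not the post's own code: a POSIX shell script that tries the option sets in order, from the client defaults up to DSA, keeps the first one that gets a session, and prints a `~/.ssh/config` Host stanza scoped to that one server. It assumes an OpenSSH 8.x/9.x client and a login key that works non-interactively (BatchMode). The level list, which prefers group14-sha1 over group1-sha1 and adds DSA only as the cumulative last level, and all function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): walk the compatibility flags in
# order, from least to most permissive, stop at the first set that gets a
# session, and print a ~/.ssh/config stanza scoped to that one host.
# Assumes an OpenSSH 8.x/9.x client and a login key usable in BatchMode.
# The level list and the function names are this example's own.

# One option set per line; each level is the previous one plus one legacy item.
LEVELS='
-oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedAlgorithms=+ssh-rsa
-oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedAlgorithms=+ssh-rsa -oKexAlgorithms=+diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
-oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedAlgorithms=+ssh-rsa -oKexAlgorithms=+diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 -oCiphers=+aes128-cbc,aes256-cbc
-oHostKeyAlgorithms=+ssh-rsa,ssh-dss -oPubkeyAcceptedAlgorithms=+ssh-rsa,ssh-dss -oKexAlgorithms=+diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 -oCiphers=+aes128-cbc,aes256-cbc
'

# ssh_probe TARGET [OPTS...]: one non-interactive attempt; the exit status is the verdict.
# accept-new records an unknown host key instead of prompting; verify the
# fingerprint out of band afterwards, as for any first connection.
ssh_probe() {
  target=$1; shift
  ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=accept-new "$@" "$target" true 2>/dev/null
}

# find_legacy_opts TARGET: prints the first option set that works (an empty
# line if the defaults already do) and returns 1 if none does.
find_legacy_opts() {
  target=$1
  if ssh_probe "$target"; then echo ""; return 0; fi   # never weaken what already works
  while read -r opts; do
    [ -n "$opts" ] || continue
    # $opts is split on purpose: each -oKey=value becomes its own argument
    if ssh_probe "$target" $opts; then echo "$opts"; return 0; fi
  done <<EOF
$LEVELS
EOF
  return 1
}

# ssh_config_stanza NAME TARGET [OPTS...]: Host block that applies the weakened
# algorithms to this server only, never globally.
ssh_config_stanza() {
  name=$1; target=$2; shift 2
  printf 'Host %s\n    HostName %s\n' "$name" "${target#*@}"
  case "$target" in *@*) printf '    User %s\n' "${target%%@*}" ;; esac
  for o in "$@"; do printf '    %s\n' "${o#-o}" | sed 's/=/ /'; done   # -oKey=val -> Key val
}

# Usage: sh legacy_ssh.sh user@centos6-ip [alias]
if [ $# -ge 1 ]; then
  if opts=$(find_legacy_opts "$1"); then
    echo "# works with:${opts:+ $opts}"
    ssh_config_stanza "${2:-legacy-centos6}" "$1" $opts
  else
    echo "no option set worked; inspect the server proposal with ssh -vv" >&2
    exit 1
  fi
fi
```

Run it once per legacy host, paste the printed stanza into `~/.ssh/config`, and the plain `ssh alias` works afterwards without any of the weakened settings leaking to other hosts. Because the first probe uses the client defaults, a server that happens to be fine gets no legacy options at all.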


🟦 3. Safely Upgrading OpenSSH on CentOS 6 (Without Breaking the System)

CentOS 6 OpenSSH is too old and should be upgraded, but the distribution is EOL, so there is no vendor package to update to. The safest method is to build a current release into its own prefix and run it next to the stock daemon until it is proven.


✔️ Option A: Install a parallel OpenSSH (recommended)

  1. Install build tools:
yum groupinstall "Development Tools"
yum install pam-devel openssl-devel zlib-devel
  2. Download OpenSSH 9.x and verify it before unpacking. Every release ships a detached .asc signature made with the OpenSSH release key; check it, or at least the published checksum, rather than trusting a mirror:
wget https://openbsd.../openssh-9.x.tar.gz
tar xf openssh-9.x.tar.gz
cd openssh-9.x
  3. Install to a separate directory:
./configure --prefix=/opt/openssh9 --sysconfdir=/opt/openssh9/etc
make
make install
     Current OpenSSH releases require OpenSSL 1.1.1 or newer at configure time, and CentOS 6 ships 1.0.1e. Either build a newer OpenSSL into its own prefix and point configure at it with --with-ssl-dir, or configure --without-openssl, which limits the daemon to ed25519 keys, curve25519 key exchange and the chacha20-poly1305 / aes-ctr ciphers. make install also generates the new host keys under /opt/openssh9/etc; their fingerprints differ from the stock daemon's, so record them for your clients.
  4. Configure the new sshd in /opt/openssh9/etc/sshd_config on an alternate port (ex: 2222):
Port 2222
UsePAM yes
PasswordAuthentication yes
     Keep PasswordAuthentication yes only while you are bootstrapping keys: a freshly built daemon on an EOL host gets the same brute forcing the old one does, so switch it to no as soon as key login works. On a host with SELinux enforcing, register the port (semanage port -a -t ssh_port_t -p tcp 2222) and label the new binary like the stock one (chcon --reference=/usr/sbin/sshd /opt/openssh9/sbin/sshd); open the port in iptables either way.
  5. Test the configuration, then start the new sshd:
/opt/openssh9/sbin/sshd -t -f /opt/openssh9/etc/sshd_config
/opt/openssh9/sbin/sshd -f /opt/openssh9/etc/sshd_config

This allows:

  • Existing SSH (port 22) to remain untouched
  • New SSHD to run safely in parallel
  • No risk of locking yourself out, as long as you keep the port 22 session open until a login over 2222 has succeeded

Once the new daemon is proven, give it an init script (chkconfig) so it survives a reboot, and only then stop and disable the OpenSSH 5.3 daemon on port 22, or firewall port 22 off.
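
The parallel-install procedure as an added example, not the post's own code: a POSIX shell script with the two checks worth doing before the host is touched, the OpenSSL version gate and `sshd -t` on a generated, key-only sshd_config. It uses OpenSSH's real configure options (`--prefix`, `--sysconfdir`, `--with-pam`, `--with-ssl-dir`, `--with-privsep-path`) and sshd's `-t`/`-f` flags; the prefix, port, the paths under the prefix, the `SSL_DIR` environment variable and all function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): the parallel install as a script
# with an OpenSSL version gate and a config syntax check before anything
# listens. Real OpenSSH configure options are used; PREFIX, NEW_PORT, SSL_DIR,
# the paths under PREFIX and the function names are this example's own.

PREFIX=${PREFIX:-/opt/openssh9}
NEW_PORT=${NEW_PORT:-2222}

# openssl_version_ok "$(openssl version)": true only for OpenSSL >= 1.1.1,
# the minimum current OpenSSH releases accept. CentOS 6's 1.0.1e fails here.
openssl_version_ok() {
  v=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
  [ -n "$v" ] || return 1          # not an OpenSSL version string (e.g. LibreSSL): treat as not ok
  set -- $v                        # major minor patch
  [ "$1" -gt 1 ] || { [ "$1" -eq 1 ] && [ "$2" -ge 1 ] && [ "$3" -ge 1 ]; }
}

# render_sshd_config PREFIX PORT: hardened, key-only config for the new daemon;
# every path is inside PREFIX so nothing collides with the stock sshd on port 22.
render_sshd_config() {
  cat <<EOF
Port $2
PidFile $1/var/run/sshd.pid
HostKey $1/etc/ssh_host_ed25519_key
HostKey $1/etc/ssh_host_rsa_key
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
UsePAM yes
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
MaxAuthTries 3
LogLevel VERBOSE
Subsystem sftp $1/libexec/sftp-server
EOF
}

# install_parallel_openssh SRC_DIR: configure/make/install into PREFIX, write the
# config, syntax-check it, start on NEW_PORT. Port 22 is never touched here.
install_parallel_openssh() {
  src=$1
  if [ -z "${SSL_DIR:-}" ] && ! openssl_version_ok "$(openssl version 2>/dev/null)"; then
    echo "system OpenSSL is older than 1.1.1; build a newer one into its own prefix and" >&2
    echo "re-run with SSL_DIR=/that/prefix, or run configure --without-openssl by hand" >&2
    return 1
  fi
  ssl_opt=${SSL_DIR:+--with-ssl-dir=$SSL_DIR}     # SSL_DIR must not contain spaces
  # make install also generates the host keys into $PREFIX/etc and creates the privsep dir
  (cd "$src" && ./configure --prefix="$PREFIX" --sysconfdir="$PREFIX/etc" --with-pam \
      --with-privsep-path="$PREFIX/var/empty" $ssl_opt && make && make install) || return 1
  mkdir -p "$PREFIX/var/run"
  render_sshd_config "$PREFIX" "$NEW_PORT" > "$PREFIX/etc/sshd_config"
  if command -v semanage >/dev/null 2>&1 && [ "$(getenforce 2>/dev/null)" = Enforcing ]; then
    semanage port -a -t ssh_port_t -p tcp "$NEW_PORT" 2>/dev/null || semanage port -m -t ssh_port_t -p tcp "$NEW_PORT"
  fi
  "$PREFIX/sbin/sshd" -t -f "$PREFIX/etc/sshd_config" || return 1   # syntax and host-key check before listening
  "$PREFIX/sbin/sshd" -f "$PREFIX/etc/sshd_config" || return 1
  echo "sshd listening on $NEW_PORT; keep this session open and test: ssh -p $NEW_PORT $(hostname)"
}

# Usage: sh parallel_openssh.sh install /path/to/openssh-9.x   |   sh parallel_openssh.sh config
case "${1:-}" in
  install) install_parallel_openssh "${2:?usage: $0 install /path/to/openssh-9.x}" ;;
  config)  render_sshd_config "$PREFIX" "$NEW_PORT" ;;
esac
```

The generated config deliberately lists only current algorithms: the point of the new daemon is to stop offering ssh-rsa SHA-1, CBC and group1 at all, so the compatibility flags from section 2 become unnecessary for this host. Nothing in the script stops or reconfigures the OpenSSH 5.3 daemon; do that by hand only after a key login over 2222 has succeeded from a second session.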

✔️ Option B: 3rd-party repos

Possible, but it means running an sshd built by whoever maintains the repository, and repositories targeting an EOL release tend to be abandoned themselves → not recommended.


✔️ Option C: Build an RPM package

The cleanest solution, because the package manager tracks every file and can replace the stock openssh-server outright, but it requires more time: the spec file, build dependencies and init script all have to be maintained by you.


🟦 Final Recommendations

  • CentOS 6 has been EOL since November 2020 and receives no security fixes: insecure by default
  • Prefer upgrading the OS
  • If that is not possible, upgrade OpenSSH as in section 3 and retire the OpenSSH 5.3 daemon once the new one is proven
  • For temporary access, use only the compatibility flags the server's proposal actually requires, scoped to that host in ~/.ssh/config
