When running OpenSSH in debug mode (-d flag), you might encounter this critical error sequence:
debug1: list_hostkey_types:
No supported key exchange algorithms
debug1: do_cleanup
This immediately terminates the SSH connection attempt, with the client receiving a terse "Connection closed" message.
The error occurs when:
- Client and server complete version negotiation
- During algorithm negotiation phase, no common key exchange method is found
- This typically happens with mismatched Protocol settings or missing host keys
First, check your sshd_config for proper protocol and algorithm settings:
# Minimum viable configuration to test key exchange
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
KexAlgorithms curve25519-sha256,ecdh-sha2-nistp256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com
For older systems (like OpenSSH 5.x shown in the logs), try these backward-compatible settings:
KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha1
To systematically diagnose:
# On server:
sshd -T | grep -E 'kex|cipher|mac' > sshd_config_check.txt
# On client (ssh -Q requires OpenSSH 6.3 or later):
ssh -Q kex > supported_kex.txt
ssh -vvv user@host 2>&1 | grep -i kex > connection_attempt.txt
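The files saved by the commands above can be compared offline. The following is an added example, not part of the original page: it checks a saved `sshd -d` log for the empty `list_hostkey_types:` line and lists the key exchange algorithms common to both sides. The function names, the `sshd_debug.txt` file name and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names, file names and sample contents are constructed.

# Succeed only if a saved `sshd -d` log lists at least one host key type.
# An empty "list_hostkey_types:" line means sshd loaded no host keys.
hostkeys_loaded() {
    awk '/list_hostkey_types:/ { ok = ($NF != "list_hostkey_types:") }
         END { exit !ok }' "$1"
}

# Print the kexalgorithms value from saved `sshd -T` output, one per line.
server_kex() {
    awk 'tolower($1) == "kexalgorithms" { gsub(",", "\n", $2); print $2 }' "$1"
}

# Print algorithms present in both the client list ($1, `ssh -Q kex`
# output) and the server list ($2, `sshd -T` output); exit 1 if none.
common_kex() {
    # -F -x: literal whole-line match, so "." and "@" are not regex syntax
    # and group14-sha1 cannot match group14-sha256.
    server_kex "$2" | grep -Fx -f "$1"
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed sample inputs mirroring the files named above.
    printf 'debug1: list_hostkey_types:\n' > "$dir/sshd_debug.txt"
    printf 'kexalgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1\n' \
        > "$dir/sshd_config_check.txt"
    printf '%s\n' curve25519-sha256 diffie-hellman-group14-sha1 > "$dir/supported_kex.txt"

    hostkeys_loaded "$dir/sshd_debug.txt" ||
        echo "no host keys loaded: check HostKey paths and permissions"
    if shared=$(common_kex "$dir/supported_kex.txt" "$dir/sshd_config_check.txt"); then
        echo "common KEX: $shared"
    else
        echo "no common KEX algorithm"
    fi
    rm -rf "$dir"
}
demo
```

An empty host key list and an empty intersection both end in the same "No supported key exchange algorithms" message, so check the host keys first.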
For current OpenSSH versions (8.0+), these are the preferred settings:
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512
When dealing with very old SSH implementations (like the OpenSSH 5.2 in the example):
- Ensure all host key types exist:
ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key
- Explicitly enable protocol 1 compatibility if needed:
Protocol 2,1
RSAAuthentication yes
When encountering the "No supported key exchange algorithms" error in OpenSSH (specifically OpenSSH_5.2 in this case), it typically indicates a fundamental mismatch between the client and server's cryptographic capabilities. Let's examine the key components from the debug output:
debug1: list_hostkey_types:
No supported key exchange algorithms
debug1: do_cleanup
The error occurs during the initial SSH handshake phase when the client (OpenSSH_5.5) and server (OpenSSH_5.2) attempt to negotiate a mutually supported key exchange method. Modern OpenSSH versions have deprecated several older algorithms for security reasons.
The provided sshd_config shows some potential issues:
Protocol 1,2
HostKey ./ssh_host_key
HostKey ./ssh_host_rsa_key
HostKey ./ssh_host_dsa_key
This configuration is using legacy protocol settings. Let's examine a more secure modern configuration:
# Recommended modern configuration
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
KexAlgorithms curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
Here's how to resolve this issue in different scenarios:
For Modern Systems (OpenSSH 8.0+)
# /etc/ssh/sshd_config
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com
For Legacy Systems (Backward Compatibility)
# /etc/ssh/sshd_config
KexAlgorithms diffie-hellman-group-exchange-sha256
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha2-256,hmac-sha1
When troubleshooting, use these commands to test your configuration:
# Check supported algorithms
ssh -Q kex
ssh -Q cipher
ssh -Q mac
# Test connection with specific algorithms
ssh -oKexAlgorithms=diffie-hellman-group-exchange-sha256 \
-oCiphers=aes128-ctr \
-oMACs=hmac-sha2-256 \
user@host
The original error shows OpenSSH_5.2 (2008 era) connecting to OpenSSH_5.5 (2010). These versions have significant algorithm differences:
- OpenSSH 5.2: Uses diffie-hellman-group1-sha1 (now considered weak)
- OpenSSH 5.5: Expects more modern algorithms by default
For such legacy systems, consider either upgrading or explicitly configuring compatible algorithms:
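# For OpenSSH 5.2 compatibility
# (the KexAlgorithms keyword itself is only recognised by OpenSSH 5.7 and later;
# older releases reject it as a bad configuration option)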
KexAlgorithms diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
HostKeyAlgorithms ssh-rsa,ssh-dss
Ciphers aes128-cbc,3des-cbc