The core issue stems from Debian Jessie's default SSH configuration using stronger encryption parameters than Wheezy. The error message "SSHException: Incompatible ssh peer (no acceptable kex algorithm)" indicates a protocol incompatibility between MySQL Workbench's Paramiko library and Debian Jessie's OpenSSH server: the two sides share no key exchange (kex) algorithm.
Comparing the sshd_config files reveals critical changes:
# Debian Wheezy
ServerKeyBits 768
# Debian Jessie
ServerKeyBits 1024
HostKey /etc/ssh/ssh_host_ed25519_key # New in Jessie
Jessie also enables more modern crypto algorithms by default. MySQL Workbench 6.3.3 uses Paramiko 1.15.x which doesn't support the newer algorithms Jessie prefers.
Option 1: Modify SSH Server Configuration
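Edit /etc/ssh/sshd_config on your Debian Jessie server. Each directive replaces sshd's default list for that category, so only the algorithms named here remain available to every client: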
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
MACs hmac-sha1,hmac-md5
Then restart SSH: service ssh restart
Option 2: Upgrade MySQL Workbench
Newer versions (6.3.6+) include Paramiko 2.0+ with better algorithm support:
# Check current Paramiko version in Workbench
import paramiko
print(paramiko.__version__)
Option 3: Create the Missing SSH Directory
The error suggests a missing known_hosts file location. Create the directory structure from a Windows Command Prompt:
mkdir "C:\Users\myUser\AppData\Roaming\MySQL\Workbench\ssh"
type NUL > "C:\Users\myUser\AppData\Roaming\MySQL\Workbench\ssh\known_hosts"
After applying any solution, test the connection with:
ssh -vvv root@x.x.x.x
Check for successful key exchange in the verbose output.
For environments where SSH config can't be modified, consider:
# Local port forwarding alternative
ssh -L 3307:127.0.0.1:3306 root@x.x.x.x
Then connect Workbench to 127.0.0.1:3307 using standard TCP/IP.
For production systems, always balance security with compatibility by carefully selecting algorithms rather than completely downgrading security settings.
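The trade-off in Option 1, as an added example that is not part of the original page: this Python sketch applies the SSH first-match negotiation rule (RFC 4253, section 7.1, simplified) to a legacy client and two server configs, then reports which weak algorithms the server enables without this client ever selecting them. The function names, the client's lists, the modern-only config and the WEAK set are constructed assumptions; only the Option 1 lines come from the page.

```python
DIRECTIVES = ("kexalgorithms", "ciphers", "macs")
# Algorithms this added example treats as legacy-only (an assumption of the demo).
WEAK = {"diffie-hellman-group1-sha1", "hmac-md5", "3des-cbc"}

def parse_sshd_algorithms(config_text):
    """Map each algorithm directive set in sshd_config text to its list."""
    found = {}
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) != 2:
            continue
        key = parts[0].lower()  # sshd_config keywords are case-insensitive
        if key in DIRECTIVES and key not in found:  # first value wins
            found[key] = [a.strip() for a in parts[1].split(",") if a.strip()]
    return found

def negotiate(client_list, server_list):
    """Simplified RFC 4253 7.1: first client entry the server also offers."""
    return next((a for a in client_list if a in server_list), None)

def check(client, config_text):
    """Negotiate each directive the config sets; list weak algorithms enabled."""
    server = parse_sshd_algorithms(config_text)
    chosen = {d: negotiate(client.get(d, []), algs) for d, algs in server.items()}
    weak = sorted(WEAK & {a for algs in server.values() for a in algs})
    unused = [a for a in weak if a not in chosen.values()]
    return {"chosen": chosen, "weak_enabled": weak, "weak_unused": unused}

# Constructed legacy client (not an authoritative list for any Paramiko release).
LEGACY_CLIENT = {
    "kexalgorithms": ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group1-sha1"],
    "ciphers": ["aes128-ctr", "aes256-ctr", "aes128-cbc", "3des-cbc"],
    "macs": ["hmac-sha1", "hmac-md5"]}
# Constructed modern-only server config.
MODERN_ONLY = """
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha2-256,hmac-sha2-512
"""
# The Option 1 lines from this page.
OPTION_1 = """
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
MACs hmac-sha1,hmac-md5
"""
if __name__ == "__main__":
    for name, cfg in (("modern-only", MODERN_ONLY), ("option 1", OPTION_1)):
        print(name, check(LEGACY_CLIENT, cfg))
```

A None under "chosen" is the condition that surfaces as "no acceptable kex algorithm" (or its cipher/MAC equivalent); entries under "weak_unused" are candidates to drop from the server lists for this client.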
When attempting to establish a TCP/IP over SSH connection from MySQL Workbench (versions 6.3.3 and 6.0.9) to a Debian Jessie server, users encounter the following error:
Could not connect the SSH Tunnel
Authentication error, unhandled exception caught in tunnel manager
SSHException: Incompatible ssh peer (no acceptable kex algorithm)
The primary issue stems from cryptographic protocol differences between Debian's SSH implementations. Debian Jessie ships with OpenSSH that enforces stronger security defaults:
# Key differences between Wheezy and Jessie SSH configs
Wheezy: ServerKeyBits 768
Jessie: ServerKeyBits 1024
# Additional in Jessie:
HostKey /etc/ssh/ssh_host_ed25519_key
1. Modify SSH Server Configuration
Edit /etc/ssh/sshd_config on your Debian Jessie server:
# Add these lines to support legacy clients
KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512
# Then restart SSH service
service ssh restart
2. MySQL Workbench Configuration
Create the missing SSH directory structure:
mkdir "%APPDATA%\MySQL\Workbench\ssh"
type NUL > "%APPDATA%\MySQL\Workbench\ssh\known_hosts"
Option A: Upgrade MySQL Workbench
Later versions (6.3.6+) include updated Paramiko libraries that support modern key exchange algorithms.
Option B: Port Forwarding Manual Setup
If the issue persists, establish the SSH tunnel manually:
ssh -L 3306:localhost:3306 user@your_debian_jessie_server
Then configure MySQL Workbench to connect to 127.0.0.1:3306 without SSH tunneling.
While these solutions work, consider strengthening security after establishing connectivity:
- Migrate to key-based authentication
- Set up a dedicated MySQL user with restricted privileges
- Configure firewall rules to limit access
# Example firewall rule for MySQL
iptables -A INPUT -p tcp --dport 3306 -s your.workstation.ip -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j DROP
After applying fixes, verify SSH connectivity with verbose output:
ssh -vvv root@your_server_ip
Check for successful key exchange in the output. The connection should now establish without the "no acceptable kex algorithm" error.