Unable to negotiate with IP Address port 22: no matching cipher found error connecting to Cisco switch from Mac

I recently attempted to open an SSH session from my MacBook Pro with macOS Big Sur to a Cisco Catalyst WS-C2960CG-8TC compact switch running Cisco IOS 15.0 and received the following error message: “Unable to negotiate with <IP Address> port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes-256-cbc”.

Cisco IOS 15 secure shell (SSH) servers support the encryption algorithms (Advanced Encryption Standard Counter Mode [AES-CTR], AES Cipher Block Chaining [AES-CBC], Triple Data Encryption Standard [3DES]) in the following order:

  1. aes128-ctr
  2. aes192-ctr
  3. aes256-ctr
  4. aes128-cbc
  5. 3des-cbc
  6. aes192-cbc
  7. aes256-cbc

Unfortunately, these ciphers were deprecated in the OpenSSH 7.6p1 release, and Big Sur is using OpenSSH_8.1p1. If you run the command ssh -V, you will see the SSH version your MacBook is running.

One way around the issue is to force my MacBook to use one of the listed ciphers by using the following command:

ssh -c 3des-cbc admin@<IP Address>

But I really didn’t want to have to type that for every SSH session I made to this switch, so I modified the ssh configuration on my MacBook to allow the supported ciphers using the following steps:

  1. nano /etc/ssh/ssh_config
  2. Scroll down to the Ciphers line and remove the leading # (the comment marker), then save the file.

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc

Now you can ssh without adding the cipher!
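
An added example, not part of the original post: a shell helper that reads the server's offer out of the error line and prints a per-host block for ~/.ssh/config, so the legacy cipher is enabled for the switch only rather than for every connection the Mac makes. The address 192.0.2.10, the sample error line and the AES-before-3DES preference order are assumptions made for this example.

```sh
#!/bin/sh
# Added example. The switch address (192.0.2.10) and the sample error line
# are constructed; the preference order below is an assumption.

# Pull the comma-separated cipher list out of an OpenSSH client error line:
#   "... no matching cipher found. Their offer: a,b,c"
offered_ciphers() {
    printf '%s\n' "$1" |
        sed -n 's/.*Their offer: *\([A-Za-z0-9@.,_-]*\).*/\1/p'
}

# Return the first cipher in our preference order that the server offers.
# AES-CBC is preferred over 3DES-CBC; fail if none of them is offered.
pick_cipher() {
    list=",$1,"
    for c in aes256-cbc aes192-cbc aes128-cbc 3des-cbc; do
        case "$list" in
            *",$c,"*) printf '%s\n' "$c"; return 0 ;;
        esac
    done
    return 1
}

# Print a Host block for ~/.ssh/config. "Ciphers +name" appends one cipher
# to the client's default list, and the Host line limits it to this device.
host_stanza() {
    offer=$(offered_ciphers "$2")
    [ -n "$offer" ] || return 1
    cipher=$(pick_cipher "$offer") || return 1
    printf 'Host %s\n    Ciphers +%s\n' "$1" "$cipher"
}

# Constructed sample input, modelled on the error shown above.
sample='Unable to negotiate with 192.0.2.10 port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc'
host_stanza 192.0.2.10 "$sample"
```

Append the printed block to ~/.ssh/config; ssh -Q cipher lists the ciphers your client build supports.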

