View Single Post
  #1  
Old 10-02-2018, 12:48 PM
bgagnon bgagnon is offline
VanDyke Technical Support
 
Join Date: Oct 2008
Posts: 4,520
Question FAQ: What causes the "No compatible key-exchange method" error in SecureCRT?

If you are getting some form of the below error:
Key exchange failed.
No compatible key-exchange method.
The server supports these methods: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14


You can turn on Trace Options output (File menu) and find this info:
Code:
[LOCAL] : Available Remote Kex Methods = curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1 
[LOCAL] : Selected Kex Method = ecdh-sha2-nistp521


KEX or Key Exchange methods: In SecureCRT, configurable in the Connection / SSH2 category of Session Options.
As of version 8.7.3, the current Key Exchange algorithms supported are (with version when support was first added):
diffie-hellman-group18-sha512 (v8.7.x)
diffie-hellman-group16-sha512 (v8.7.x)
diffie-hellman-group14-sha256 (v8.7.x)
curve25519-sha256 (v8.5.x)*
ecdh-sha2-nistp521 (v7.3.x)
ecdh-sha2-nistp384 (v7.3.x)
ecdh-sha2-nistp256 (v7.3.x)
diffie-hellman-group-exchange-sha256 (v7.3.x)
diffie-hellman-group14 (v5.0.x)
diffie-hellman-group (v3.0.x)
Kerberos (v3.0.x)*
Kerberos (Group Exchange) (v3.0.x)*
*Not available when client is running in FIPS mode


Note that while diffie-hellman is still available, it was disabled as of v8.0 due to well-documented flaws in the algorithm associated with news surrounding the Logjam vulnerability. Many other SSH servers and clients have turned off default support for the diffie-hellman key exchange algorithm.

Changes in SecureCRT 8.0 (Beta 1) -- January 28, 2016 (8.0.0.1011)
-----------------------------------------------------------------------------------
Changes:
  • SSH2: The "diffie-hellman" key exchange algorithm is off for the default session. This change only affects new installations.


You can employ the power of editing the Default session to enable any new key-exchange algorithms in all of your existing and future sessions. Here are some links to a tip and a video that provide more details about using the Default session to make mass changes to multiple sessions:
https://www.vandyke.com/support/tips/defaultset.html
https://www.youtube.com/watch?v=5RbuZn9L48g
Note: In order for a "change" to be applied to all other sessions, the Default session's option/field you're targeting must actually be modified/different from its current value.
Attached Images
File Type: png line.png (522 Bytes, 35924 views)
File Type: png key_ex_error_in_SCRT.png (29.0 KB, 16245 views)
File Type: png SCRT873_altered_key_ex_category.png (47.5 KB, 5363 views)
__________________
Thanks,
--Brenda

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730

Last edited by bgagnon; 10-29-2020 at 09:09 AM. Reason: Update regarding three new methods in 8.7