ssh Unable to negotiate: "no matching cipher found", is rejecting cbc

The -cbc algorithms have turned out to be vulnerable to an attack. As a result, up-to-date versions of OpenSSH will now reject those algorithms by default: for now, they are still available if you need them, but as you discovered, you must explicitly enable them.

Initially, when the vulnerability was discovered (in late 2008, nearly 10 years ago!), those algorithms were only placed at the tail end of the priority list for the sake of compatibility, but now their deprecation in SSH has reached a phase where those algorithms are disabled by default. According to this question on Cryptography.SE, this deprecation step was already happening in 2014.

Please consider this a gentle reminder to update your SSH server, if at all possible. (If it's a firmware-based implementation, see if updated firmware is available for your hardware.)


Create a file at ~/.ssh/config and paste the content below:

Host *
  SendEnv LANG LC_*
  Ciphers +aes256-cbc

You can update your ssh configuration from the file located at: /etc/ssh/ssh_config

  1. Launch a terminal.
  2. Paste the line into the terminal: sudo nano /etc/ssh/ssh_config
  3. Enter your password. Press Enter. The SSH config file will be displayed.
  4. Un-comment the line: Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
  5. Press Ctrl + X. Press Enter to save and exit.
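
An added example, not part of any answer above: instead of enabling a CBC cipher under `Host *` or system-wide, this script reads the OpenSSH client's negotiation error and emits a stanza that enables a single legacy cipher for that one server. The sample error line, its address 192.0.2.10, the preference order and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: build a host-scoped ssh_config stanza from the client's
# "no matching cipher found" error, so CBC stays disabled everywhere else.

# Preference among legacy ciphers (assumption: AES-CBC before 3DES-CBC).
LEGACY_PREF="aes256-cbc aes192-cbc aes128-cbc 3des-cbc"

# Constructed sample of the client error; address and offer are made up.
SAMPLE_ERR='Unable to negotiate with 192.0.2.10 port 22: no matching cipher found. Their offer: 3des-cbc,aes128-cbc,aes256-cbc'

# Print the server address from the error line (empty if it does not match).
err_host() {
    printf '%s\n' "$1" | sed -n \
        's/^Unable to negotiate with \([^ ]*\) port [0-9]*: no matching cipher found\..*/\1/p'
}

# Print the server's comma-separated cipher offer.
err_offer() {
    printf '%s\n' "$1" | sed -n \
        's/.*no matching cipher found\. Their offer: \(.*\)$/\1/p'
}

# Pick the first cipher in LEGACY_PREF that the server offers.
pick_cipher() {
    for want in $LEGACY_PREF; do
        case ",$1," in
            *",$want,"*) printf '%s\n' "$want"; return 0 ;;
        esac
    done
    return 1   # nothing on the legacy list was offered
}

# Emit a stanza that appends one cipher for this host only.
make_stanza() {
    host=$(err_host "$1")
    offer=$(err_offer "$1")
    [ -n "$host" ] && [ -n "$offer" ] || return 1
    cipher=$(pick_cipher "$offer") || return 1
    printf 'Host %s\n  Ciphers +%s\n' "$host" "$cipher"
}

make_stanza "$SAMPLE_ERR"
```

Append the output to ~/.ssh/config, then confirm what the client will actually use for that server with `ssh -G 192.0.2.10 | grep -i '^ciphers'`.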