I have created an Ubuntu droplet (via Laravel Forge if that matters) and am trying to remote connect to MySql using Navicat. I have installes by SSH key and am able to connect via SSH. I am also able to log into MySql on the server once I am logged in.

However when I try to remote-connect to MySql using SSH tunnel, the response I get from Navicat is

80070007: SSH Tunnel: Server does not support diffie-hellman-group1-sha1 for 

Is there anything I am missing?

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

3 answers

Ok, here is the solution:

  1. Enable the correct Kex:
sudo nano /etc/ssh/sshd_config

append with these lines to ensure correct digest:

KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
Ciphers 3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr

Regenerate all keys:

ssh-keygen -A

Credit goes here

and then restart ssh service:

sudo service ssh restart

After these steps you would need to update your local known_hosts file, as the SSH key has changed.
Say, your Digital Ocean droplet IP is

Locate it in ~.ssh/known_hosts and remove the line that begins with this

In a new shell window test you can connect to your instance!

Next time you log in you will be asked to add the host to known hosts again.

  • Hello, This fix doesn’t work anymore. Any new fix?

  • Hi there,

    For anyone who comes across this question in 2020, I think that you’d does not work because of the 3des-cbc and blowfish-cbc ciphers.

    You can try with the following settings instead:

    KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc


Hey, thank you for posting this. It saved me a ton of time.


ssh-keygen -A command gives below error..
ssh-keygen: illegal option – A
usage: ssh-keygen [options]
-a trials Number of trials for screening DH-GEX moduli.
-B Show bubblebabble digest of key file.
-b bits Number of bits in the key to create.
-C comment Provide new comment.
-c Change comment in private and public key files.
-D pkcs11 Download public key from pkcs11 token.
-e Convert OpenSSH to RFC 4716 key file.
-F hostname Find hostname in known hosts file.
-f filename Filename of the key file.
-G file Generate candidates for DH-GEX moduli.
-g Use generic DNS resource record format.
-H Hash names in knownhosts file.
-h Generate host certificate instead of a user certificate.
-I key
id Key identifier to include in certificate.
-i Convert RFC 4716 to OpenSSH key file.
-L Print the contents of a certificate.
-l Show fingerprint of key file.
-M memory Amount of memory (MB) to use for generating DH-GEX moduli.
-N phrase Provide new passphrase.
-O option Specify a certificate option.
-P phrase Provide old passphrase.
-p Change passphrase of private key file.
-q Quiet.
-R hostname Remove host from knownhosts file.
-r hostname Print DNS resource record.
-S start Start point (hex) for generating DH-GEX moduli.
-s ca
key Certify keys with CA key.
-T file Screen candidates for DH-GEX moduli.
-t type Specify type of key to create.
-V from:to Specify certificate validity interval.
-v Verbose.
-W gen Generator to use for generating DH-GEX moduli.
-y Read private key file and print public key.
-Z name,… User/host principal names to include in certificate
-z serial Specify a serial number.

S K Gupta

Submit an Answer