Server does not support diffie-hellman-group1-sha1 for keyexchange

July 26, 2016 14.2k views

I have created an Ubuntu droplet (via Laravel Forge if that matters) and am trying to remote connect to MySql using Navicat. I have installes by SSH key and am able to connect via SSH. I am also able to log into MySql on the server once I am logged in.

However when I try to remote-connect to MySql using SSH tunnel, the response I get from Navicat is

80070007: SSH Tunnel: Server does not support diffie-hellman-group1-sha1 for 

Is there anything I am missing?

2 Answers
JNZ July 26, 2016
Accepted Answer

Ok, here is the solution:

  1. Enable the correct Kex:
sudo nano /etc/ssh/sshd_config

append with these lines to ensure correct digest:

KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
Ciphers 3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr

Regenerate all keys:

ssh-keygen -A

Credit goes here

and then restart ssh service:

sudo service ssh restart

After these steps you would need to update your local known_hosts file, as the SSH key has changed.
Say, your Digital Ocean droplet IP is

Locate it in ~.ssh/known_hosts and remove the line that begins with this

In a new shell window test you can connect to your instance!

Next time you log in you will be asked to add the host to known hosts again.

Hey, thank you for posting this. It saved me a ton of time.

Have another answer? Share your knowledge.