Today I was configuring a new ASA in my lab environment. I had also fired up a brand new Ubuntu VM to be my SCP server. When I tried to copy files from Ubuntu to the ASA, it would give me the error “permission denied”. Of course, this sent me looking to see why my recently set password was denied.

At first, I did the normal things like resetting my password and verifying that I could SSH to the box from another host. When I found that the ASA was the only thing that couldn’t perform an SCP from the host, I was perplexed. My Linux skills kicked in and I looked at /var/log/auth.log to see what Ubuntu was seeing.

Nov 14 09:41:12 user-PC sshd[2242]: Unable to negotiate with 192.168.250.1 port 47601: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]

Bingo, the smoking gun has been found. I had forgotten that by default the ASA is configured with SSH using DH group 1. OpenSSH on Ubuntu requires a higher level of encryption now. The fix was to change the ASA to use DH group 14.

ciscoasa (config)# ssh key-exchange group dh-group14-sha1

Hopefully, this will help someone avoid wasting time like I did this morning on something silly. Oh and go ahead and add the ssh key-exchange command to your routine configuration while you’re at it.