hoaxe

Q: SSH - no matching host key type found

Hi all!


I'm for the moment a somewhat happy camper after installing MacOS Sierra. A few hours after the update, I was up for some SSH sessions to some of my servers and routers. Hmm, I can't connect to the boxes. What's up?


The first server responded with:

Unable to negotiate with <IPADDR> port 22: no matching host key type found. Their offer: ssh-dss


This issue was solved through a search on Google. The solution was (not to update the server, which I must do soon) to delete the comment pound sign "#" before the row that starts with "MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160" and add the row "HostkeyAlgorithms ssh-dss" last in the /etc/ssh/ssh_config file. Next I created a separate part for each server that needs some legacy support:

"Host <SRV>
        KexAlgorithms diffie-hellman-group1-sha1"


The second server responded with:

Unable to negotiate with <IPADDR> port 22: no matching host key type found. Their offer: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-ed25519


This issue is also solved. This solution wasn't found on Google; I just thought this would work. I just added the algorithms "ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-ed25519" after the "HostkeyAlgorithms ssh-dss" (be sure to add a ",").


Question 1

Anyway... are there any security issues or other concerns that I should know about with this lack of support, or is it just okay to add this to the /etc/ssh/ssh_config file?

Question 2

Which of these algos should or should not be used?

"HostkeyAlgorithms ssh-dss,ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-ed25519"

Question 3

What is the best practice and recommended configuration for the /etc/ssh/ssh_config file?


All the best!

/J

MacBook Pro with Retina display, macOS Sierra (10.12)

Posted on Sep 27, 2016 10:47 AM
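An added example of how a practitioner would scope this, not the poster's own file: the global defaults stay untouched and the weak algorithms are enabled only for the one legacy host, appended with "+" (OpenSSH 7.0 or later) instead of replacing the client's list. The hostname is a placeholder; note that the global "HostkeyAlgorithms ssh-dss" line in the post limits the client to ssh-dss for every host, which is why the second server's offer of ssh-rsa/ssh-ed25519 then failed to match, and that the uncommented MACs line (hmac-md5 included) is not needed for either error, since both were host key type mismatches.

```ssh_config
# Added example, not the poster's /etc/ssh/ssh_config. Hostname is a placeholder.
# No global HostKeyAlgorithms/KexAlgorithms/MACs lines: every other host keeps
# the client's default (modern) preferences.

# Only the legacy box gets the weak algorithms, appended (+) to the defaults.
# Host blocks are first-match, so this stanza must come before any "Host *".
Host legacy-router.example.net
    HostKeyAlgorithms +ssh-dss
    KexAlgorithms +diffie-hellman-group1-sha1
    # Refuse unknown or changed keys: a downgraded connection to an impostor
    # that also offers these weak algorithms is still rejected.
    StrictHostKeyChecking yes

# The second server (ssh-rsa, rsa-sha2-512, rsa-sha2-256, ssh-ed25519) needs
# no stanza at all once HostKeyAlgorithms is no longer forced to ssh-dss.

# Catch-all last; deliberately empty of algorithm overrides so the stricter
# defaults apply everywhere else.
Host *
    HashKnownHosts yes
```

Check the effective values without connecting: `ssh -G legacy-router.example.net | grep -i -e hostkeyalgorithms -e kexalgorithms` should show ssh-dss and diffie-hellman-group1-sha1 appended for the legacy host only.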


  • hoaxe, Sep 27, 2016 10:43 PM in response to hoaxe
    Level 1 (4 points)
    Mac OS X

    Now, this seems to be one of the things I missed:

    - The problem is that DSA keys are obsolete after OpenSSH 7.0, which the new system seems to use.

    - If you're going to add DSA keys back in, then you could just use telnet...