No matching host key type found their offer: ssh-rsa Bitbucket


OpenSSH 8.8 is now in the stable channel of Arch Linux and could reach other distributions soon.

In release 8.7, the OpenSSH team announced that the ssh-rsa signature scheme would be disabled by default in the next version, 8.8.

Why?

The ssh-rsa signature scheme uses SHA-1, which is vulnerable to chosen-prefix collision attacks.

What should I do?

This should not be a problem unless you are connecting to a server using the weak ssh-rsa public key algorithm for host authentication.

💡 If you're using version 8.7 or earlier, you can test your remote hosts (a GitLab instance, a cloud server) with:

ssh -oHostKeyAlgorithms=-ssh-rsa user@host


If the connection fails, the server's host key signature algorithm is not accepted by the default configuration of OpenSSH 8.8.

Enabling the weak signature

If you can't upgrade the signature algorithm on your remote servers but still need to use them, you can re-enable it for a single connection with:

ssh -oHostKeyAlgorithms=+ssh-rsa user@host


Using the weak signature with Git

Right now, Bitbucket still uses this weak signature algorithm, and you probably need the Git repositories hosted there. 🥺 You can check your connection with the following command:

ssh -oHostKeyAlgorithms=+ssh-rsa 


How can we enable this option for all Git commands? The easy solution is an SSH configuration file with the following content:

Host bitbucket.org
     HostKeyAlgorithms +ssh-rsa
     IdentitiesOnly yes


The default location of this file is ~/.ssh/config; you may already have one. Once you add this entry, every git command against bitbucket.org works without extra options.

That's all

I hope this helps you keep SSHing around the world 🗺️

I am trying to use the command:

ssh -i id_rsa root@<ip>

This gave me the error as:

Unable to negotiate with port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss

Also after googling a bit, I tried:

ssh -oHostKeyAlgorithms=+ssh-dss -i id_rsa root@<ip>

And this command prompts for a password even though I am using id_rsa for authentication.

How should I use an OpenSSH private key to authenticate over SSH?

I am using Kali Linux, 16.0-kali6-amd64 (2022-03-23) x86_64 GNU/Linux

In the verbose output, it shows "no such directory" for 'load_hostkeys'. Then a DSA host key is found:

Get agent_identities: agent contain no identities, Will attempt some key (explicitly)

send_pubkey_test: no mutual signature algorithm

After that it tries password authentication and gives a prompt.

I am accustomed to using Putty on a Windows box or an OSX command line terminal to SSH into a NAS, without any configuration of the client.

Ubuntu 16.04 attempts to SSH into the NAS (via LAN):

ssh 

Unable to negotiate with 192.168.8.109 port 22: no matching host key type found. Their offer: ssh-dss
  1. Is this result / response intentional?
  2. Is there a simple correction that enables SSH access to the NAS?

asked Oct 12, 2016 at 12:24


gatorback


The version of OpenSSH included in 16.04 disables ssh-dss. There's a neat page with legacy information that includes this issue: http://www.openssh.com/legacy.html

In a nutshell, you should add the option -oHostKeyAlgorithms=+ssh-dss to the SSH command:

ssh -oHostKeyAlgorithms=+ssh-dss 

You can also add a host pattern in your ~/.ssh/config so you don't have to specify the key algorithm every time:

Host nas
  HostName 192.168.8.109
  HostKeyAlgorithms=+ssh-dss

This has the added benefit that you don't need to type out the IP address. Instead, ssh will recognize the host nas and know where to connect to. Of course you can use any other name in its stead.


answered Oct 12, 2016 at 13:12

Kalle Elmér


If you came here because Bitbucket returns the following after an update to OpenSSH 8.8:

Unable to negotiate with <ip address> port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss

you should NOT enable DSS (like in the accepted answer), but rather RSA in ~/.ssh/config:

Host bitbucket.org
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedKeyTypes +ssh-rsa

Reference: https://community.atlassian.com/t5/Bitbucket-articles/OpenSSH-8-8-client-incompatibility-and-workaround/ba-p/1826047

Note that PubkeyAcceptedKeyTypes is a backwards-compatible alias for PubkeyAcceptedAlgorithms, which is what the article suggests. If you use the alias, the same configuration can be used with older OpenSSH client versions, e.g. if you share the config with docker containers.

You can do the same for other hosts, or use Host * to allow RSA for any host.

answered Oct 11, 2021 at 8:25


If you want to use newer OpenSSH to connect to deprecated servers:

ssh -o KexAlgorithms=diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-dss my.host.com

Add -v if you want to see what's happening, and -o HostKeyAlgorithms=ssh-dss if it still doesn't work:

ssh -v -o HostKeyAlgorithms=ssh-dss -o KexAlgorithms=diffie-hellman-group14-sha1 my.host.com

You can also edit /etc/ssh/ssh_config or ~/.ssh/ssh_config and add:

Host my.host.com *.myinsecure.net 192.168.1.* 192.168.2.*
    HostKeyAlgorithms ssh-dss
    KexAlgorithms diffie-hellman-group1-sha1

https://forum.ctwug.za.net/t/fyi-openssh-to-access-rbs-openssh-7/6069 mentions the following fix on Mikrotik Routerboards:

/ip ssh set strong-crypto=yes

(Noting this here because this answer also comes up on web searches when looking for a similar error message.)


answered Feb 20, 2017 at 15:48

Dagelf


Editing the ~/.ssh/config file is the best option. If you have a number of hosts to connect to on the same subnet you can use the following method to avoid entering each host in the file:

Host 192.168.8.*
    HostKeyAlgorithms=+ssh-dss

This works great for me as I have a number of Brocade switches to manage and they started complaining about the Host key after I moved to Ubuntu 16.04.

answered Jul 6, 2017 at 10:59

truxpin


This worked:

sudo nano /etc/ssh/ssh_config

add on a new, empty line:

HostKeyAlgorithms ssh-rsa,ssh-dss
PubkeyAcceptedKeyTypes ssh-rsa,ssh-dss

It was NOT needed to reload/restart SSHd.

ssh -v also shows additional details if needed.

answered Oct 22, 2021 at 14:36

16851556


Running this one-liner on the client worked around the issue:

echo -e "Host *\nHostKeyAlgorithms +ssh-rsa\nPubkeyAcceptedKeyTypes +ssh-rsa\n"|sudo tee -a ~/.ssh/config

answered Apr 17 at 11:34

16851556


The 'their offer' list of algorithms is the set the server will accept, so the client needs to offer matching ones. As mentioned, one way to fix this is to add the missing algorithms to your .ssh/config file. If it still doesn't work, it is worth checking which algorithms your version of ssh has to offer:

ssh -Q key

If you do not see the missing algorithm listed by this command, then you will need to update your ssh version.

But if you do see the missing algorithm there, then it's possible that the system /etc/ssh/ssh_config file and/or /Users/USERNAME/.ssh/config contains a HostkeyAlgorithms line that limits the set of algorithms. This can happen if the algorithms are listed without the + prefix, which makes ssh offer only those on that list, e.g. (HostkeyAlgorithms ssh-dsa), so this can be fixed by commenting out that line or by explicitly adding the specific missing algorithms. The + prefix adds one or more algorithms to the list instead of replacing it.

answered Sep 26 at 21:51

Pierz

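The per-host `~/.ssh/config` stanza from the blog post and Pierz's `ssh -Q key` check, combined into one helper. This is an added example, not code from the post or from any answer above; the function names and the sample error line and `ssh -Q key` output are constructed for illustration. It scopes the stanza to the single host named in the error and uses the `+` prefix, so the client's default algorithm list is extended rather than replaced.

```shell
#!/bin/sh
# Added helper (hypothetical, not from the page): turn an OpenSSH
# "no matching host key type found" error into a ~/.ssh/config stanza
# that is limited to the one host and only re-enables what the local
# client can actually offer.

# Constructed sample error line, in the shape quoted in the thread.
SAMPLE_ERR='Unable to negotiate with 192.168.8.109 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss'
# Constructed, abbreviated stand-in for `ssh -Q key` output of a client
# that has no ssh-dss support at all.
SAMPLE_Q_KEY='ssh-ed25519
ssh-rsa
rsa-sha2-256
rsa-sha2-512'

# offered_algos ERRLINE -> comma-separated list the server offered
offered_algos() {
    printf '%s\n' "$1" | sed -n 's/.*Their offer: *//p'
}

# offer_host ERRLINE -> the host or IP named in the error
offer_host() {
    printf '%s\n' "$1" | sed -n 's/^Unable to negotiate with \([^ ]*\) port.*/\1/p'
}

# client_supported OFFER QKEY -> offered algorithms this client can still
# enable; anything absent from `ssh -Q key` cannot be fixed by configuration.
client_supported() {
    printf '%s\n' "$1" | tr ',' '\n' | while read -r algo; do
        printf '%s\n' "$2" | grep -qxF -- "$algo" && printf '%s,' "$algo"
    done | sed 's/,$//'
}

# make_stanza ERRLINE QKEY -> stanza on stdout; non-zero status when nothing
# in the offer is supported locally (then only a client upgrade helps).
# PubkeyAcceptedKeyTypes is the backwards-compatible alias used in the thread.
make_stanza() {
    host=$(offer_host "$1")
    algos=$(client_supported "$(offered_algos "$1")" "$2")
    [ -n "$host" ] && [ -n "$algos" ] || return 1
    printf 'Host %s\n    HostKeyAlgorithms +%s\n    PubkeyAcceptedKeyTypes +%s\n' \
        "$host" "$algos" "$algos"
}

# Example run: prints the stanza to append to ~/.ssh/config.
make_stanza "$SAMPLE_ERR" "$SAMPLE_Q_KEY"
```

With a real client, pass the actual error line and `"$(ssh -Q key)"` as the two arguments, then review the stanza before appending it to ~/.ssh/config.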