OpenSSH 8.8 is now in the stable channel of Arch Linux and could reach other distributions any time soon.
In the 8.7 release notes, the OpenSSH team announced that the ssh-rsa signature scheme would be disabled by default in the next version, 8.8.
Why?
The ssh-rsa signature scheme is an RSA signature over a SHA-1 hash, and SHA-1 is vulnerable to chosen-prefix collision attacks.
What should I do?
This should not be a problem unless you connect to a server whose host key can only be verified with the weak ssh-rsa signature scheme. RSA keys themselves are not disabled: a server that also offers the rsa-sha2-256 or rsa-sha2-512 signature schemes keeps working with the same RSA key. The same restriction applies to RSA user keys used for public key authentication against such a server.
💡 If you're still on 8.7 or an earlier version, you can test your remote hosts (a GitLab instance, a cloud server) against the 8.8 default behaviour by removing ssh-rsa from the host key algorithms for one connection:
ssh -oHostKeyAlgorithms=-ssh-rsa user@host
If the connection fails with "no matching host key type found", the server only offers the SHA-1 based ssh-rsa host key signature and will not be reachable with the default configuration of OpenSSH 8.8.
Enabling the weak signature
If you can't update the remote servers to a version that supports the rsa-sha2 signature schemes but still need to reach them, you can re-enable the weak scheme for a single connection:
ssh -oHostKeyAlgorithms=+ssh-rsa user@host
Keep in mind that this accepts SHA-1 RSA host key signatures again for that connection, so prefer enabling it per host rather than globally.
Using the weak signature with Git
At the time of writing, Bitbucket only offers this weak signature scheme, so if you have Git repositories hosted there you are affected. 🥺 You can check your connection with the following command (Bitbucket's SSH user is git):
ssh -oHostKeyAlgorithms=+ssh-rsa git@bitbucket.org
How can we enable this option for all Git commands? Create an SSH configuration file with the following content:
Host bitbucket.org
    HostKeyAlgorithms +ssh-rsa
    IdentitiesOnly yes
The default location of this file is ~/.ssh/config; you may already have one. Once you add this stanza, every git command against Bitbucket works again without extra flags, and the weak scheme stays limited to that host.
That's all
I hope this helps you keep SSHing around the world 🗺️
I am trying to use the command:
ssh -i id_rsa root@<ip>
This gave me the error:
Unable to negotiate with port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
Also after googling a bit, I tried:
ssh -oHostKeyAlgorithms=+ssh-dss -i id_rsa root@<ip>
And this command is prompting for a password when I am using id_rsa for authentication.
How should I use OpenSSH private key to authenticate in SSH?
I am using Kali linux, 16.0-kali6-amd64, (2022-03-23) x86_64 GNU/Linux
In the verbose output, it shows "no such directory" for 'load_hostkeys', then: DSA host key found
get_agent_identities: agent contains no identities, will attempt some key (explicitly)
send_pubkey_test: no mutual signature algorithm
After that it tries password authentication and gives a prompt.
I am accustomed to using Putty on a Windows box or an OSX command line terminal to SSH into a NAS, without any configuration of the client.
Ubuntu 16.04 attempts to SSH into the NAS (via LAN) with ssh and gets:
Unable to negotiate with 192.168.8.109 port 22: no matching host key type found. Their offer: ssh-dss
- Is this result / response intentional?
- Is there a simple correction that enables SSH access to the NAS?
asked Oct 12, 2016 at 12:24
gatorback
The version of OpenSSH included in 16.04 disables ssh-dss. There's a neat page with legacy information that includes this issue: //www.openssh.com/legacy.html
In a nutshell, you should add the option -oHostKeyAlgorithms=+ssh-dss to the SSH command:
ssh -oHostKeyAlgorithms=+ssh-dss 192.168.8.109
You can also add a host pattern in your ~/.ssh/config so you don't have to specify the key algorithm every time:
Host nas
    HostName 192.168.8.109
    HostKeyAlgorithms=+ssh-dss
This has the added benefit that you don't need to type out the IP address. Instead, ssh will recognize the host nas and know where to connect to. Of course you can use any other name in its stead.
answered Oct 12, 2016 at 13:12
Kalle Elmér
If you came here because Bitbucket returns the following after an update to OpenSSH 8.8:
Unable to negotiate with <ip address> port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
you should NOT enable DSS (like in the accepted answer), but rather RSA in ~/.ssh/config:
Host bitbucket.org
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedKeyTypes +ssh-rsa
Reference: //community.atlassian.com/t5/Bitbucket-articles/OpenSSH-8-8-client-incompatibility-and-workaround/ba-p/1826047
Note that PubkeyAcceptedKeyTypes is a backwards-compatible alias of PubkeyAcceptedAlgorithms, which is what the article suggests. If you use the alias, the same configuration can be used with older OpenSSH client versions, e.g. if you share the config with Docker containers.
You can do the same for other hosts, or use Host * to allow RSA for any host.
answered Oct 11, 2021 at 8:25
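As an added example (my own, not code from the Atlassian article, the OpenSSH project or any of the answers above), the following POSIX shell script takes the client's "no matching host key type found. Their offer: ..." error that both the NAS question and the Bitbucket case produce, picks the least-weak host key algorithm the server offers, and prints a stanza scoped to that one host instead of a blanket Host * override. The preference order, the host 192.168.8.109 reused from the question, and the captured error line are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the posts above: turn the client's
# "no matching host key type found. Their offer: ..." error into a minimal,
# host-scoped ~/.ssh/config stanza instead of a blanket "Host *" override.
# The error text and host name used here are constructed for demonstration.

# Preference order for legacy host key algorithms (an assumption of this example):
# SHA-2 RSA needs no override at all, then ssh-rsa (RSA/SHA-1), and ssh-dss only as a last resort.
pick_hostkey_alg() {
    offer=$1    # comma-separated list as printed after "Their offer:"
    for cand in rsa-sha2-512 rsa-sha2-256 ssh-rsa ssh-dss; do
        case ",$offer," in
            *",$cand,"*) printf '%s\n' "$cand"; return 0 ;;
        esac
    done
    return 1    # nothing we are willing to enable
}

# Pull the offer list out of a captured error line and drop stray spaces.
parse_offer() {
    printf '%s\n' "$1" | sed -n 's/.*Their offer: *//p' | tr -d ' '
}

# Emit a stanza limited to one host. rsa-sha2-* are already in the client's
# default list, so nothing is printed for them. When the server only signs
# with ssh-rsa, RSA *user* keys hit the same SHA-1 restriction
# ("no mutual signature algorithm"), so PubkeyAcceptedKeyTypes is added too;
# that keyword is the backwards-compatible alias of PubkeyAcceptedAlgorithms.
make_stanza() {
    host=$1
    alg=$2
    case $alg in
        rsa-sha2-*) return 0 ;;
    esac
    printf 'Host %s\n    HostKeyAlgorithms +%s\n' "$host" "$alg"
    if [ "$alg" = ssh-rsa ]; then
        printf '    PubkeyAcceptedKeyTypes +ssh-rsa\n'
    fi
}

# Constructed sample error, as a modern client prints it against a legacy device.
SAMPLE_ERROR='Unable to negotiate with 192.168.8.109 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss'

# Full run: parse the error, choose the least-weak algorithm, print the stanza.
# Returns non-zero (and prints nothing) when the offer contains nothing acceptable.
suggest_stanza() {
    host=$1
    err=$2
    offer=$(parse_offer "$err")
    alg=$(pick_hostkey_alg "$offer") || {
        printf 'refusing to enable anything from offer: %s\n' "$offer" >&2
        return 1
    }
    make_stanza "$host" "$alg"
}

suggest_stanza 192.168.8.109 "$SAMPLE_ERROR"
```

Read the printed stanza before appending it to ~/.ssh/config; because the function fails closed when the server offers nothing in the preference list, no algorithm gets enabled silently, and because the stanza names a single host, the SHA-1 exception never leaks to other connections.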
If you want to use newer OpenSSH to connect to deprecated servers:
ssh -o KexAlgorithms=diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-dss my.host.com
Add -v if you want to see what's happening, and -o HostKeyAlgorithms=ssh-dss if it still doesn't work:
ssh -v -o HostKeyAlgorithms=ssh-dss -o KexAlgorithms=diffie-hellman-group14-sha1 my.host.com
You can also edit /etc/ssh/ssh_config or ~/.ssh/ssh_config and add:
Host my.host.com *.myinsecure.net 192.168.1.* 192.168.2.*
    HostKeyAlgorithms ssh-dss
    KexAlgorithms diffie-hellman-group1-sha1
//forum.ctwug.za.net/t/fyi-openssh-to-access-rbs-openssh-7/6069 mentions the following fix on Mikrotik Routerboards:
/ip ssh set strong-crypto=yes
(Noting this here because this answer also comes up on web searches when looking for a similar error message.)
answered Feb 20, 2017 at 15:48
Dagelf
Editing the ~/.ssh/config file is the best option. If you have a number of hosts to connect to on the same subnet, you can use the following method to avoid entering each host in the file:
Host 192.168.8.*
    HostKeyAlgorithms=+ssh-dss
This works great for me as I have a number of Brocade switches to manage, and they started complaining about the host key after I moved to Ubuntu 16.04.
answered Jul 6, 2017 at 10:59
truxpin
This worked:
sudo nano /etc/ssh/ssh_config
Add on a new empty line:
HostKeyAlgorithms ssh-rsa,ssh-dss
PubkeyAcceptedKeyTypes ssh-rsa,ssh-dss
It was NOT needed to reload/restart sshd.
ssh -v also shows additional details if needed.
answered Oct 22, 2021 at 14:36
16851556
Running this one-liner on the client worked around the issue (tee needs no sudo for your own ~/.ssh/config, and printf avoids the non-portable echo -e):
printf 'Host *\nHostKeyAlgorithms +ssh-rsa\nPubkeyAcceptedKeyTypes +ssh-rsa\n' | tee -a ~/.ssh/config
answered Apr 17 at 11:34
16851556
The 'Their offer' list of algorithms is the set that the server will accept, so the client needs to offer matching ones. As mentioned, one way to fix this is to add the missing algorithms to your .ssh/config file. If it still doesn't work, it is worth checking which algorithms your version of ssh has to offer:
ssh -Q key
If you do not see the missing algorithm listed by this command, then you will need to update your ssh version.
But if you do see the missing algorithm there, then it's possible that either the system /etc/ssh/ssh_config file and/or /Users/USERNAME/.ssh/config contains a HostKeyAlgorithms line that limits the list of algorithms. This can happen if the algorithms are listed without the + prefix, which leads to ssh only offering those on that list, e.g. HostKeyAlgorithms ssh-dss. This can be fixed by just commenting out that line, or by explicitly adding the specific missing algorithms. The + prefix adds one or more algorithms to the default list.
answered Sep 26 at 21:51
Pierz