SSH returns: no matching host key type found. Their offer: ssh-dss
I am accustomed to using PuTTY on a Windows box or an OSX command line terminal to SSH into a NAS, without any configuration of the client.
Ubuntu 16.04 attempts to SSH into the NAS (via LAN):
ssh root@192.168.8.109
Unable to negotiate with 192.168.8.109 port 22: no matching host key type found. Their offer: ssh-dss
- Is this result / response intentional?
- Is there a simple correction that enables SSH access to the NAS?
7 Answers
The version of OpenSSH included in 16.04 disables ssh-dss. There's a neat page with legacy information that includes this issue:
In a nutshell, you should add the option -oHostKeyAlgorithms=+ssh-dss to the SSH command:
ssh -oHostKeyAlgorithms=+ssh-dss root@192.168.8.109
You can also add a host pattern in your ~/.ssh/config so you don't have to specify the key algorithm every time:
Host nas
    HostName 192.168.8.109
    HostKeyAlgorithms=+ssh-dss
This has the added benefit that you don't need to type out the IP address. Instead, ssh will recognize the host nas and know where to connect to. Of course you can use any other name in its stead.
If you came here because Bitbucket returns the following after an update to OpenSSH 8.8:
Unable to negotiate with <ip address> port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
you should NOT enable DSS (like in the accepted answer), but rather RSA in ~/.ssh/config:
Host bitbucket.org
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedKeyTypes +ssh-rsa
Reference:
Note that PubkeyAcceptedKeyTypes is a backwards compatible alias to PubkeyAcceptedAlgorithms which has been suggested in the article. If you use it, the same configuration can be used with older OpenSSH client versions, e.g. if you share the config with docker containers.
You can do the same for other hosts, or use Host * to allow RSA for any host.
Editing the ~/.ssh/config file is the best option. If you have a number of hosts to connect to on the same subnet you can use the following method to avoid entering each host in the file:
Host 192.168.8.*
    HostKeyAlgorithms=+ssh-dss
This works great for me as I have a number of Brocade switches to manage and they started complaining about the Host key after I moved to Ubuntu 16.04.
If you want to use newer OpenSSH to connect to deprecated servers:
ssh -o KexAlgorithms=diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-dss my.host.com
Add -v if you want to see what's happening, and -o HostKeyAlgorithms=ssh-dss if it still doesn't work:
ssh -v -o HostKeyAlgorithms=ssh-dss -o KexAlgorithms=diffie-hellman-group14-sha1 my.host.com
You can also, of course, edit /etc/ssh/ssh_config or ~/.ssh/ssh_config, and add:
Host my.host.com *.myinsecure.net 192.168.1.* 192.168.2.*
    HostKeyAlgorithms ssh-dss
    KexAlgorithms diffie-hellman-group1-sha1
mentions the following fix on Mikrotik Routerboards:
/ip ssh set strong-crypto=yes
(Noting this here because this answer also comes up on web searches when looking for a similar error message.)
For me this added into .ssh\config worked:
Host *
    HostkeyAlgorithms +ssh-dss
    PubkeyAcceptedKeyTypes +ssh-dss
This worked:
sudo nano /etc/ssh/ssh_config
Add to new empty line:
HostKeyAlgorithms ssh-rsa,ssh-dss
PubkeyAcceptedKeyTypes ssh-rsa,ssh-dss
It was NOT needed to reload/restart SSHd.
ssh -v also shows additional details if needed.
Running this one-liner on client worked to work around the issue:
echo -e "Host *\nHostKeyAlgorithms +ssh-rsa\nPubkeyAcceptedKeyTypes +ssh-rsa\n"|sudo tee -a ~/.ssh/config
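The answers above re-enable ssh-dss, ssh-rsa and diffie-hellman-group1-sha1 at different scopes, from a single Host entry to Host * and /etc/ssh/ssh_config. As an added example (not taken from any of the answers), the shell function below lists every place an ssh_config enables one of those algorithms and marks the entry "broad" when it applies globally, to a wildcard pattern or to Match all, so the override can be narrowed to the hosts that need it. The function name audit_ssh_config, the output format and the sample config are assumptions made for this example; quoted values and Include directives are not handled.

```shell
#!/bin/sh
# Added example: report legacy algorithms an ssh_config enables, per Host scope.
# Usage: audit_ssh_config [FILE]   (reads stdin when FILE is omitted)
# Output: breadth<TAB>scope<TAB>keyword<TAB>algorithm
audit_ssh_config() {
    awk '
    BEGIN {
        scope = "(global)"          # options before the first Host/Match line
        # Algorithm names taken from the answers on this page.
        legacy["ssh-dss"]; legacy["ssh-rsa"]; legacy["diffie-hellman-group1-sha1"]
        watch["hostkeyalgorithms"]; watch["kexalgorithms"]
        watch["pubkeyacceptedkeytypes"]; watch["pubkeyacceptedalgorithms"]
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        # ssh_config separates keyword and value by whitespace or a single "="
        if (!match(line, /[ \t=]/)) next
        key = tolower(substr(line, 1, RSTART - 1))
        val = substr(line, RSTART)
        sub(/^[ \t]*=?[ \t]*/, "", val)
        sub(/[ \t]+$/, "", val)
        if (key == "host")  { scope = val; next }
        if (key == "match") { scope = "Match " val; next }
        if (!(key in watch)) next
        if (substr(val, 1, 1) == "-") next  # "-list" removes algorithms
        sub(/^[+^]/, "", val)               # "+list" appends, "^list" prepends
        breadth = "scoped"
        if (scope == "(global)" || scope ~ /[*?]/ || tolower(scope) == "match all")
            breadth = "broad"
        n = split(val, algs, ",")
        for (i = 1; i <= n; i++)
            if (algs[i] in legacy)
                printf "%s\t%s\t%s\t%s\n", breadth, scope, key, algs[i]
    }' "${1:--}"
}

# Constructed sample mirroring configurations from the answers above.
audit_ssh_config <<'EOF'
Host nas
    HostName 192.168.8.109
    HostKeyAlgorithms=+ssh-dss
Host *
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedKeyTypes +ssh-rsa
EOF
```

Run it against ~/.ssh/config and /etc/ssh/ssh_config; `ssh -G hostname` then shows the algorithm lists the client will actually offer to a given host.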