SSH returns: no matching host key type found. Their offer: ssh-dss

The version of OpenSSH included in 16.04 disables ssh-dss. There's a neat page with legacy information that includes this issue: http://www.openssh.com/legacy.html

In a nutshell, you should add the option -oHostKeyAlgorithms=+ssh-dss to the SSH command:

ssh -oHostKeyAlgorithms=+ssh-dss [email protected]

You can also add a host pattern in your ~/.ssh/config so you don't have to specify the key algorithm every time:

Host nas
  HostName 192.168.8.109
  HostKeyAlgorithms=+ssh-dss

This has the added benefit that you don't need to type out the IP address. Instead, ssh will recognize the host nas and know where to connect to. Of course you can use any other name in its stead.


Editing the ~/.ssh/config file is the best option. If you have a number of hosts to connect to on the same subnet you can use the following method to avoid entering each host in the file:

Host 192.168.8.*
  HostKeyAlgorithms=+ssh-dss

This works great for me as I have a number of Brocade switches to manage and they started complaining about the Host key after I moved to Ubuntu 16.04.


If you want to use newer OpenSSH to connect to deprecated servers:

ssh -o KexAlgorithms=diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-dss my.host.com

Add -v if you want to see what's happening, and -o HostKeyAlgorithms=ssh-dss if it still doesn't work:

ssh -v -o HostKeyAlgorithms=ssh-dss -o KexAlgorithms=diffie-hellman-group14-sha1 my.host.com

You can also, of course, edit /etc/ssh/ssh_config or ~/.ssh/ssh_config, and add:

Host my.host.com *.myinsecure.net 192.168.1.* 192.168.2.*
    HostKeyAlgorithms ssh-dss
    KexAlgorithms diffie-hellman-group1-sha1    

https://forum.ctwug.za.net/t/fyi-openssh-to-access-rbs-openssh-7/6069 mentions the following fix on Mikrotik Routerboards:

/ip ssh set strong-crypto=yes

(Noting this here because this answer also comes up on web searches when looking for a similar error message.)
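
An added example, not part of the answers above: each of these config stanzas relaxes the algorithm set for every host its pattern matches, so this script lists which Host patterns in ssh_config-style input enable the algorithms named on this page, whether the entry extends the default list or replaces it, and whether the pattern is a wildcard. The function names and output format are this example's own, and Match and Include directives are not handled.

```shell
#!/bin/sh
# Added example (not from the original answers): list the Host blocks in
# ssh_config-style input that enable the legacy algorithms named on this page.
# Output columns (tab-separated): host patterns, keyword, algorithm, mode, scope.
audit_legacy_algos() {
    awk '
    BEGIN {
        OFS = "\t"
        hosts = "*"    # options before the first Host line apply to every host
        n = split("ssh-dss diffie-hellman-group1-sha1 diffie-hellman-group14-sha1", t, " ")
        for (i = 1; i <= n; i++) legacy[t[i]] = 1
    }
    {
        sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
        if ($0 == "" || $0 ~ /^#/) next
        if (!match($0, /^[A-Za-z]+/)) next
        name = substr($0, 1, RLENGTH); kw = tolower(name)
        # keyword and argument are separated by whitespace or a single "="
        arg = substr($0, RLENGTH + 1); sub(/^[ \t]*=?[ \t]*/, "", arg)
        if (kw == "host") { hosts = arg; next }
        if (kw != "hostkeyalgorithms" && kw != "kexalgorithms") next
        first = substr(arg, 1, 1)
        if (first == "-") next    # a leading "-" removes algorithms
        # "+" or "^" extends the default list; a bare list replaces it
        mode = (first == "+" || first == "^") ? "adds-to-defaults" : "replaces-defaults"
        scope = (hosts ~ /[*?]/) ? "wildcard" : "exact"
        list = arg; sub(/^[+^]/, "", list)
        m = split(list, algo, ",")
        for (i = 1; i <= m; i++)
            if (algo[i] in legacy) print hosts, name, algo[i], mode, scope
    }' "$@"
}

# Constructed sample: the three Host stanzas shown in the answers above.
sample_config() {
    cat <<'EOF'
Host nas
  HostName 192.168.8.109
  HostKeyAlgorithms=+ssh-dss

Host 192.168.8.*
  HostKeyAlgorithms=+ssh-dss

Host my.host.com *.myinsecure.net 192.168.1.* 192.168.2.*
    HostKeyAlgorithms ssh-dss
    KexAlgorithms diffie-hellman-group1-sha1
EOF
}

sample_config | audit_legacy_algos
```

To check a real file, pass its path as an argument, for example audit_legacy_algos ~/.ssh/config; rows marked wildcard or replaces-defaults are the ones to narrow first.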
