[gentoo-user] ssh problem

Philip Webb

Dec 26, 2021, 11:50:04 AM
I want to login to a remote site <aaaaa.bbbbbbbb.cc> using 'ssh'.
The response I get is "Unable to negotiate with <nnn.nnn.nnn.n> port <nn>:
no matching host key type found. Their offer: ssh-rsa,ssh-dss".
Yesterday, I updated 'openssh' :

Installed versions: 8.8_p1-r4^t([2021-12-25 06:12:24])
(X ssl -X509 -audit -debug -hpn -kerberos -ldns -libedit -livecd -pam -pie -scp -sctp -security-key -selinux -static -test -xmss ABI_MIPS="-n32" KERNEL="linux")

Occasionally, I have had a similar problem trying to do this,
but ordinarily it has worked smoothly.

Does anyone have helpful suggestions how to get past the blockage ?

--
========================,,============================================
SUPPORT ___________//___, Philip Webb
ELECTRIC /] [] [] [] [] []| Cities Centre, University of Toronto
TRANSIT `-O----------O---' purslowatchassdotutorontodotca

Branko Grubić

Dec 26, 2021, 12:00:05 PM
On Sun, 2021-12-26 at 11:42 -0500, Philip Webb wrote:
> I want to login to a remote site <aaaaa.bbbbbbbb.cc> using 'ssh'.
> The response I get is "Unable to negotiate with <nnn.nnn.nnn.n> port
> <nn>:
> no matching host key type found. Their offer: ssh-rsa,ssh-dss".
> Yesterday, I updated 'openssh' :
>
>   Installed versions:  8.8_p1-r4^t([2021-12-25 06:12:24])
>    (X ssl -X509 -audit -debug -hpn -kerberos -ldns -libedit -livecd -pam
>    -pie -scp -sctp -security-key -selinux -static -test -xmss
>    ABI_MIPS="-n32" KERNEL="linux")
>
> Occasionally, I have had a similar problem trying to do this,
> but ordinarily it has worked smoothly.
>
> Does anyone have helpful suggestions how to get past the blockage ?
>
Hi,

Have you looked at news 2021-10-08-openssh-rsa-sha1 [1]?

Could be related.

Regards,
Branko

[1] https://gitweb.gentoo.org/data/gentoo-news.git/commit/?id=8dea6aa24c3ec9ee9a391fb602733c1a803a1ad1

Neil Bothwick

Dec 26, 2021, 12:10:04 PM
On Sun, 26 Dec 2021 11:42:41 -0500, Philip Webb wrote:

> I want to login to a remote site <aaaaa.bbbbbbbb.cc> using 'ssh'.
> The response I get is "Unable to negotiate with <nnn.nnn.nnn.n> port
> <nn>: no matching host key type found. Their offer: ssh-rsa,ssh-dss".
> Yesterday, I updated 'openssh' :

It sounds like the host may be running an old version of sshd that only
offers ciphers that are now disabled by default in newer releases. You
can get round this by enabling those ciphers for this host, with
something like this in ssh_config

Host aaaaa.bbbbbbbb.cc
Ciphers +ssh-rsa


--
Neil Bothwick

Last words of a Windows user: = Why does that work now?

Michael

Dec 26, 2021, 1:10:04 PM
On Sunday, 26 December 2021 17:00:46 GMT Neil Bothwick wrote:
> On Sun, 26 Dec 2021 11:42:41 -0500, Philip Webb wrote:
> > I want to login to a remote site <aaaaa.bbbbbbbb.cc> using 'ssh'.
> > The response I get is "Unable to negotiate with <nnn.nnn.nnn.n> port
> > <nn>: no matching host key type found. Their offer: ssh-rsa,ssh-dss".
>
> > Yesterday, I updated 'openssh' :
> It sounds like the host may be running an old version of sshd that only
> offers ciphers that are now disabled by default in newer releases. You
> can get round this by enabling those ciphers for this host, with
> something like this in ssh_config
>
> Host aaaaa.bbbbbbbb.cc
> Ciphers +ssh-rsa

The initial error is about "no matching host key type", so the option needed
would be:

HostKeyAlgorithms +ssh-rsa

After which another error may pop up, probably about Ciphers. ;-)
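
The distinction drawn in the message above, between a host key type failure and a cipher failure, as an added example that is not part of the thread: a shell helper that reads the "Unable to negotiate" line and prints a Host-scoped ssh_config stanza using the keyword for the negotiation step that failed. The function names and the 192.0.2.10 sample lines are constructed for illustration; unless told otherwise it picks the first algorithm in the server's offer.

```shell
#!/bin/sh
# Added example, not code from the thread.

# keyword_for_error LINE -> ssh_config keyword for the failed step, or status 1
keyword_for_error() {
    case "$1" in
        *"no matching host key type found"*)       echo HostKeyAlgorithms ;;
        *"no matching key exchange method found"*) echo KexAlgorithms ;;
        *"no matching cipher found"*)              echo Ciphers ;;
        *"no matching MAC found"*)                 echo MACs ;;
        *) return 1 ;;
    esac
}

# offered_algorithms LINE -> the comma-separated list after "Their offer:"
offered_algorithms() {
    printf '%s\n' "$1" | sed -n 's/.*Their offer: *\([^ "]*\).*/\1/p'
}

# stanza_for_error HOST LINE [ALGO]
# Prints a stanza limited to HOST, so the legacy algorithm is enabled for
# that one server only and the client defaults stay intact elsewhere.
# ALGO defaults to the first offered algorithm (assumption of this example).
stanza_for_error() {
    host=$1 line=$2
    kw=$(keyword_for_error "$line") || { echo "unrecognised error" >&2; return 1; }
    offer=$(offered_algorithms "$line")
    [ -n "$offer" ] || { echo "no offer in error line" >&2; return 1; }
    algo=${3:-${offer%%,*}}
    # An algorithm the server did not offer cannot resolve the mismatch.
    case ",$offer," in
        *",$algo,"*) ;;
        *) echo "$algo not in offer: $offer" >&2; return 1 ;;
    esac
    printf 'Host %s\n    %s +%s\n' "$host" "$kw" "$algo"
}

# Constructed sample lines in the format of the error quoted in the thread.
ERR_HOSTKEY='Unable to negotiate with 192.0.2.10 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss'
ERR_CIPHER='Unable to negotiate with 192.0.2.10 port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc'

stanza_for_error aaaaa.bbbbbbbb.cc "$ERR_HOSTKEY"
stanza_for_error aaaaa.bbbbbbbb.cc "$ERR_CIPHER"
```

The effective settings for a host after editing the config can be inspected with `ssh -G <host>`, which prints the resolved client configuration without connecting.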

Grant Taylor

Dec 26, 2021, 2:30:03 PM
On 12/26/21 9:42 AM, Philip Webb wrote:
> I want to login to a remote site <aaaaa.bbbbbbbb.cc> using 'ssh'.
> The response I get is "Unable to negotiate with <nnn.nnn.nnn.n> port <nn>:
> no matching host key type found. Their offer: ssh-rsa,ssh-dss".
> Yesterday, I updated 'openssh' :

Michael's pointing in the proper direction.

Check out the OpenSSH Legacy Options page for more details. I've
successfully used this information to log into Red Hat 5.x from the
'90s. (Not contemporary RHEL.)

Link - OpenSSH: Legacy Options
- https://www.openssh.com/legacy.html

Note: This works exceedingly well in the ssh client config file
(~/.ssh/config or /etc/ssh/ssh_config). Using the config file means
that anything that uses OpenSSH commands benefits from and inherits the
configuration parameters; rsync, git, what have you.



--
Grant. . . .
unix || die

Neil Bothwick

Dec 26, 2021, 3:20:03 PM
On Sun, 26 Dec 2021 18:07:56 +0000, Michael wrote:

> > Host aaaaa.bbbbbbbb.cc
> > Ciphers +ssh-rsa
>
> The initial error is about "no matching host key type", so the option
> needed would be:
>
> HostKeyAlgorithms +ssh-rsa

You're right, I was looking at the wrong file when I looked for how I
dealt with this a while ago.


--
Neil Bothwick

Top Oxymorons Number 21: "Now, then ..."

Philip Webb

Dec 27, 2021, 6:10:04 AM
211226 Michael wrote:
> On Sun, 26 Dec 2021 11:42:41 -0500, Philip Webb wrote:
>> I want to login to a remote site <aaaaa.bbbbbbbb.cc> using 'ssh'.
>> The response I get is "Unable to negotiate with <nnn.nnn.nnn.n> port
>> <nn>: no matching host key type found. Their offer: ssh-rsa,ssh-dss".
>> Yesterday, I updated 'openssh' :
> It sounds like the host may be running an old version of sshd
> that only offers ciphers that are now disabled by default in newer releases.
> You can get round this by enabling those ciphers for this host,
> with something like this in ssh_config : 'HostKeyAlgorithms +ssh-rsa'.

Thanks to all the respondents : adding that line makes it work again.
I've made a note of the Ssh help site & updated my own nn too.