ssh error: no matching host key type found. Their offer: ssh-rsa,ssh-dss

I use FreeBSD to ssh into my managed switches at work. My old BSD box (FreeBSD xx5.domainname.com 12.2-PRERELEASE FreeBSD 12.2-PRERELEASE r365008 GENERIC amd64) with openssl version: OpenSSH_7.9p1, OpenSSL 1.1.1g-freebsd 21 Apr 2020 connects to my switches without issue.

The hardware on that computer is ancient so I built a replacement using v14 (FreeBSD newxx5 14.0-RELEASE-p3 FreeBSD 14.0-RELEASE-p3 #0: Mon Dec 11 04:56:01 UTC 2023 root@amd64-builder.daemonology.net:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64) with openssl version: OpenSSH_9.5p1, OpenSSL 3.0.12 24 Oct 2023 is giving me the following error message when I try to ssh into my switches:

Unable to negotiate with xxx.xxx.xxx.45 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss

I've done a couple searches but can't seem to find any info on how to fix this permanently. I can't replace the old computer until I get this working. Help! :)

TIA
 
You updated your ssh client?
The server is running the old version of OpenSSH, client running the newer version?
Some of the ciphers, such as rsa and dss were deprecated because of security.
man ssh says look at /etc/ssh/ssh_config, the Ciphers keyword.

These may help:
 
ssh(1) allows you to specify a lot of options via the -o parameter on the command line. You can use this to specify for example which host key algorithms you want to use. If you don't want to specify this option every time, you can put it in the ssh_config(5) file for your user ~/.ssh/config.
Combined with a host alias, ssh'ing to the switches with the old ssh becomes a breeze.
 
You updated your ssh client?
The server is running the old version of OpenSSH, client running the newer version?
Some of the ciphers, such as rsa and dss were deprecated because of security.
man ssh says look at /etc/ssh/ssh_config, the Ciphers keyword.

These may help:

I can't update the ssh on the switches. So I need to make the change on my server. I'm sure the client (switch) side is older, I just have no way to update it.



Same problem on my old switch, I put these lines in my .ssh/config file:
Code:
Host switch1
HostName switch1.somewhere.fr
HostKeyAlgorithms ssh-rsa
PubkeyAcceptedKeyTypes ssh-rsa
User xxx
I have 100+ switches, is there a way to do it by IP block? Something like 192.168.0.0/24
 
I do something similar to acheron. We have a few ancient machines for various things so, my ~/.ssh/config has lines like
host thatoldone HostKeyAlgorithms=ssh-dss
I ssh into them so infrequently, I forget the syntax, so this keeps me from having to look it up every few months.

And yes, it can be done by IP block. For example on 1 LAN I have a username not used for others. So I have host 10.50.* user <stupid-username>
so that silly username is for every host in the LAN with an IP that begins with 10.50. It's probably in the man page somewhere.
(That's not a criticism, I HATE going through a long, long man page because I don't remember one stupid syntax for something and can't find what I want in the man page, because rather than the syntax, it's me that's stupid. Kate McKinnon said it best, --just a 4 second video. https://srobb.net/stupid.mp4)

So you could do something, say if your switches were all on a LAN of 192.168.x.x
Host 192.168.* HostKeyAlgorithms=ssh-dss
 
I can't update the ssh on the switches. So I need to make the change on my server. I'm sure the client (switch) side is older, I just have no way to update it.
You are logged into your "server" and you are doing "ssh <insertyourswitchaddresshere>", yes?
If so, your ssh from the server is the "client side of the ssh session". That is what I meant and the solutions acheron and others should work.

If the switches are the ones initiating the ssh session, they are the ssh client and you would need to modify your sshd_config on the server to accept ssh-rsa/ssh-dss.
 
You are logged into your "server" and you are doing "ssh <insertyourswitchaddresshere>", yes?
If so, your ssh from the server is the "client side of the ssh session". That is what I meant and the solutions acheron and others should work.

If the switches are the ones initiating the ssh session, they are the ssh client and you would need to modify your sshd_config on the server to accept ssh-rsa/ssh-dss.
yes, that's the syntax:

ssh username@switchIP

My switches are wired into RADIUS and I use my AD credentials to login.

What's the correct modification on my server's sshd_config file?


You might still be able to update the ssh daemon in such devices. I did it for my ssh-able powerswitches:

I'm going to open a ticket with the manufacturer in the very near future to ask about this. If it's possible, I'll do it.
 
yes, that's the syntax:

ssh username@switchIP
Ok, so that command means you are using an ssh client to the sshd server that is on the switch.
Back up in posts #4 and #6 they provide pretty exact solutions.
Whatever system you enter that command to get to the switch (I believe it would be your server from post #1), in the home directory for whatever user you are on that system, there is a .ssh directory. Edit $HOME/.ssh/config as shown in posts #4 and #6 with the specifics of your switches.
 
One other thing I just ran into today. One of those ancient machines was giving me a new error about no matching public key format (I think, I don't remember the error.) Anyway I had to add another line to that host's config in $HOME/.ssh/conf
So now for that host it reads
HostKeyAlgorithms=ssh-dss PubkeyAcceptedKeyTypes=+ssh-rs
So, that might be useful too, though I don't know if it applies to your situation, and as I said, I can't quite remember the error that made me look for that solution.

If it helps though, it's one where I have a public key login and it suddenly began asking my password. After I figured it out, I mentioned it to my boss and he said, oh yeah, there's a workaround. :)

(I'm not complaining about him, he's a fantastic supervisor, it was just funny).
 
scottro Just to clarify you tweaked the .ssh/config on the system you were ssh-ing from (the ssh client side) for the host you were ssh-ing to (the ssh server side), yes?
 
scottro Just to clarify you tweaked the .ssh/config on the system you were ssh-ing from (the ssh client side) for the host you were ssh-ing to (the ssh server side), yes?
Not yet, I'm going to try that now. With an IP block so I don't have to configure a separate instance for each switch. I'll post back if it works.
 
Argh!

Just FYI, I'm in the middle of trying to replace all the certificates on all my switches and we've encountered.....issues. So this is sucking up pretty much 100% of my available cycles. I had to stop that just now or my brain may melt.......lol....so I added this to my ~/.ssh/config

host 192.168.0.0/24
HostKeyAlgorithms ssh-rsa
PubkeyAcceptedKeyTypes ssh-rsa
user myusername

and tried to ssh into a switch and got this error message:

no matching key exchange method found. Their offer: diffie-hellman-group14-sha1

I have to jump into an all staff meeting so can't work on this any further at the moment. Do I add diffie-hellman-group14-sha1 to the end of the two existing ssh-rsa entries? If yes, do I separate them with a space, a comma, a comma and a space, something else? Or do I add two new entries?

Thanks btw, appreciate the help a lot!
 
Ahh...well that isn't likely to be an option on my switches so I need to do it from the server side.
"client" in this case is whatever machine you are ssh'ing from to your switches - a ssh client.
and "server" is the machine you connect to, so in this case your switches are the ssh server(s).
So yes - this is exactly the option you need to implement.
 
"client" in this case is whatever machine you are ssh'ing from to your switches - a ssh client.
and "server" is the machine you connect to, so in this case your switches are the ssh server(s).
So yes - this is exactly the option you need to implement.
Ok so I'm ssh'ing in from my 'client' I use this FreeBSD box for multiple things and think of it as a server. I don't think of my switches as 'servers' because they're switches lol

Adding the following to my ~/.ssh/config on my FreeBSD box fixed the ssh-rsa issue:

host 192.168.0.0/24
HostKeyAlgorithms ssh-rsa
PubkeyAcceptedKeyTypes ssh-rsa
user myusername

But now I'm getting this error: port 22: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1

I've tried adding similar to the /.ssh/config but it didn't fix it. What do I need to do to the ~/.ssh/config on my 'client' in order to fix this next issue?

Thanks!
 
Host 123.123.123.123
KeyAlgorithms +diffie-hellman-group1-sha1

Ok thanks, tried that and got this error:

/home/username/.ssh/config: line 17: Bad configuration option: keyalgorithms
/home/username/.ssh/config: terminating, 1 bad configuration options
 
The stupid question, but always worth checking. Did you put KeyAlgorithms or HostKeyAlgorithms? If you didn't put HostKeyAlgorithms, that's probably the error. Without claiming to read cracauer@'s mind, I'm guessing he was probably busy and used mental shorthand.
 
The stupid question, but always worth checking. Did you put KeyAlgorithms or HostKeyAlgorithms? If you didn't put HostKeyAlgorithms, that's probably the error. Without claiming to read cracauer@'s mind, I'm guessing he was probably busy and used mental shorthand.
Actually I posted the first Google result for the error message :D
 
The stupid question, but always worth checking. Did you put KeyAlgorithms or HostKeyAlgorithms? If you didn't put HostKeyAlgorithms, that's probably the error. Without claiming to read cracauer@'s mind, I'm guessing he was probably busy and used mental shorthand.
I just copied and pasted....lol

So I gave HostKeyAlgorithms a try and it errored....lol Here's what I got:

/home/curtr/.ssh/config line 17: Bad key types '+diffie-hellman-group1-sha1'.
/home/curtr/.ssh/config: terminating, 1 bad configuration options

Here's what I've added to ~/.ssh/config

Host 192.168.0.0/24
HostKeyAlgorithms ssh-rsa
PubkeyAcceptedKeyTypes ssh-rsa
user username

Host 192.168.0.0/24
HostKeyAlgorithms +diffie-hellman-group1-sha1
user username

What am I missing now? Do I need to add "PubkeyAcceptedKeyTypes +diffie-hellman-group1-sha"?
 
You have two stanzas beginning with
Host 192.168.0.0/24 try putting everything into the same stanza instead.

Ok, removed the second stanza and put the diffie-hellman line in the first one.
Host 192.168.0.0/24
HostKeyAlgorithms ssh-rsa
PubkeyAcceptedKeyTypes ssh-rsa
HostKeyAlgorithms +diffie-hellman-group1-sha1
user username


Tried this and got the following error:

/home/username/.ssh/config line 14: Bad key types '+diffie-hellman-group1-sha1'.
/home/usernam/.ssh/config: terminating, 1 bad configuration options


Thinking it might be a missing line "PubkeyAcceptedKeyType" I added a line for that and got this

/home/username/.ssh/config line 14: Bad key types '+diffie-hellman-group1-sha1'.
/home/username/.ssh/config line 15: Bad key types '+diffie-hellman-group1-sha1'.
/home/username/.ssh/config: terminating, 2 bad configuration options


Tried adding the diffie-hellman to original PubkeyAcceptedKeyTypes line and got same errors as above.

What now??
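An added example, not code from anyone in this thread or from OpenSSH: a small Python script that turns the two "Their offer:" errors quoted above into one narrow Host stanza, placing the Diffie-Hellman method under KexAlgorithms, the keyword OpenSSH uses for key exchange methods, which is why "+diffie-hellman-group1-sha1" under HostKeyAlgorithms is rejected as a bad key type (note also that the switch offered diffie-hellman-group14-sha1, not group1). The address 192.168.0.45, the pattern 192.168.0.* and the user name are constructed.

```python
"""Turn OpenSSH "Their offer:" failures into one scoped ~/.ssh/config stanza.
Added illustration for this thread, not code from the forum or from OpenSSH; the
host pattern, user name and sample error lines below are constructed."""
import re
# Constructed copies of the two errors reported in the thread (address invented).
SAMPLE_ERRORS = [
    "Unable to negotiate with 192.168.0.45 port 22: no matching host key type "
    "found. Their offer: ssh-rsa,ssh-dss",
    "Unable to negotiate with 192.168.0.45 port 22: no matching key exchange "
    "method found. Their offer: diffie-hellman-group14-sha1",
]
OFFER_RE = re.compile(r"no matching (?P<kind>host key type|key exchange method)"
                      r" found\. Their offer: (?P<offer>\S+)")
# Legacy names we are willing to re-enable, in preference order; only the first
# one the server also offers is used, so the stanza stays as narrow as needed.
ALLOWED_LEGACY = {"HostKeyAlgorithms": ["ssh-rsa", "ssh-dss"],
                  "KexAlgorithms": ["diffie-hellman-group14-sha1"]}

def keyword_for_algorithm(name):
    """The trap in the thread: 'diffie-hellman-*' is a key exchange method, so
    listing it under HostKeyAlgorithms makes ssh reject the file ('Bad key types')."""
    if name.startswith(("diffie-hellman-", "ecdh-", "curve25519-", "sntrup")):
        return "KexAlgorithms"
    if name.startswith(("ssh-", "rsa-sha2-", "ecdsa-sha2-", "sk-")):
        return "HostKeyAlgorithms"
    raise ValueError(f"unrecognised algorithm name: {name}")

def parse_offer(line):
    """Return (keyword, [offered names]) from one 'Unable to negotiate' line."""
    m = OFFER_RE.search(line)
    if not m:
        raise ValueError(f"not an OpenSSH negotiation error: {line!r}")
    keyword = "HostKeyAlgorithms" if m.group("kind") == "host key type" else "KexAlgorithms"
    return keyword, m.group("offer").split(",")

def build_stanza(host_pattern, user, error_lines):
    """Emit a Host block that appends ('+') one legacy algorithm per failing keyword."""
    chosen = {}
    for line in error_lines:
        keyword, offered = parse_offer(line)
        pick = next((a for a in ALLOWED_LEGACY[keyword] if a in offered), None)
        if pick is None:
            raise ValueError(f"{keyword}: nothing acceptable in offer {offered}")
        if keyword_for_algorithm(pick) != keyword:  # guard against the mix-up above
            raise ValueError(f"{pick} does not belong under {keyword}")
        chosen[keyword] = pick
    out = [f"Host {host_pattern}"]  # glob pattern: ssh_config Host does not take CIDR
    out += [f"    {kw} +{alg}" for kw, alg in chosen.items()]
    out.append(f"    User {user}")
    return "\n".join(out)
```

Host entries in ssh_config are wildcard patterns, as in scottro's `host 192.168.*`; CIDR notation such as 192.168.0.0/24 is only understood by sshd_config's Match Address. PubkeyAcceptedAlgorithms (the current name for PubkeyAcceptedKeyTypes) only matters when you authenticate with an RSA or DSA key, not with the RADIUS password login described here.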
 