cipher - unable to negotiate with port 22: no matching host key type found. their offer: ssh-dss
Unable to negotiate with XX.XXX.XX.XX: no matching host key type found. Their offer: ssh-dss (4)
I am trying to create a git repository on my web host and clone it on my computer. Here's what I did:
- I created a repository on the remote server.
- I generated a key pair: ssh-keygen -t dsa
- I added my key to ssh-agent.
- I copied to the server public key in
And then, after an attempt to run the command
git clone ssh://[email protected]/path-to-repository
I get an error:
Unable to negotiate with XX.XXX.XX.XX: no matching host key type found. Their offer: ssh-dss
fatal: Could not read from remote repository.
Please make sure you have the correct access rights and the repository exists.
What does that mean?
For me this worked: (added into
    Host *
        HostkeyAlgorithms +ssh-dss
        PubkeyAcceptedKeyTypes +ssh-dss
I want to collaborate a little with the solution for the server side. So, the server is saying it does not support DSA; this is because the OpenSSH client does not activate it by default:
OpenSSH 7.0 and greater similarly disable the ssh-dss (DSA) public key algorithm. It too is weak and we recommend against its use.
So, to fix this on the server side I should activate other key algorithms like RSA or ECDSA. I just had this problem with a server in a LAN. I suggest the following:
Update the openssh:
yum update openssh-server
Merge new configurations in the sshd_config if there is a sshd_config.rpmnew.
Verify there are host keys at /etc/ssh/. If not, generate new ones, see
    $ ll /etc/ssh/
    total 580
    -rw-r--r--. 1 root root     553185 Mar  3  2017 moduli
    -rw-r--r--. 1 root root       1874 Mar  3  2017 ssh_config
    drwxr-xr-x. 2 root root       4096 Apr 17 17:56 ssh_config.d
    -rw-------. 1 root root       3887 Mar  3  2017 sshd_config
    -rw-r-----. 1 root ssh_keys    227 Aug 30 15:33 ssh_host_ecdsa_key
    -rw-r--r--. 1 root root        162 Aug 30 15:33 ssh_host_ecdsa_key.pub
    -rw-r-----. 1 root ssh_keys    387 Aug 30 15:33 ssh_host_ed25519_key
    -rw-r--r--. 1 root root         82 Aug 30 15:33 ssh_host_ed25519_key.pub
    -rw-r-----. 1 root ssh_keys   1675 Aug 30 15:33 ssh_host_rsa_key
    -rw-r--r--. 1 root root        382 Aug 30 15:33 ssh_host_rsa_key.pub
Verify the HostKey configuration in /etc/ssh/sshd_config. It should allow the configuration of RSA and ECDSA. (If all of them are commented out, by default it will allow RSA too, see in
the part of HostKey).
    # HostKey for protocol version 1
    #HostKey /etc/ssh/ssh_host_key
    # HostKeys for protocol version 2
    HostKey /etc/ssh/ssh_host_rsa_key
    #HostKey /etc/ssh/ssh_host_dsa_key
    HostKey /etc/ssh/ssh_host_ecdsa_key
    HostKey /etc/ssh/ssh_host_ed25519_key
For the client side, create a key for ssh (not a DSA like in the question) by just doing this:
After this, because there are more options than ssh-dss (DSA), the OpenSSH client (>= v7) should connect with RSA or a better algorithm.
This is my first question answered, I welcome suggestions :D .
The recent openssh version deprecated DSA keys by default. You should suggest to your GIT provider to add some reasonable host key. Relying only on DSA is not a good idea.
As a workaround, you need to tell your client that you want to accept DSA host keys, as described in the official documentation for legacy usage. You have a few possibilities, but I recommend adding these lines to your
    Host your-remote-host
        HostkeyAlgorithms +ssh-dss
Another possibility is to use an environment variable to specify these options:
GIT_SSH_COMMAND="ssh -oHostKeyAlgorithms=+ssh-dss" git clone ssh://[email protected]/path-to-repository
You can also add
in your ssh line:
ssh -oHostKeyAlgorithms=+ssh-dss [email protected]
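An added example, not part of any answer above: the answers re-enable ssh-dss either for every host (`Host *`) or for one named host, and this Python sketch audits an ssh client config to list each place DSA is re-enabled and how widely that block applies. The sample config and its hostnames are constructed, the function names are hypothetical, and `Match` blocks are not handled.

```python
import re

# Client options that can re-enable DSA (the last is the newer name of the second)
ALGO_OPTIONS = {"hostkeyalgorithms", "pubkeyacceptedkeytypes",
                "pubkeyacceptedalgorithms"}

def scope_of(patterns):
    """Classify how widely a Host block applies."""
    if "*" in patterns:
        return "all-hosts"
    return "wildcard" if any("*" in p or "?" in p for p in patterns) else "scoped"

def find_dss_overrides(config_text):
    """Return (host_patterns, option, scope) for every option enabling ssh-dss."""
    findings = []
    patterns = ["*"]  # options before the first Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts both "Keyword value" and "Keyword=value"
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            patterns = value.split()
        elif key in ALGO_OPTIONS and not value.startswith("-"):
            # "+list" appends, "^list" prepends, a bare list replaces; "-list" removes
            algos = value.lstrip("+^").split(",")
            if any(a.strip().startswith("ssh-dss") for a in algos):
                findings.append((tuple(patterns), key, scope_of(patterns)))
    return findings

# Constructed sample config (hostnames are placeholders, not from the page)
SAMPLE = """\
Host legacy-git.example.invalid
    HostKeyAlgorithms +ssh-dss
Host *.corp.example.invalid
    PubkeyAcceptedKeyTypes=+ssh-dss
Host bastion.example.invalid
    HostKeyAlgorithms -ssh-dss
Host *
    HostkeyAlgorithms +ssh-dss
    PubkeyAcceptedKeyTypes +ssh-dss
"""

if __name__ == "__main__":
    for hosts, option, scope in find_dss_overrides(SAMPLE):
        print(f"{scope:9} {option:24} Host {' '.join(hosts)}")
```

Entries reported as `all-hosts` or `wildcard` are the ones to narrow to the single server that still offers only a DSA host key.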