Linux Format

SSH problems


I am trying to connect to a remote server by SSH, using keys not passwords, but every time I try to connect I get this message:

Unable to negotiate with 82.917.814.129: no matching host key type found. Their offer: ssh-dss

I used to be able to connect to them so what has changed? Is it something at my end or theirs? I don’t control the server; I’m just a user and I’ve not changed anything on my side.

Bryan Edwards

You say you haven’t changed anything, but I suspect you have upgraded to a newer version of OpenSSH as part of your routine system updates. OpenSSH 7.0 changed the way it handles some of the older, weaker cryptographic protocols. They are still supported by OpenSSH but they are disabled by default. What has happened to you is that you are trying to connect to a server that only supports the ssh-dss (DSA) public key algorithm, which is considered weak by the OpenSSH developers.

The solution is to enable the ssh-dss algorithm and, because of its weakness, you should do so only for sites that absolutely need it. If you already have a host entry for this site in either /etc/ssh/ssh_config or ~/.ssh/config, add this directive to it:

HostKeyAlgorithms +ssh-dss

If you don’t have an entry for this site in either of those files, add one like this:

Host 82.917.814.129
    HostKeyAlgorithms +ssh-dss

If you usually use the hostname rather than the IP address to connect, you should put that in the Host line. If there’s a section starting with Host *, you must place your entry above it. This is because SSH uses the first entry that matches, so an earlier Host * section would mean that your addition is never seen. If this is a one-off connection and you don’t want to add the host to your config file, you can also enable the key algorithm on the command line for a single invocation of SSH:

ssh -oHostKeyAlgorithms=+ssh-dss user@hostname

The + in front of the algorithm’s name means that it’s added to the list of available algorithms, otherwise it would replace the list. This is important because it means that as soon as the site makes a stronger method available, OpenSSH will automatically use that with no action on your part. Omitting the + means you will always use the weaker method. There are similar restrictions on key exchange algorithms, which are handled similarly with the KexAlgorithms setting.
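The two rules the answer relies on, stanza ordering relative to Host * and the meaning of the leading +, can be checked without touching a live server. The script below is an added example, not part of the Linux Format answer or of OpenSSH: it feeds two constructed ssh_config fragments through a small awk model of ssh_config's "first value obtained wins" rule, reports whether the per-host entry would be shadowed, and shows how a + value is appended to a constructed stand-in default list rather than replacing it. Host patterns are simplified to * or an exact match; real ssh_config patterns are richer.

```shell
#!/bin/sh
# Added example, not from the Linux Format answer. It models two rules the
# answer relies on, using constructed ssh_config text fed through stdin:
#  1. ssh_config keeps the FIRST value it obtains for an option, across every
#     stanza whose Host pattern matches, so a per-host stanza placed below a
#     "Host *" stanza that already sets HostKeyAlgorithms is never used.
#  2. A leading "+" appends to the default algorithm list; no "+" replaces it.
# Host patterns are simplified here to "*" or an exact hostname match.
set -eu

# Constructed config with the per-host entry BELOW "Host *" (shadowed).
SHADOWED_CONFIG='Host *
    HostKeyAlgorithms ssh-ed25519,rsa-sha2-512

Host 82.917.814.129
    HostKeyAlgorithms +ssh-dss'

# Constructed config with the per-host entry ABOVE "Host *", as recommended.
CORRECT_CONFIG='Host 82.917.814.129
    HostKeyAlgorithms +ssh-dss

Host *
    HostKeyAlgorithms ssh-ed25519,rsa-sha2-512'

# Constructed stand-in for the client's default list (not OpenSSH's real one).
DEFAULTS='ssh-ed25519,rsa-sha2-512'

# effective_option HOST OPTION   (config text on stdin)
# Prints the value ssh would use for OPTION when connecting to HOST:
# walk top to bottom, track whether the current stanza matches HOST,
# and emit the first value seen for OPTION.
effective_option() {
    awk -v host="$1" -v opt="$2" '
        tolower($1) == "host" {
            in_match = 0
            for (i = 2; i <= NF; i++)
                if ($i == "*" || $i == host) in_match = 1
            next
        }
        in_match && !done && tolower($1) == tolower(opt) { print $2; done = 1 }
    '
}

# shadowed HOST OPTION   (config text on stdin)
# Succeeds (exit 0) when an exact "Host HOST" stanza sets OPTION but an
# earlier matching stanza already supplied a value, so the per-host one
# is silently ignored.
shadowed() {
    awk -v host="$1" -v opt="$2" '
        tolower($1) == "host" {
            in_match = 0; exact = 0
            for (i = 2; i <= NF; i++) {
                if ($i == host) { in_match = 1; exact = 1 }
                if ($i == "*")  in_match = 1
            }
            next
        }
        in_match && tolower($1) == tolower(opt) {
            if (!seen) { seen = 1; first_exact = exact }
            else if (exact) later_exact = 1
        }
        END { exit !(later_exact && !first_exact) }
    '
}

# resolve_algorithms DEFAULT_LIST VALUE
# Models how a HostKeyAlgorithms value is applied: "+name" is appended to
# the default list, a bare list replaces the defaults outright.
resolve_algorithms() {
    case "$2" in
        +*) printf '%s,%s\n' "$1" "${2#+}" ;;
        *)  printf '%s\n' "$2" ;;
    esac
}

demo() {
    printf 'shadowed config -> %s\n' \
        "$(printf '%s\n' "$SHADOWED_CONFIG" | effective_option 82.917.814.129 HostKeyAlgorithms)"
    if printf '%s\n' "$SHADOWED_CONFIG" | shadowed 82.917.814.129 HostKeyAlgorithms; then
        echo 'shadowed config -> per-host stanza is ignored; move it above "Host *"'
    fi
    printf 'correct config  -> %s\n' \
        "$(printf '%s\n' "$CORRECT_CONFIG" | effective_option 82.917.814.129 HostKeyAlgorithms)"
    printf 'with "+":    %s\n' "$(resolve_algorithms "$DEFAULTS" +ssh-dss)"
    printf 'without "+": %s\n' "$(resolve_algorithms "$DEFAULTS" ssh-dss)"
}
demo
```

On a machine with OpenSSH installed, the authoritative version of this check is `ssh -G -F ~/.ssh/config 82.917.814.129`, which prints the configuration ssh will actually apply for that host; if the hostkeyalgorithms line it prints does not contain ssh-dss, the per-host stanza is being shadowed or is not matching.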
