SSH to CentOS Server – Error “No Matching Host Key Type Found”


I just wanted to share a fix for the annoying SSH error you get when connecting to older Linux versions. I got this error when connecting to a vanilla CentOS 6.9 x64 installation.

Step 1 – Validate the Error

When you attempt to SSH to the server you will get this error:

Bash
ssh root@69.28.67.189

Unable to negotiate with 69.28.67.189 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss

# Note: This IP address no longer exists

This error means there’s a mismatch between the host key algorithms the SSH client (OpenSSH) is willing to accept and the host key types the server (CentOS 6.9) is offering: the two lists have nothing in common.

  • Host Keys:
    When you connect to a server via SSH, it presents a unique “host key.” Your client stores this key and checks it on every later connection to make sure you’re talking to the same server and not a malicious impostor (a man-in-the-middle attack).
  • Algorithms:
    There are different cryptographic algorithms for host keys. Older SSH versions (like the one on the CentOS 6.9 server) only offer outdated or weaker algorithms, like ssh-rsa and ssh-dss (DSA). Newer clients prefer stronger algorithms and drop the weak ones from their default list, so they refuse to connect when only the weaker options are available.

Step 2 – How to Fix Error

This command overrides your client’s default behavior for a single connection only:

Bash
ssh -oHostKeyAlgorithms=+ssh-dss root@69.28.67.189

#Example Output
#The authenticity of host '69.28.67.189 (69.28.67.189)' can't be established.
#DSA key fingerprint is SHA256:TBH5kXiO1PwljvFLAduE1+ddrCRjtxESeRo8O2K+FCs.
#This key is not known by any other names
#Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
#Warning: Permanently added '69.28.67.189' (DSA) to the list of known hosts.
root@69.28.67.189's password:
[root@CentosEOLDEMO ~]#


-oHostKeyAlgorithms=+ssh-dss: Tells your SSH client to explicitly include ssh-dss in the list of acceptable host key algorithms. The leading + appends ssh-dss to the client’s default list rather than replacing it, which lets the client successfully negotiate with the older CentOS server.

Step 3 – Need a Permanent Fix?

If you need this fix to be permanent, you can update your SSH config files to always allow ssh-dss. While not the best security practice, some users may have no other choice but to do this.

Client-Side Configuration (Less Secure):

You can modify your SSH client configuration (~/.ssh/config) to permanently accept ssh-dss. This is the simplest solution, but it’s important to be aware that it lowers your security slightly.

  • Edit Config: Open your SSH config file (~/.ssh/config) in a text editor. If it doesn’t exist, create it.
  • Add Lines: Add the following lines to the file:

Bash
# Replace 69.28.67.189 with your server's IP or hostname
Host 69.28.67.189
    HostKeyAlgorithms +ssh-dss

  • Save: Save the file and exit. Now your client will accept ssh-dss host keys when connecting to that specific server, and only that server.

Server-Side Configuration (Recommended):

This involves updating the SSH configuration on your CentOS 6.9 server. Check first that the server’s OpenSSH build supports the key type you choose (ssh -V shows the version); Ed25519 support in particular only arrived in later OpenSSH releases than CentOS 6 shipped with.

  • SSH Configuration: Edit the SSH daemon configuration file, usually located at /etc/ssh/sshd_config.
  • HostKey Line: Look for the lines starting with HostKey. Comment out any that point at the DSA or RSA key files (the ssh-dss and ssh-rsa algorithms) and add a line for a stronger key type, like:

Bash
# ECDSA key
HostKey /etc/ssh/ssh_host_ecdsa_key
# Or an Ed25519 key
HostKey /etc/ssh/ssh_host_ed25519_key

  • Generate Keys: If the specified keys don’t exist, generate them with these commands:

Bash
ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key
# Or
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key

  • Restart SSHD: Restart the SSH daemon to apply the changes:

Bash
service sshd restart

Upgrading CentOS (Best Long-Term Solution):

If possible, upgrading your CentOS server to a newer version (CentOS 7 or 8) is the best long-term solution. This would provide:

  • Security:
    Newer OpenSSH versions with stronger default algorithms.
  • Maintenance:
    Continued updates and support for your operating system.

Why It Happens

This issue arises due to a combination of factors:

  1. Older Server:
    CentOS 6.9 is an older distribution, and its SSH configuration has outdated defaults.
  2. Security Updates:
    Your SSH client (and modern OpenSSH in general) has been updated over time to prioritize stronger security. It may disable or deprecate older algorithms, like ssh-rsa and ssh-dss, because of their known weaknesses.

Important Considerations:

  • Temporary Solution:
    The command you used is a workaround. It’s not ideal for long-term use because ssh-dss is considered less secure.
  • Upgrading:
    If possible, consider upgrading your CentOS server to a newer version. This would likely allow it to use more modern and secure host key algorithms.
  • Alternative:
    If upgrading isn’t an option, you can configure your client to permanently accept ssh-dss. However, do so with caution, as it weakens the security of your SSH connections to that server.
Richard.Bailey