Module SSH no matching host key type found & Handshake failed: no matching host key format


I use the module SSH in my scenario, and from a few moments, the connexion to my server not work.

I Look, and I see that, the module ssh in make can’t connect to my server. I look the log on my server and I see :
Unable to negotiate with port 57967: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]

I read on internet, and a found some solution, experience, but nothing work …

I try to update the ~/.ssh/config file with
host *
HostKeyAlgorithms +ssh-rsa

but it s not work.

Are you a best practice to retablish the connection to my server ?


Hi @Jerome

Post a few screenshots of how you set up the connection or module, and hide credentials when you post this.

1 Like


I have try to recreate a pair of ssh2:256 key …

The log of ssh in debug mode when I try to valid the connexion beewten Make an my server …

sshd[12179]: debug3: fd 5 is not O_NONBLOCK
sshd[12179]: debug1: Forked child 12290.
sshd[12179]: debug3: send_rexec_state: entering fd = 8 config len 3364
sshd[12179]: debug3: ssh_msg_send: type 0
sshd[12179]: debug3: send_rexec_state: done
sshd[12290]: debug3: oom_adjust_restore
sshd[12290]: debug1: Set /proc/self/oom_score_adj to 0
sshd[12290]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
sshd[12290]: debug1: inetd sockets after dupping: 4, 4
sshd[12290]: Connection from port 43374 on port xxxx rdomain “”
sshd[12290]: debug1: Local version string SSH-2.0-OpenSSH_9.0p1 Debian-1+b1
sshd[12290]: debug1: Remote protocol version 2.0, remote software version ssh2js1.5.0
sshd[12290]: debug1: compat_banner: no match: ssh2js1.5.0
sshd[12290]: debug2: fd 4 setting O_NONBLOCK
sshd[12290]: debug3: ssh_sandbox_init: preparing seccomp filter sandbox
sshd[12290]: debug2: Network child is on pid 12291
sshd[12290]: debug3: preauth child monitor started
sshd[12290]: debug3: privsep user:group 107:65534 [preauth]
sshd[12290]: debug1: permanently_set_uid: 107/65534 [preauth]
sshd[12290]: debug3: ssh_sandbox_child: setting PR_SET_NO_NEW_PRIVS [preauth]
sshd[12290]: debug3: ssh_sandbox_child: attaching seccomp filter program [preauth]
sshd[12290]: debug3: append_hostkey_type: ssh-rsa key not permitted by HostkeyAlgorithms [preauth]
sshd[12290]: debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
sshd[12290]: debug3: send packet: type 20 [preauth]
sshd[12290]: debug1: SSH2_MSG_KEXINIT sent [preauth]
sshd[12290]: debug3: receive packet: type 20 [preauth]
sshd[12290]: debug1: SSH2_MSG_KEXINIT received [preauth]
sshd[12290]: debug2: local server KEXINIT proposal [preauth]
sshd[12290]: debug2: KEX algorithms:,curve25519-sha256,,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 [preauth]
sshd[12290]: debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
sshd[12290]: debug2: ciphers ctos:,aes128-ctr,aes192-ctr,aes256-ctr,, [preauth]
sshd[12290]: debug2: ciphers stoc:,aes128-ctr,aes192-ctr,aes256-ctr,, [preauth]
sshd[12290]: debug2: MACs ctos:,,,,,,,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
sshd[12290]: debug2: MACs stoc:,,,,,,,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
sshd[12290]: debug2: compression ctos: none, [preauth]
sshd[12290]: debug2: compression stoc: none, [preauth]
sshd[12290]: debug2: languages ctos: [preauth]
sshd[12290]: debug2: languages stoc: [preauth]
sshd[12290]: debug2: first_kex_follows 0 [preauth]
sshd[12290]: debug2: reserved 0 [preauth]
sshd[12290]: debug2: peer client KEXINIT proposal [preauth]
sshd[12290]: debug2: KEX algorithms:,curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group15-sha512,diffie-hellman-group16-sha512,diffie-hellman-group17-sha512,diffie-hellman-group18-sha512 [preauth]
sshd[12290]: debug2: host key algorithms: ssh-rsa,ssh-dss [preauth]
sshd[12290]: debug2: ciphers ctos:,,aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,blowfish-cbc,3des-cbc [preauth]
sshd[12290]: debug2: ciphers stoc:,,aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,blowfish-cbc,3des-cbc [preauth]
sshd[12290]: debug2: MACs ctos: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5 [preauth]
sshd[12290]: debug2: MACs stoc: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5 [preauth]
sshd[12290]: debug2: compression ctos: none,,zlib [preauth]
sshd[12290]: debug2: compression stoc: none,,zlib [preauth]
sshd[12290]: debug2: languages ctos: [preauth]
sshd[12290]: debug2: languages stoc: [preauth]
sshd[12290]: debug2: first_kex_follows 0 [preauth]
sshd[12290]: debug2: reserved 0 [preauth]
sshd[12290]: debug1: kex: algorithm: [preauth]
sshd[12290]: debug1: kex: host key algorithm: (no match) [preauth]
sshd[12290]: Unable to negotiate with port 43374: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
sshd[12290]: debug1: do_cleanup [preauth]
sshd[12290]: debug3: PAM: sshpam_thread_cleanup entering [preauth]
sshd[12290]: debug1: monitor_read_log: child log fd closed
sshd[12290]: debug3: mm_request_receive: entering
sshd[12290]: debug1: do_cleanup
sshd[12290]: debug3: PAM: sshpam_thread_cleanup entering
sshd[12290]: debug1: Killing privsep child 12291
sshd[12290]: debug1: audit_event: unhandled event 12

Did you ever get this resolved? I have a very similar issue that only started after I upgraded to the latest Ubuntu and made the fatal error of allowing the update to change the sshd config file.

But yeah I’m in the same boat:
sshd[39522]: Unable to negotiate with port 7013: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]

Someone please help, I’ve been trying to figure this out for hours and haven’t made any progress. It worked for months before this and I have a deadline tomorrow :frowning:

Did you get this resolved? Trying to connect an SFTP server and running into same issues.

Hi have exact same issue with SSH module, how did you solve this issue please ?

I have not found some solution …

I will have to try this out and see if I can figure out the issue pertaining this.

Few questions though,

  1. Are you using any algorithm values in SSH module?
  2. Would it be possible for you to share content of ~/.ssh/config file?
1 Like

I have the same issue. In Addition when I try to switch to Private Key I get another error “Invalid private key in parameter ‘privateKey’.”

Somebody any ideas?

Include /etc/ssh/sshd_config.d/*.conf

#Port 22
#AddressFamily any
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes

X11Forwarding no
PrintMotd no
ClientAliveInterval 400
ClientAliveCountMax 3

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*


Subsystem       sftp    internal-sftp
Match user REDACTED
  ForceCommand internal-sftp


I have the same issue with “Handshake failed: no matching host key format”. Does anyone know how to fix this problem?

Hi @Mateusz1 ,

Your problem is not extensively described, but I think that there is something interesting here.



Hey folks!

After being affected myself, I did some trial and error and found a solution.

Manually setting the Server Host key worked for me!


Make confirmed it’s a bug on their end, but this should work for now


btw I heard back from the Make team that this is solved just in case someone comes across the thread :wink:

1 Like