Module SSH no matching host key type found & Handshake failed: no matching host key format

Jerome · September 30, 2022, 6:47am

Hello,

I use the module SSH in my scenario, and from a few moments, the connexion to my server not work.

I Look, and I see that, the module ssh in make can’t connect to my server. I look the log on my server and I see :
Unable to negotiate with 54.78.149.203 port 57967: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]

I read on internet, and a found some solution, experience, but nothing work …

I try to update the ~/.ssh/config file with
host *
HostKeyAlgorithms +ssh-rsa

but it s not work.

Are you a best practice to retablish the connection to my server ?

Cdt

make_expert · September 30, 2022, 10:57am

Hi @Jerome

Post a few screenshots of how you set up the connection or module, and hide credentials when you post this.

Jerome · September 30, 2022, 11:54am

I have try to recreate a pair of ssh2:256 key …

Jerome · September 30, 2022, 12:53pm

The log of ssh in debug mode when I try to valid the connexion beewten Make an my server …

sshd[12179]: debug3: fd 5 is not O_NONBLOCK
sshd[12179]: debug1: Forked child 12290.
sshd[12179]: debug3: send_rexec_state: entering fd = 8 config len 3364
sshd[12179]: debug3: ssh_msg_send: type 0
sshd[12179]: debug3: send_rexec_state: done
sshd[12290]: debug3: oom_adjust_restore
sshd[12290]: debug1: Set /proc/self/oom_score_adj to 0
sshd[12290]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
sshd[12290]: debug1: inetd sockets after dupping: 4, 4
sshd[12290]: Connection from 54.78.149.203 port 43374 on xxx.xxx.xxx.xxxx port xxxx rdomain “”
sshd[12290]: debug1: Local version string SSH-2.0-OpenSSH_9.0p1 Debian-1+b1
sshd[12290]: debug1: Remote protocol version 2.0, remote software version ssh2js1.5.0
sshd[12290]: debug1: compat_banner: no match: ssh2js1.5.0
sshd[12290]: debug2: fd 4 setting O_NONBLOCK
sshd[12290]: debug3: ssh_sandbox_init: preparing seccomp filter sandbox
sshd[12290]: debug2: Network child is on pid 12291
sshd[12290]: debug3: preauth child monitor started
sshd[12290]: debug3: privsep user:group 107:65534 [preauth]
sshd[12290]: debug1: permanently_set_uid: 107/65534 [preauth]
sshd[12290]: debug3: ssh_sandbox_child: setting PR_SET_NO_NEW_PRIVS [preauth]
sshd[12290]: debug3: ssh_sandbox_child: attaching seccomp filter program [preauth]
sshd[12290]: debug3: append_hostkey_type: ssh-rsa key not permitted by HostkeyAlgorithms [preauth]
sshd[12290]: debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
sshd[12290]: debug3: send packet: type 20 [preauth]
sshd[12290]: debug1: SSH2_MSG_KEXINIT sent [preauth]
sshd[12290]: debug3: receive packet: type 20 [preauth]
sshd[12290]: debug1: SSH2_MSG_KEXINIT received [preauth]
sshd[12290]: debug2: local server KEXINIT proposal [preauth]
sshd[12290]: debug2: KEX algorithms: sntrup761x25519-sha512@openssh.com ,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 [preauth]
sshd[12290]: debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
sshd[12290]: debug2: ciphers ctos: chacha20-poly1305@openssh.com ,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com ,aes256-gcm@openssh.com [preauth]
sshd[12290]: debug2: ciphers stoc: chacha20-poly1305@openssh.com ,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com ,aes256-gcm@openssh.com [preauth]
sshd[12290]: debug2: MACs ctos: umac-64-etm@openssh.com ,umac-128-etm@openssh.com ,hmac-sha2-256-etm@openssh.com ,hmac-sha2-512-etm@openssh.com ,hmac-sha1-etm@openssh.com ,umac-64@openssh.com ,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
sshd[12290]: debug2: MACs stoc: umac-64-etm@openssh.com ,umac-128-etm@openssh.com ,hmac-sha2-256-etm@openssh.com ,hmac-sha2-512-etm@openssh.com ,hmac-sha1-etm@openssh.com ,umac-64@openssh.com ,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
sshd[12290]: debug2: compression ctos: none,zlib@openssh.com [preauth]
sshd[12290]: debug2: compression stoc: none,zlib@openssh.com [preauth]
sshd[12290]: debug2: languages ctos: [preauth]
sshd[12290]: debug2: languages stoc: [preauth]
sshd[12290]: debug2: first_kex_follows 0 [preauth]
sshd[12290]: debug2: reserved 0 [preauth]
sshd[12290]: debug2: peer client KEXINIT proposal [preauth]
sshd[12290]: debug2: KEX algorithms: curve25519-sha256@libssh.org,curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group15-sha512,diffie-hellman-group16-sha512,diffie-hellman-group17-sha512,diffie-hellman-group18-sha512 [preauth]
sshd[12290]: debug2: host key algorithms: ssh-rsa,ssh-dss [preauth]
sshd[12290]: debug2: ciphers ctos: aes256-gcm@openssh.com ,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,blowfish-cbc,3des-cbc [preauth]
sshd[12290]: debug2: ciphers stoc: aes256-gcm@openssh.com ,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,blowfish-cbc,3des-cbc [preauth]
sshd[12290]: debug2: MACs ctos: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5 [preauth]
sshd[12290]: debug2: MACs stoc: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5 [preauth]
sshd[12290]: debug2: compression ctos: none,zlib@openssh.com,zlib [preauth]
sshd[12290]: debug2: compression stoc: none,zlib@openssh.com,zlib [preauth]
sshd[12290]: debug2: languages ctos: [preauth]
sshd[12290]: debug2: languages stoc: [preauth]
sshd[12290]: debug2: first_kex_follows 0 [preauth]
sshd[12290]: debug2: reserved 0 [preauth]
sshd[12290]: debug1: kex: algorithm: curve25519-sha256@libssh.org [preauth]
sshd[12290]: debug1: kex: host key algorithm: (no match) [preauth]
sshd[12290]: Unable to negotiate with 54.78.149.203 port 43374: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
sshd[12290]: debug1: do_cleanup [preauth]
sshd[12290]: debug3: PAM: sshpam_thread_cleanup entering [preauth]
sshd[12290]: debug1: monitor_read_log: child log fd closed
sshd[12290]: debug3: mm_request_receive: entering
sshd[12290]: debug1: do_cleanup
sshd[12290]: debug3: PAM: sshpam_thread_cleanup entering
sshd[12290]: debug1: Killing privsep child 12291
sshd[12290]: debug1: audit_event: unhandled event 12

optimal_prime · December 5, 2022, 6:36pm

Did you ever get this resolved? I have a very similar issue that only started after I upgraded to the latest Ubuntu and made the fatal error of allowing the update to change the sshd config file.

But yeah I’m in the same boat:
sshd[39522]: Unable to negotiate with 54.80.47.193 port 7013: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]

Someone please help, I’ve been trying to figure this out for hours and haven’t made any progress. It worked for months before this and I have a deadline tomorrow

Drew_QCK · March 10, 2023, 5:41pm

Did you get this resolved? Trying to connect an SFTP server and running into same issues.

Axel_Priam · April 7, 2023, 11:45am

Hi,
Hi have exact same issue with SSH module, how did you solve this issue please ?
Thanks

Jerome · April 7, 2023, 11:57am

I have not found some solution …

Runcorn · April 7, 2023, 12:12pm

I will have to try this out and see if I can figure out the issue pertaining this.

Few questions though,

Are you using any algorithm values in SSH module?
Would it be possible for you to share content of ~/.ssh/config file?

kkr_office · September 13, 2023, 2:36pm

I have the same issue. In Addition when I try to switch to Private Key I get another error “Invalid private key in parameter ‘privateKey’.”

Somebody any ideas?

Include /etc/ssh/sshd_config.d/*.conf

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication no


# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes

X11Forwarding no
PrintMotd no
ClientAliveInterval 400
ClientAliveCountMax 3

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*


AllowUsers REDACTED


Subsystem       sftp    internal-sftp
Match user REDACTED
  ForceCommand internal-sftp