Unable to negotiate with XX XXX XX XX no matching host key type found Their offer ssh-dss

Question

I am trying to create a git repository on my web host and clone it on my computer  Here s what I did    I created a repository on the remote server  I generated a key pair  ssh-keygen -t dsa  I added my key to ssh-agent  I copied to the server public key in    ssh    And then  after an attempt to run the command git clone ssh   user host path-to-repository  I get an error      Unable to negotiate with XX XXX XX XX  no matching host key type found  Their offer  ssh-dss   fatal  Could not read from remote repository    Please make sure you have the correct access rights and the repository exists    What does that mean

User · Accepted Answer

The recent openssh version deprecated DSA keys by default. You should suggest to your GIT provider to add some reasonable host key. Relying only on DSA is not a good idea.

As a workaround, you need to tell your ssh client that you want to accept DSA host keys, as described in the official documentation for legacy usage. You have few possibilities, but I recommend to add these lines into your ~/.ssh/config file:

Host your-remote-host
    HostkeyAlgorithms +ssh-dss

Other possibility is to use environment variable GIT_SSH to specify these options:

GIT_SSH_COMMAND="ssh -oHostKeyAlgorithms=+ssh-dss" git clone ssh://user@host/path-to-repository

User · Answer

If you re like me  and would rather not make this security hole system or user-wide  then you can add a config option to any git repos that need this by running this command in those repos   note only works with git version    2 10  released 2016-09-04   git config core sshCommand  ssh -oHostKeyAlgorithms  ssh-dss    This only works after the repo is setup however  If you re not comfortable adding a remote manually  and just want to clone  then you can run the clone like this   GIT SSH COMMAND  ssh -oHostKeyAlgorithms  ssh-dss  git clone ssh   user host path-to-repository   then run the first command to make it permanent   If you don t have the latest  and still would like to keep the hole as local as possible I recommend putting  export GIT SSH COMMAND  ssh -oHostKeyAlgorithms  ssh-dss    in a file somewhere  say git ssh allow dsa keys sh  and sourceing it when needed

User · Answer

How would one specify multiple algorithms   I ask because git just updated on my work laptop   Windows 10  using the official Git for Windows build   and I got this error when I tried to push a project branch to my Azure DevOps remote   I tried to push --set-upstream and got this   Unable to negotiate with 20 44 80 98 port 22  no matching key exchange method found  Their offer  diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 fatal  Could not read from remote repository   Please make sure you have the correct access rights and the repository exists    So how would one implement the suggestions above allowing for both of those    As a quick get-it-done  I used  golvok s solution with group14 and it worked  but I really don t know if 1 or 14 is better  etc

User · Answer

For me this worked   added into  ssh config    Host   HostkeyAlgorithms  ssh-dss PubkeyAcceptedKeyTypes  ssh-dss

User · Answer

You either follow above approach or this one  Create the config file in the  ssh directory and add these line   host xxx xxx  Hostname xxx xxx  IdentityFile    ssh id rsa  User xxx  KexAlgorithms  diffie-hellman-group1-sha1

User · Answer

You can also add -oHostKeyAlgorithms  ssh-dss in your ssh line   ssh -oHostKeyAlgorithms  ssh-dss user host

User · Answer

I want to collaborate a little with the solution for the server side  So  the server is saying it does not support DSA  this is because the openssh client does not activate it by default      OpenSSH 7 0 and greater similarly disable the ssh-dss  DSA  public key algorithm  It too is weak and we recommend against its use     So  to fix this this in the server side I should activate other Key algorithms like RSA o ECDSA  I just had this problem with a server in a lan  I suggest the following   Update the openssh   yum update openssh-server   Merge new configurations in the sshd config if there is a sshd config rpmnew   Verify there are hosts keys at  etc ssh   If not generate new ones  see man ssh-keygen     ll  etc ssh  total 580 -rw-r--r--  1 root root     553185 Mar  3  2017 moduli -rw-r--r--  1 root root       1874 Mar  3  2017 ssh config drwxr-xr-x  2 root root       4096 Apr 17 17 56 ssh config d -rw-------  1 root root       3887 Mar  3  2017 sshd config -rw-r-----  1 root ssh keys    227 Aug 30 15 33 ssh host ecdsa key -rw-r--r--  1 root root        162 Aug 30 15 33 ssh host ecdsa key pub -rw-r-----  1 root ssh keys    387 Aug 30 15 33 ssh host ed25519 key -rw-r--r--  1 root root         82 Aug 30 15 33 ssh host ed25519 key pub -rw-r-----  1 root ssh keys   1675 Aug 30 15 33 ssh host rsa key -rw-r--r--  1 root root        382 Aug 30 15 33 ssh host rsa key pub   Verify in the  etc ssh sshd config the HostKey configuration  It should allow the configuration of RSA and ECDSA   If all of them are commented by default it will allow too the RSA  see in man sshd config the part of HostKey      HostKey for protocol version 1  HostKey  etc ssh ssh host key   HostKeys for protocol version 2 HostKey  etc ssh ssh host rsa key  HostKey  etc ssh ssh host dsa key HostKey  etc ssh ssh host ecdsa key HostKey  etc ssh ssh host ed25519 key   For the client side  create a key for ssh  not a DSA like in the question  by just doing this   ssh-keygen   After this  because there are more options than ssh-dss DSA  the client openssh    v7  should connect with RSA or better algorithm   Here another good article   This is my first question answered  I welcome suggestions  D

[ssh] Unable to negotiate with XX.XXX.XX.XX: no matching host key type found. Their offer: ssh-dss

Examples related to ssh

Examples related to web-hosting