Thursday 12 May 2022

[Solved] SSH and Gitlab negotiate error "no matching host key type found"

When using new Linux operating systems like Ubuntu 22.04 you may have trouble with SSH when you want to connect to old Linux servers.

Unable to negotiate with ***.***.***.*** port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss

This error can occur when you connect to an old server directly over SSH, or when you use Git, SVN, or any other software that runs over the SSH protocol.


To establish an SSH connection, the server and the client must negotiate algorithms that both sides support, including the host key algorithm the server uses to identify itself. OpenSSH in older OS versions such as CentOS 6 only supports the old host key types ssh-rsa and ssh-dss. These two are outdated and potentially dangerous, so newer versions of OpenSSH disable them by default. Newer commonly used types are ssh-ed25519, ecdsa-sha2 ...


To solve this error, configure SSH on the new machine (the client) to accept the old ssh-rsa or ssh-dss type (just one is enough). We suggest two solutions for doing that.

Solution 1:

Enable the ssh-dss or ssh-rsa algorithm for SSH on your new machine.

To do so, open the file "~/.ssh/config":

vi ~/.ssh/config

Then add the following content to the file (change ssh-rsa to ssh-dss if your old server only supports that):

Host *
HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa

Done! You can now connect to old servers over SSH from the terminal as usual. However, if you are using Git over SSH with a privateKey file, this will not work (see the Git/Gitlab fix below).

Tip: you can also restrict these old algorithms to a single IP by replacing "Host *" with "Host oldserverIP" in the section above. This keeps them disabled for every other host, which is more secure.
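To check how widely a client config has re-enabled the legacy algorithms, the following added example (not from the original post) parses ssh_config text and reports each line that turns on ssh-rsa or ssh-dss, marking blocks whose Host pattern contains a wildcard. The sample config, the 192.0.2.10 address and the function name are constructed for illustration; Match blocks are treated conservatively as applying to all hosts.

```python
import re

LEGACY = {"ssh-rsa", "ssh-dss"}
KEYWORDS = {"hostkeyalgorithms", "pubkeyacceptedalgorithms", "pubkeyacceptedkeytypes"}
# ssh_config accepts "Keyword value" and "Keyword=value"; comment lines never match.
LINE = re.compile(r"^\s*([A-Za-z]+)(?:\s*=\s*|\s+)(.*?)\s*$")

def audit(config_text):
    """Return (host_patterns, keyword, legacy_algorithms, is_broad) per offending line."""
    findings = []
    patterns = ["*"]  # options before the first Host line apply to every host
    for raw in config_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "host":
            patterns = value.split()
        elif key == "match":
            patterns = ["*"]  # assumption: treat Match blocks as broad
        elif key in KEYWORDS and not value.startswith("-"):  # "-" removes algorithms
            algos = LEGACY & set(value.lstrip("+^").split(","))
            if algos:
                broad = any(("*" in p or "?" in p) and not p.startswith("!")
                            for p in patterns)
                findings.append((tuple(patterns), m.group(1), sorted(algos), broad))
    return findings

# Constructed sample ~/.ssh/config: one scoped block, one global block.
SAMPLE = """\
# constructed sample
Host 192.0.2.10
    HostKeyAlgorithms=+ssh-rsa,ssh-dss
    PubkeyAcceptedAlgorithms +ssh-rsa

Host newserver
    HostKeyAlgorithms ssh-ed25519

Host *
    HostkeyAlgorithms +ssh-rsa
    PubkeyAcceptedKeyTypes +ssh-rsa
"""

if __name__ == "__main__":
    for hosts, keyword, algos, broad in audit(SAMPLE):
        scope = "ALL HOSTS, narrow this" if broad else "scoped"
        print(f"Host {' '.join(hosts)}: {keyword} enables {','.join(algos)} [{scope}]")
```
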

Solution 2:

Enable the ssh-dss or ssh-rsa algorithm only for the connection that needs it by adding options to the ssh command (replace user@oldserverIP with your own login and server):

ssh -oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedAlgorithms=+ssh-rsa user@oldserverIP

Done!

Fix negotiate error for Git/Gitlab via ssh privateKey file

With Git, edit the project's config file as follows:

vi yourProjectPath/.git/config

[core]
        repositoryformatversion = 0
        filemode = true
        bare = false
        logallrefupdates = true
        sshCommand = ssh -oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedAlgorithms=+ssh-rsa -oIdentitiesOnly=yes -i /yourPath/privateKeyFile.ppk -F /dev/null

Done! Git can now connect to the server normally, and it automatically uses the privateKey file to log in instead of asking for a password.

