Imagine you've just updated your laptop's operating system (OS). Now, you're trying to connect to your old machine (let's call it your "server") using SSH. You use a command like this:
ssh -p 2222 jay@jpudasaini.com.np
- ssh: This is the command to initiate an SSH (Secure Shell) connection.
- -p 2222: This specifies that you're connecting to port 2222, not the default SSH port 22.
- jay@jpudasaini.com.np: This is your username (jay) and the address of your server (jpudasaini.com.np).
However, instead of a login prompt, you get this error:
Unable to negotiate with 192.168.156.101 port 2222: no matching host key type found. Their offer: ssh-dss
What Does This Error Mean?
This error indicates a mismatch in the security algorithms used by your updated laptop and your older server. Here's the breakdown:
- Host Key Algorithms: SSH uses "host key algorithms" to verify the identity of the server you're connecting to. These algorithms ensure you're not connecting to a malicious imposter.
- ssh-dss: The error message says "Their offer: ssh-dss." This means your server is offering to use the ssh-dss algorithm, also known as DSA (Digital Signature Algorithm).
- No Matching Host Key Type Found: Your updated laptop's SSH client, for security reasons, likely has disabled or removed support for the ssh-dss algorithm. DSA is now considered outdated and less secure.
- 192.168.156.101: This is the local IP address of the server.
The Solution: Explicitly Allow ssh-dss (Temporarily)
To connect to your server, you need to tell your laptop's SSH client to allow the ssh-dss algorithm. This is done with the -oHostKeyAlgorithms=+ssh-dss option.
Step-by-Step Instructions:
- Open Your Terminal: On your laptop, open a terminal or command prompt.
- Run the Modified SSH Command: Type the following command and press Enter:
  ssh -oHostKeyAlgorithms=+ssh-dss -p 2222 jay@jpudasaini.com.np
  - -oHostKeyAlgorithms=+ssh-dss: This option tells SSH to add the ssh-dss algorithm to the list of allowed host key algorithms.
  - The other parameters are the same as before.
- Host Key Verification: You'll see a warning message like this:
  The authenticity of host '[jpudasaini.com.np]:2222 ([192.168.156.101]:2222)' can't be established. DSA key fingerprint is SHA256:J#$/zFpzr05gdfrshufHHOQvss6NQcEpPMgKlibTc. Are you sure you want to continue connecting (yes/no)?
  - This message is a security measure. It's asking you to verify the server's identity.
  - If this is your server, type yes and press Enter.
- Add to Known Hosts: You'll see this message:
  Warning: Permanently added '[jpudasaini.com.np]:2222,[192.168.156.101]:2222' (DSA) to the list of known hosts.
  - This means your laptop has added the server's host key to a list of trusted hosts.
- Enter Your Password: You'll be prompted for your password:
  Password:
  - Type your password and press Enter.
- Successful Login: If your password is correct, you'll be logged in to your server.
Important Considerations:
- Security Risk: Enabling ssh-dss is a temporary workaround. DSA is considered less secure.
- Update Your Server: The best long-term solution is to update your server's SSH configuration to use stronger algorithms, such as rsa-sha2-512, ecdsa-sha2-nistp256, or ed25519.
- Known Hosts File: The known_hosts file stores the host keys of servers you've connected to. It's located in your home directory (~/.ssh/known_hosts).
How to update your server to use better algorithms:
- Log in to the server: Use the above solution to log in to the server.
- Edit the sshd_config file: Use a text editor like nano or vim to edit the /etc/ssh/sshd_config file.
  sudo nano /etc/ssh/sshd_config
- Find the HostKeyAlgorithms line: Add or edit the line so that it lists the better algorithms. sshd can only offer an algorithm for which it has a host key of the matching type, so the server also needs RSA, ECDSA or Ed25519 host keys configured.
  HostKeyAlgorithms rsa-sha2-512,ecdsa-sha2-nistp256,ssh-ed25519
- Restart the ssh service:
  sudo systemctl restart sshd
By following these steps, you can resolve the SSH connection issue and regain access to your server. Remember to prioritize updating your server's SSH configuration for long-term security.
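Once the server offers a stronger host key, the DSA entry that the workaround saved in known_hosts is stale and should be found and removed. The following is an added example, not part of the original post: the function name, the sample file and its placeholder key blobs are constructed for illustration.

```shell
#!/bin/sh
# Added example: list known_hosts entries that pin a DSA (ssh-dss) host key.
# Prints "<line-number> <host-pattern>" for each match.
# Exit status: 0 if no ssh-dss entries were found, 1 if at least one remains.
find_dsa_known_hosts() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }    # skip blank lines and comments
        {
            i = 1
            if ($1 ~ /^@/) i = 2         # skip an @cert-authority / @revoked marker
            if ($(i + 1) == "ssh-dss") { # the field after the host pattern is the key type
                print NR, $i
                found = 1
            }
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# Constructed sample file for trying the function offline.
# The key blobs are placeholders, not real keys.
make_sample_known_hosts() {
    cat > "$1" <<'EOF'
# constructed sample
[jpudasaini.com.np]:2222,[192.168.156.101]:2222 ssh-dss AAAAPLACEHOLDERDSA
example.invalid ssh-ed25519 AAAAPLACEHOLDERED25519
@revoked old.example.invalid ssh-dss AAAAPLACEHOLDERREVOKED
|1|c2FsdA==|aGFzaA== ssh-rsa AAAAPLACEHOLDERRSA
EOF
}
```

Run it as `find_dsa_known_hosts ~/.ssh/known_hosts`; a reported entry can then be removed with `ssh-keygen -R '[jpudasaini.com.np]:2222'`, so the next connection pins the server's new host key instead.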