Sometimes you have some kit that is just old and doesn’t support the recent (and secure) key algorithms. If your client doesn’t have the right algorithms enabled, the client and the server can’t agree on a mutually supported set, and you’ll see an error such as:
Unable to negotiate with 192.168.52.50 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
If you need to connect (with some consideration of the security implications) you can use something like the below.
The “-v” means verbose: when connecting you can see what the end point is offering, then adjust the options to the algorithms your situation needs. Here’s an example:
ssh -v username@server1.domain.com -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-dss -c aes256-cbc
You can do the same sort of thing for SCP, for example:
scp -o HostKeyAlgorithms=ssh-rsa,ssh-dss myfile myusername@server.domain.com:
If you need to ssh to older switches from a much newer version of ssh, then you’ll need to add something like:
Host *
    KexAlgorithms +diffie-hellman-group1-sha1
    HostkeyAlgorithms +ssh-dss,ssh-rsa
    PubkeyAcceptedKeyTypes +ssh-dss,ssh-rsa
    Ciphers +aes256-cbc,3des-cbc
to your ~/.ssh/config
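A “Host *” block enables the legacy algorithms for every server you connect to, so a stanza scoped to the one old device is the tighter option. The script below is an added example, not part of the original post: it takes the “Unable to negotiate” line and prints a Host block for just that peer, enabling only what that peer offered. The function names option_for and legacy_stanza are hypothetical.

```shell
#!/bin/sh
# Added example: turn an OpenSSH "Unable to negotiate" error into a
# host-scoped ~/.ssh/config stanza instead of widening "Host *".

# Map the "no matching ... found" phrase OpenSSH prints to the ssh_config keyword.
option_for() {
    case "$1" in
        "key exchange method") echo KexAlgorithms ;;
        "host key type")       echo HostKeyAlgorithms ;;
        "cipher")              echo Ciphers ;;
        "MAC")                 echo MACs ;;
        *) return 1 ;;
    esac
}

# legacy_stanza "<error line>" -> prints a Host block for that one peer.
legacy_stanza() {
    line=$1
    case "$line" in
        "Unable to negotiate with "*": no matching "*" found. Their offer: "*) ;;
        *) echo "not a negotiation error" >&2; return 1 ;;
    esac
    host=${line#"Unable to negotiate with "}
    host=${host%%" port "*}
    what=${line#*": no matching "}
    what=${what%%" found."*}
    offer=${line##*"Their offer: "}
    opt=$(option_for "$what") || { echo "unknown category: $what" >&2; return 1; }
    # Only a plain algorithm list and a plain host may reach a config file.
    case "$offer" in
        ""|*[!A-Za-z0-9@.,_-]*) echo "unexpected characters in offer" >&2; return 1 ;;
    esac
    case "$host" in
        ""|*[!A-Za-z0-9.:_-]*) echo "unexpected host" >&2; return 1 ;;
    esac
    printf 'Host %s\n    %s +%s\n' "$host" "$opt" "$offer"
}

# Constructed sample input: the error line quoted earlier on this page.
legacy_stanza 'Unable to negotiate with 192.168.52.50 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss'
```

Host patterns are matched against the name you type on the command line, so replace the address in the output with the hostname if that is how you connect. Negotiation stops at the first mismatch, so an old device may need the script run again on the next error it produces.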