{"id":4264,"date":"2024-09-29T10:18:23","date_gmt":"2024-09-29T10:18:23","guid":{"rendered":"https:\/\/geekmungus.co.uk\/?p=4264"},"modified":"2026-02-09T11:29:50","modified_gmt":"2026-02-09T11:29:50","slug":"ssh-legacy-key-algorithms","status":"publish","type":"post","link":"https:\/\/geekmungus.co.uk\/?p=4264","title":{"rendered":"SSH Legacy Key Algorithms"},"content":{"rendered":"\n

Sometimes you have some kit that is just old and isn’t supporting the recent (and secure) key algorithms. If you connect from a client without the correct set of ciphers available, so the client and the server can come to some agreement on a mutually supported cipher set, you’ll see an error such as:<\/p>\n\n\n\n

Unable to negotiate with 192.168.52.50 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss<\/code><\/pre>\n\n\n\n
If you need to connect (with some consideration of the security implications) you can use something like the below.<\/p>\n\n\n\n
The “-v” means verbose, you can see when connecting what the end point is offering, then you can adjust as needed to tweak to the correct ciphers for your situation. Here’s an example:<\/p>\n\n\n\n
ssh -v username@server1.domain.com -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-dss -c aes256-cbc<\/code><\/pre>\n\n\n\n
You can also do the same sort of thing for SCP as well, for example:<\/p>\n\n\n\n
scp -o HostKeyAlgorithms=ssh-rsa,ssh-dss myfile myusername@server.domain.com:<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
Sometimes you have some kit that is just old and isn’t supporting the recent (and secure) key algorithms. If you connect from a client without the correct set of ciphers available, so the client and the server can come to some agreement on a mutually supported cipher set, you’ll see an error such as: If … Read more<\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,20,22],"tags":[],"class_list":["post-4264","post","type-post","status-publish","format-standard","hentry","category-linux","category-random","category-security"],"_links":{"self":[{"href":"https:\/\/geekmungus.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/4264","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/geekmungus.co.uk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/geekmungus.co.uk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/geekmungus.co.uk\/index.php?rest_route=\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/geekmungus.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4264"}],"version-history":[{"count":3,"href":"https:\/\/geekmungus.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/4264\/revisions"}],"predecessor-version":[{"id":4891,"href":"https:\/\/geekmungus.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/4264\/revisions\/4891"}],"wp:attachment":[{"href":"https:\/\/geekmungus.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4264"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/geekmungus.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4264"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/geekmungus.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4264"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}