45

I have an issue while trying to use the SSH command on my Kali Linux system (version 16.0-kali6-amd64, 2022-03-23). I'm attempting to authenticate using an OpenSSH private key.

I started by using the following command:

ssh -i id_rsa root@<ip> 

However, this resulted in the following error:

Unable to negotiate with port 22: no matching host key type found. Their offer: ssh-rsa, ssh-dss

After some research, I tried the following command to address the issue:

ssh -oHostKeyAlgorithms=+ssh-dss -i id_rsa root@<ip> 

But with this command, it prompted me for a password even though I intended to use the id_rsa key for authentication.

In the verbose output, I noticed the following messages:

  • "No such directory for 'load_hostkeys'"
  • "DSA host key found"
  • "Get agent_identities: agent contains no identities, will attempt some key (explicitly)"
  • "send_pubkey_test: no mutual signature algorithm"

The authentication process then attempted to use a password and provided a prompt.

I need assistance with using my OpenSSH private key for SSH authentication.

6
  • 5
    OpenSSH since 7.0 doesn't accept hostkey ssh-dss and you must add it, similarly since 8.8 it doesn't use client ssh-rsa and you must add that with -oPubkeyAcceptedAlgorithms=+ssh-rsa. (It will still use client RSA key with the newer rsa-sha2 algorithms, but your server is obviously old and doesn't support those.) See unix.stackexchange.com/questions/410468/… and cross serverfault.com/questions/1092998/… .
    Commented Apr 16, 2022 at 1:45
  • What's running on the server side? It's clearly out of date and doesn't support any modern algorithms.
    – bk2204
    Commented Apr 16, 2022 at 11:47
  • @dave_thompson_085, Thanks for the great answer, I think this should help.
    Commented Apr 17, 2022 at 3:26
  • @bk2204, yes, the server-side ssh is older than what I have on my machine.
    Commented Apr 17, 2022 at 3:26
  • @dave_thompson_085, Thank you, this solved the problem.
    Commented Apr 17, 2022 at 12:07

5 Answers

64

As mentioned by @dave_thompson, you can use an additional argument when using ssh:

ssh -v -oHostKeyAlgorithms=+ssh-rsa username@ipaddress 

As another alternative, if you often access the server via ssh, you can create a file named config in the folder .ssh, and then add this key inside the config file:

Host [ipaddress]
    HostKeyAlgorithms=+ssh-rsa

This config file has the same result as the first way.

4
  • 2
    That inline flag also works with SFTP over SSH: sudo sftp -oHostKeyAlgorithms=+ssh-rsa username@ipaddress ... I mention this because there is not much in Google results in regard to SFTP solutions for outdated remote servers.
    Commented Feb 12, 2023 at 16:23
  • In other words, the first line should read something like Host 192.168.1.1 👍
    Commented Jun 27, 2023 at 22:59
  • 2
    In addition to HostKeyAlgorithms=+ssh-rsa, I had to add PubkeyAcceptedAlgorithms=+ssh-rsa to the config. I am on macOS 13.5 connecting to my home router.
    Commented Jul 29, 2023 at 18:19
  • I had to add the PubkeyAcceptedAlgorithms, and I had to do it for the DNS name of the server (not the IP!).
    – fraber
    Commented Dec 25, 2024 at 21:08
4

For Fedora release 38 (Thirty Eight):

Add one of these code blocks to ~/.ssh/config:

Host ip.ip.ip.ip
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa

Host ip.ip.ip.ip
    HostKeyAlgorithms=+ssh-rsa
    PubkeyAcceptedAlgorithms=+ssh-rsa

All works.

2
  • 1
    This works for Fedora 39 too in Feb 2024
    – aafirvida
    Commented Feb 6, 2024 at 2:55
  • I ended up with this command ssh -oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedAlgorithms=+ssh-rsa [email protected]
    Commented Jul 3, 2024 at 8:44
1

I had to create ~/.ssh/config and add these lines to it.

Host 123.123.123.123
    KexAlgorithms=+diffie-hellman-group-exchange-sha1
Host 123.123.123.123
    HostKeyAlgorithms=+ssh-rsa
1
1

Just to specify the most concise way of adding more than one cipher in ~/.ssh/config:

Host oldserver
    # solve the "host key" error on ancient server
    HostKeyAlgorithms=+ssh-rsa,ssh-dss
    # use key and eliminate password prompt on ancient server
    PubkeyAcceptedAlgorithms=+ssh-rsa,ssh-dss
    0

    I was having problems connecting Ubuntu with the protostar vmbox. Accomplished it by running this command:

    ssh -v -oHostKeyAlgorithms=+ssh-rsa -p 2222 [email protected]

    With this network config in the vmbox:
    Name: SSH
    Protocol: TCP
    Host IP: 127.0.0.1
    Host Port: 2222
    Guest IP: 10.0.2.15
    Guest Port: 22
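
The answers above all re-enable legacy algorithms by hand. As an added example (not code from any of the posts), this Python sketch reads the ssh error or `-v` output and emits a `Host`-scoped stanza that enables only one legacy algorithm per option, so the weakening stays confined to the old server. The function name, the preference ordering, the sample output and the assumption that the client key is RSA are all this example's own.

```python
import re

# ssh_config option for each negotiation failure OpenSSH reports.
OPTION_FOR = {"host key type": "HostKeyAlgorithms",
              "key exchange method": "KexAlgorithms"}

# Legacy algorithms in the order this example prefers them (an assumption);
# only the first one the server actually offers is enabled.
PREFERENCE = {
    "HostKeyAlgorithms": ["ssh-rsa", "ssh-dss"],
    "KexAlgorithms": ["diffie-hellman-group14-sha1",
                      "diffie-hellman-group-exchange-sha1",
                      "diffie-hellman-group1-sha1"],
}

NEGOTIATE_RE = re.compile(
    r"no matching (host key type|key exchange method) found\. Their offer: (.+)")

def config_stanza(host, ssh_output):
    """Build a Host-scoped ssh_config block from ssh error / -v output."""
    chosen = {}
    for line in ssh_output.splitlines():
        m = NEGOTIATE_RE.search(line)
        if m:
            option = OPTION_FOR[m.group(1)]
            offered = [alg.strip() for alg in m.group(2).split(",")]
            pick = next((a for a in PREFERENCE[option] if a in offered), None)
            if pick:
                chosen[option] = pick
        elif "no mutual signature algorithm" in line:
            # Assumes the client key is RSA (id_rsa), as in the question.
            chosen["PubkeyAcceptedAlgorithms"] = "ssh-rsa"
    if not chosen:
        return ""
    body = [f"    {opt} +{alg}" for opt, alg in chosen.items()]
    return "\n".join([f"Host {host}"] + body) + "\n"

# Constructed sample: messages from successive attempts against one old server.
SAMPLE = """\
Unable to negotiate with 192.0.2.10 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
Unable to negotiate with 192.0.2.10 port 22: no matching host key type found. Their offer: ssh-rsa, ssh-dss
debug1: send_pubkey_test: no mutual signature algorithm
"""

if __name__ == "__main__":
    print(config_stanza("192.0.2.10", SAMPLE), end="")
```

The `Host` pattern is matched against the name typed on the ssh command line, so pass the DNS name rather than the IP if that is how you connect.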
