SSH to CentOS 6 Server – Error “No Matching Host Key Type Found”
I just wanted to share a fix for the annoying SSH error you get on older versions of Linux. I got this error when connecting to a CentOS 6.9 x64 vanilla installation.
Step 1 – Validate the Error
When you attempt to SSH to the server you will get this error:
ssh [email protected]
Unable to negotiate with 69.28.67.189 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
# Note: This IP address no longer exists
This error means there’s a mismatch between the host key algorithms the SSH client (OpenSSH) is willing to accept and the ones the server (CentOS 6.9) is offering.
- Host Keys: When you connect to a server via SSH, the server presents a unique “host key.” My local laptop stores this key and verifies it on subsequent connections to ensure you’re talking to the same server (and not a malicious imposter, i.e. a man-in-the-middle attack).
- Algorithms: There are different cryptographic algorithms for generating and signing with host keys. Older versions of SSH (like the one used on the CentOS 6.9 server) offer outdated or less secure algorithms, like ssh-rsa (RSA keys with SHA-1 signatures) and ssh-dss (DSA). Newer clients prioritize stronger algorithms and may refuse connections if only weaker options are available.
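To see exactly which algorithms are in dispute, the following shell function (an added example, not part of the original post) takes the “Their offer:” error line and the list of host key algorithms your client accepts, and prints the server algorithms your client rejects. The sample error line is the one from above; the client list is a constructed, trimmed one, and the `ssh -G` pipeline mentioned in the comment is the assumed way to get the real list on your machine.

```shell
#!/bin/sh
# Added example, not from the original post: compare the algorithms in the
# "Their offer:" part of the ssh error with the host key algorithms your
# client is willing to accept, and print the ones the client rejects.
# Each name printed is one you would have to re-enable (as Step 2 does
# with +ssh-dss) or one the server should stop relying on.
#
# Usage: offered_minus_accepted "<full error line>" "<comma-separated client list>"
# On a real machine the client list comes from (assumed usage of ssh -G):
#   ssh -G some.host | awk '/^hostkeyalgorithms /{print $2}'
offered_minus_accepted() (
    offer=$(printf '%s\n' "$1" | sed -n 's/.*Their offer: *//p')
    accepted=",$2,"          # wrap in commas so ",ssh-rsa," cannot match "rsa-sha2-256"
    missing=""
    IFS=','                  # function body is a subshell, so the IFS change stays local
    for alg in $offer; do
        case "$accepted" in
            *",$alg,"*) ;;   # client already accepts this one
            *) missing="${missing:+$missing,}$alg" ;;
        esac
    done
    printf '%s\n' "$missing"
)

# Constructed input: the error line from Step 1 and a trimmed modern client list.
SAMPLE_ERROR='Unable to negotiate with 69.28.67.189 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss'
SAMPLE_CLIENT='ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256'

offered_minus_accepted "$SAMPLE_ERROR" "$SAMPLE_CLIENT"   # ssh-rsa,ssh-dss
```

An empty result means the two lists overlap and the failure is somewhere else (for example a HostKeyAlgorithms restriction in your own config); a non-empty result is the exact set of names the error is complaining about.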
Step 2 – How to Fix the Error
This command temporarily overrides your client’s default behavior:
ssh -oHostKeyAlgorithms=+ssh-dss [email protected]
#Example Output
#The authenticity of host '69.28.67.189 (69.28.67.189)' can't be established.
#DSA key fingerprint is SHA256:TBH5kXiO1PwljvFLAduE1+ddrCRjtxESeRo8O2K+FCs.
#This key is not known by any other names
#Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
#Warning: Permanently added '69.28.67.189' (DSA) to the list of known hosts.
[email protected]'s password:
[root@CentosEOLDEMO ~]#
-oHostKeyAlgorithms=+ssh-dss: Tells your SSH client to add ssh-dss to its default list of acceptable host key algorithms (the leading + appends to the defaults rather than replacing them). This lets it negotiate successfully with the older CentOS server, for this one connection only.
Step 3 – Need a Permanent Fix?
If you need this fix to be permanent, you can update your SSH config files to always allow ssh-dss. While not always the best security practice, some users may have no other choice but to do this.
Client-Side Configuration (Less Secure):
You can modify your SSH client configuration (~/.ssh/config) to permanently accept ssh-dss. This is the simplest solution, but it’s important to be aware that it lowers your security slightly.
- Edit Config: Open your SSH config file (~/.ssh/config) in a text editor. If it doesn’t exist, create it.
- Add Lines: Add the following lines to the file (keep the comment on its own line rather than after the Host entry, so it cannot be read as part of the host pattern):
# Replace the address with your server's IP or hostname
Host 69.28.67.189
    HostKeyAlgorithms +ssh-dss
- Save: Save the file and exit. Now, your client will always accept ssh-dss when connecting to that specific server, and only that server.
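The stanza above is easy to get wrong when scripted (duplicated on every run, or written to a config file with permissions ssh rejects). The following shell function is an added example, not part of the original post: it appends the per-host stanza to a client config file, creates the file with 600 permissions if needed, and skips the append when the stanza is already present. The function and file names are my own, and the demo writes to a throwaway temporary file rather than your real ~/.ssh/config.

```shell
#!/bin/sh
# Added example, not from the original post: append a per-host stanza that
# re-enables ssh-dss for ONE server to an ssh client config, creating the
# file with safe permissions and skipping the append if the stanza is
# already there (so re-running does not pile up duplicates).
#
# Usage: allow_dss_for_host HOST [CONFIG_FILE]   (default: ~/.ssh/config)
allow_dss_for_host() {
    host=$1
    cfg=${2:-"$HOME/.ssh/config"}
    dir=$(dirname "$cfg")
    # Only create (and lock down) the directory if it is missing; never chmod
    # a directory that already exists, e.g. /tmp when a test file is used.
    if [ ! -d "$dir" ]; then
        mkdir -p "$dir" && chmod 700 "$dir"
    fi
    [ -f "$cfg" ] || : > "$cfg"
    chmod 600 "$cfg"            # ssh refuses a config that others can write
    # -x matches the whole line and -F takes the host literally, so
    # "Host 69.28.67.189" matches neither "Host 69.28.67.1890" nor "Host 69x28x67x189".
    if grep -qxF "Host $host" "$cfg"; then
        echo "stanza for $host already present in $cfg"
        return 0
    fi
    printf '\nHost %s\n    HostKeyAlgorithms +ssh-dss\n' "$host" >> "$cfg"
    echo "added ssh-dss stanza for $host to $cfg"
}

# How many "Host X" lines the file holds for a given host (prints 0 when none).
stanza_count() {
    grep -cxF "Host $1" "$2" || true
}

# Demo against a throwaway file so running this does not touch your real config.
demo=$(mktemp -d)
allow_dss_for_host 69.28.67.189 "$demo/config"
allow_dss_for_host 69.28.67.189 "$demo/config"   # second run is a no-op
cat "$demo/config"
rm -rf "$demo"
```

Scoping the stanza to a single Host entry is the point: a bare `HostKeyAlgorithms +ssh-dss` at the top of the file would re-enable DSA for every server you connect to.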
Server-Side Configuration (Recommended):
This involves updating the SSH configuration on your CentOS 6.9 server. Check first that the OpenSSH build on the server supports the key type you want to switch to (run ssh -V on the server): ECDSA host keys need OpenSSH 5.7 or later and Ed25519 needs 6.5 or later, and the “Their offer” list in Step 1 shows which types the server currently has. If you comment out the old keys and sshd cannot load the new one, it will have no host key at all, so keep your current session open until a fresh login works.
- SSH Configuration: Edit the SSH daemon configuration file, usually located at /etc/ssh/sshd_config.
- HostKey Line: Look for the lines starting with HostKey. Comment out any lines using ssh-dss or ssh-rsa keys and add a line for a more secure algorithm, like:
# ECDSA key
HostKey /etc/ssh/ssh_host_ecdsa_key
# Or an Ed25519 key
HostKey /etc/ssh/ssh_host_ed25519_key
Keep comments on their own lines: older sshd versions, including the OpenSSH 5.3 shipped with CentOS 6, treat text after the key path as “garbage at end of line” and refuse to start.
- Generate Keys: If the specified keys don’t exist, generate them with these commands (with an empty passphrase, since sshd has to read the key unattended):
ssh-keygen -t ecdsa -N '' -f /etc/ssh/ssh_host_ecdsa_key
# Or
ssh-keygen -t ed25519 -N '' -f /etc/ssh/ssh_host_ed25519_key
- Restart SSHD: Check the configuration with sshd -t first, then restart the SSH daemon to apply the changes:
service sshd restart
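Before restarting sshd it is worth catching the two mistakes that lock you out: a trailing comment on a HostKey line and a HostKey path for a key that was never generated. The following shell function is an added example, not part of the original post; the function name is mine, and the demo builds a small sshd_config in a temporary directory (constructed input) instead of reading /etc/ssh.

```shell
#!/bin/sh
# Added example, not from the original post: check the active HostKey lines
# of an sshd_config before restarting sshd.  It flags two mistakes that
# leave you with a daemon that will not start or has no usable host key:
#   - text after the key path (a trailing "# comment"): older sshd versions,
#     including OpenSSH 5.3 on CentOS 6, abort with "garbage at end of line"
#   - a key file that does not exist yet (ssh-keygen was not run)
# Prints the problems and returns 1 if any were found, otherwise returns 0.
#
# Usage: check_hostkeys /etc/ssh/sshd_config
check_hostkeys() {
    cfg=$1
    problems=$(
        # Keep only uncommented HostKey directives.
        grep -E '^[[:space:]]*HostKey[[:space:]]' "$cfg" |
        while read -r _keyword path rest; do
            [ -n "$rest" ] && echo "trailing text after HostKey $path: '$rest'"
            [ -f "$path" ] || echo "missing key file: $path (run ssh-keygen first)"
        done
    )
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems"
        return 1
    fi
    echo "HostKey lines in $cfg look OK"
}

# Demo with a constructed config in a temporary directory, so the example
# runs without touching /etc/ssh.  The first line shows the inline-comment
# mistake, the second a key that was never generated.
demo=$(mktemp -d)
: > "$demo/ssh_host_ecdsa_key"
cat > "$demo/sshd_config" <<EOF
HostKey $demo/ssh_host_ecdsa_key # ECDSA key
HostKey $demo/ssh_host_ed25519_key
#HostKey /etc/ssh/ssh_host_dsa_key
EOF
check_hostkeys "$demo/sshd_config" || echo "fix these before running: service sshd restart"
rm -rf "$demo"
```

This only checks the HostKey lines; run sshd -t on the server as well, since it parses the whole file with the exact sshd version that will load it.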
Upgrading CentOS (Best Long-Term Solution):
If possible, upgrading your CentOS server to a newer version (CentOS 7 or 8) is the best long-term solution. This would provide:
- Security: Newer OpenSSH versions with stronger default algorithms.
- Maintenance: Continued updates and support for your operating system.
Why It Happens
This issue arises due to a combination of factors:
- Older Server: CentOS 6.9 is an older distribution, and its SSH configuration has outdated defaults.
- Security Updates: Your SSH client (and modern OpenSSH in general) has been updated over time to prioritize stronger security. It may disable or deprecate older algorithms, like ssh-rsa and ssh-dss, due to potential vulnerabilities.
Important Considerations:
- Temporary Solution: The command you used is a workaround. It’s not ideal for long-term use because ssh-dss is considered less secure.
- Upgrading: If possible, consider upgrading your CentOS server to a newer version. This would likely allow it to use more modern and secure host key algorithms.
- Alternative: If upgrading isn’t an option, you can configure your client to permanently accept ssh-dss. However, do so with caution, as it might weaken the security of your SSH connections.