If you are attempting to ssh to a server and receive an error like the one below, it means the server-side ssh daemon only supports a cryptographically weaker algorithm that your client no longer accepts by default.
Unable to negotiate with 192.168.2.1 port 22: no matching host key type found. Their offer: ssh-rsa
If you still wish to connect, you can provide this option on the command line:
ssh -oHostKeyAlgorithms=+ssh-rsa myuser@192.168.2.1
Or you can add these options to your ~/.ssh/config, scoped to that one host:
cat <<EOF >> ~/.ssh/config
Host 192.168.2.1
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa
EOF
Similarly, there are options for the other algorithm classes a legacy server might require. Each algorithm belongs to its own keyword, so the flag must match the class:
- -oKexAlgorithms=+diffie-hellman-group1-sha1 (key exchange)
- -oCiphers=+aes256-cbc (cipher)
- -oHostKeyAlgorithms=+ssh-dss (host key)
KexAlgorithms
If your ssh client initiation abruptly ends, enable verbosity (-v). If you see a message similar to "expecting SSH2_MSG_KEX_ECDH_REPLY", then you need to add a 'KexAlgorithms' option (key exchange algorithms).
ssh -v myuser@192.168.2.1
...
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
...

# can be resolved by adding the KEX algorithm
ssh -oKexAlgorithms=+ecdh-sha2-nistp521 myuser@192.168.2.1
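Rather than guessing which keyword a given error needs, the helper below (an added example, not from the original post) maps the client's "no matching ... found. Their offer: ..." message or the KEX stall symptom above to the one ssh_config directive that re-enables it, and wraps it in a per-Host stanza so the weak algorithm is never enabled globally. The function names and the sample messages are constructed; the message text follows OpenSSH's "Unable to negotiate" format.

```shell
#!/bin/sh
# Map an ssh client complaint to the narrowest client-side directive
# that re-enables what the server offers, and emit a per-Host stanza
# so the legacy algorithm is scoped to one host rather than all of them.
# Sample messages below are constructed from the OpenSSH error format.

ssh_legacy_directive() {
  line=$1
  case $line in
    *"Their offer: "*)
      # Everything after "Their offer: " is the server's comma-separated
      # list, which is valid as-is after a "+" in ssh_config.
      offer=${line##*Their offer: }
      offer=${offer%%[[:space:]]*}
      case $line in
        *"no matching host key type found"*)       kw=HostKeyAlgorithms ;;
        *"no matching key exchange method found"*) kw=KexAlgorithms ;;
        *"no matching cipher found"*)              kw=Ciphers ;;
        *"no matching MAC found"*)                 kw=MACs ;;
        *) return 1 ;;
      esac
      printf '%s +%s\n' "$kw" "$offer"
      ;;
    *"expecting SSH2_MSG_KEX_ECDH_REPLY"*)
      # Symptom seen under -v when key exchange stalls; the post's workaround.
      printf 'KexAlgorithms +ecdh-sha2-nistp521\n'
      ;;
    *) return 1 ;;   # not an algorithm-negotiation problem
  esac
}

ssh_legacy_stanza() {
  # $1 = host pattern, remaining args = directives from ssh_legacy_directive
  host=$1; shift
  printf 'Host %s\n' "$host"
  for d in "$@"; do printf '    %s\n' "$d"; done
}

# Example: build the stanza for the error message in the post (constructed input)
msg='Unable to negotiate with 192.168.2.1 port 22: no matching host key type found. Their offer: ssh-rsa'
ssh_legacy_stanza 192.168.2.1 "$(ssh_legacy_directive "$msg")"
```

Append the printed stanza to ~/.ssh/config only for the host in question; the lasting fix is still to update the server's sshd so it offers current algorithms.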