no matching host key type found

el_lascar@bluewin.ch
Posts: 3
Joined: 2021/11/22 14:20:57

no matching host key type found

Post by el_lascar@bluewin.ch » 2021/11/22 16:50:11

Hello everyone,

I have the problem mentioned on:
Centos 7.4
OpenSSH_7.4p1

Following this tutorial: https://www.infosecmatter.com/solution- ... te-errors/

I added the missing keys, but sometimes, following an SFTP connection to the server, I get these two errors again:

Nov 22 17:08:08 xxx sshd[2028]: Unable to negotiate with xx.xx.xx.xx port 45975: no matching host key type found. Their offer: sk-ssh-ed25519@openssh.com [preauth]
Nov 22 17:08:23 xxx sshd[2045]: Unable to negotiate with xx.xx.xx.xx port 2068: no matching host key type found. Their offer: sk-ecdsa-sha2-nistp256@openssh.com [preauth]
These two keys are in my file.

Below is my /etc/ssh_config; I added the key at the end of my config file:

Ciphers 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,arcfour128,arcfour256,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
MACs hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-512,hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-ripemd160@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com
HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,curve25519-sha256,curve25519-sha256@libssh.org,gss-gex-sha1-,gss-group1-sha1-,gss-group14-sha1-
I verified my file several times but I cannot find where the error is...

Is there a problem/mismatch in my config file?
Is my openssh obsolete?
Do I have to upgrade ssh?

Thanks in advance for your help!

Jean

tunk
Posts: 1204
Joined: 2017/02/22 15:08:17

Re: no matching host key type found

Post by tunk » 2021/11/22 17:32:41

Don't know what your problem is, but 7.4 is a few years out of
date with many security problems. Run yum update to get 7.9.

el_lascar@bluewin.ch
Posts: 3
Joined: 2021/11/22 14:20:57

Re: no matching host key type found

Post by el_lascar@bluewin.ch » 2021/11/23 14:07:46

OK,

thanks for your reply.
I found several sources that say it is not easy to do a major upgrade of openssh:

viewtopic.php?f=48&t=76252

At the very end of this post it is mentioned that it can be risky to update openssh to a major version:
probably someone told him there is a newer version out, and both don't understand what CentOS is about (keeping the same version for the duration of the support life span).
you can't upgrade openssh, it would require a recompile of most of the operating system core...
Higher up in the same post, it is proposed to apply the latest fix:
Why do you want to update? Please see the output from rpm -q --changelog openssh to see what fixes have been applied on top of the 7.4 base.
I think I will start with this, but I have no idea if this will fix my problem, as my current system seems to have detected that it supports the following keys: sk-ssh-ed25519@openssh.com, sk-ecdsa-sha2-nistp256@openssh.com

However, after adding them to my configuration, the following error messages keep appearing in the log:

Nov 22 17:08:08 xxx sshd[2028]: Unable to negotiate with xx.xx.xx.xx port 45975: no matching host key type found. Their offer: sk-ssh-ed25519@openssh.com [preauth]
Nov 22 17:08:23 xxx sshd[2045]: Unable to negotiate with xx.xx.xx.xx port 2068: no matching host key type found. Their offer: sk-ecdsa-sha2-nistp256@openssh.com [preauth]
I don't know if I made a mistake in my configuration, that is the question...

Do I have to add: sk-ssh-ed25519@openssh.com, sk-ecdsa-sha2-nistp256@openssh.com
or only ssh-ed25519 AND ecdsa-sha-nistp256 in my config file?

Maybe a stupid question of syntax...

Thanks again for your suggestions and best regards! :-)
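As an added triage example (not code from the thread or from the OpenSSH project), the script below parses sshd "Unable to negotiate" lines like the ones quoted above and reports which offered host key algorithms are absent from the posted HostKeyAlgorithms list, so an admin can see at a glance that these clients offer only sk-* types. The sk-* names are FIDO security-key algorithms that OpenSSH introduced in 8.2, so an OpenSSH 7.4 sshd cannot negotiate them whatever the config file lists; the sample log lines, PIDs and IP addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the lines quoted in the thread
# (RFC 5737 documentation addresses, invented PIDs).
SAMPLE_LOG = """\
Nov 22 17:08:08 xxx sshd[2028]: Unable to negotiate with 192.0.2.10 port 45975: no matching host key type found. Their offer: sk-ssh-ed25519@openssh.com [preauth]
Nov 22 17:08:23 xxx sshd[2045]: Unable to negotiate with 192.0.2.10 port 2068: no matching host key type found. Their offer: sk-ecdsa-sha2-nistp256@openssh.com [preauth]
Nov 22 17:09:01 xxx sshd[2051]: Unable to negotiate with 192.0.2.11 port 50122: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Nov 22 17:09:30 xxx sshd[2060]: Accepted publickey for jean from 192.0.2.12 port 40000 ssh2: ED25519 SHA256:constructed
"""

# The HostKeyAlgorithms value exactly as posted in the thread.
CONFIGURED_HOST_KEY_ALGS = (
    "ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ssh-rsa,ssh-dss,"
    "ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,"
    "ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,"
    "ecdsa-sha2-nistp256-cert-v01@openssh.com,"
    "ecdsa-sha2-nistp384-cert-v01@openssh.com,"
    "ecdsa-sha2-nistp521-cert-v01@openssh.com"
)

# sshd logs "no matching <thing> found. Their offer: <comma list>" for host key
# types, key exchange methods, ciphers and MACs; older builds omit the port.
NEGOTIATE_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Unable to negotiate with (?P<ip>\S+)"
    r"(?: port (?P<port>\d+))?: no matching (?P<what>.+?) found\. "
    r"Their offer: (?P<offer>\S+)"
)


def parse_negotiation_failures(log_text):
    """Return one dict per 'Unable to negotiate' line; 'offer' is a list."""
    events = []
    for line in log_text.splitlines():
        m = NEGOTIATE_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["offer"] = ev["offer"].split(",")
            events.append(ev)
    return events


def unsupported_host_key_offers(events, configured):
    """Count each offered host key algorithm missing from HostKeyAlgorithms."""
    supported = set(configured.split(","))
    counts = Counter()
    for ev in events:
        if ev["what"] != "host key type":
            continue  # kex/cipher/MAC mismatches are a separate problem
        for alg in ev["offer"]:
            if alg not in supported:
                counts[alg] += 1
    return dict(counts)
```

Compare against what the binary actually implements with `ssh -Q key` on the server rather than against the config file, since sshd rejects algorithm names it does not know.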

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: no matching host key type found

Post by TrevorH » 2021/11/23 16:27:32

We're not suggesting you do an upgrade of openssh. What is being pointed out is that CentOS 7.4 is ancient (2017) and out of date and you have not updated it in more than 4 years. You are missing numerous high severity patches that have come out in the 4 point releases of CentOS 7 that have come out since yours. You need to yum update your system to the currently available 7.9.2009 plus the various patches that have been released since it came out.

You should not be leaving systems unpatched for 4 years at a time. Patches come out all the time and you should be checking at least weekly to see if anything needs attention.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
