Unable to negotiate ssh2 key algorithm

  • Problem
  • Updated 1 year ago
  • Solved
We use Linux clients with ssh2 and they all have OpenSSH 7.0 or newer. When connecting to our EXOS switches we get this error:

Unable to negotiate with x.x.x.x port 22: no matching
host key type found. Their offer: ssh-dss

The switches use XOS 16.1.x and I have also tested with 16.2. Same result!

OpenSSH 7.0 and greater similarly disable the ssh-dss (DSA) public key algorithm. It is weak and not recommended.
Because of this we need to disable ssh-dss on the switches but is it possible? I know that more ssh2 variables can be changed and configured in XOS 21.1 and when using 21.1 we don't get the error about ssh-dss. Great, but I have very few G2 switches so I have to stick with 16.x for a long time.

Ssh2 Secure mode has also been tested but it didn't solve the problem with ssh-dss.

Has anybody else any experience with this on XOS 16.2 or lower versions?

lhuso


Posted 1 year ago


Baskar, Employee

Hi lhuso,

ExtremeXOS 16.1 and earlier versions generated DSA-2048 keys using ssh-keygen provided by the SSH-Toolkit library. Starting with ExtremeXOS 21.1, ExtremeXOS generates more secure RSA-2048 keys.

As you said, OpenSSH 7.0 disables ssh-DSS keys by default. They are using RSA for negotiating, and it is not supported in EXOS 16.1 and earlier, which is why we are getting the following error message.

Unable to negotiate with x.x.x.x port 22: no matching
host key type found. Their offer: ssh-DSS

lhuso

Thanks for your reply. 

So the final question is: What about 16.2?

Baskar, Employee

As I said, ExtremeXOS 16.1 and earlier versions use DSA; in the later versions like 16.2 and 21.1, ExtremeXOS generates more secure RSA keys.

Thank you

lhuso

But we get the same error in 16.2 even if we use Secure mode!

Baskar, Employee

I believe configuring ssh will help us to resolve the issue (configure ssh2 key), because 16.2 has backward compatibility with DSA.
Please let me know if the above helped to resolve the issue.

Necheporenko, Nikolay, Employee

Hello lhuso,

Put the following lines into your client's ssh config file "~/.ssh/config":

Host <ip_address> 
HostKeyAlgorithms +ssh-dss 
KexAlgorithms +diffie-hellman-group1-sha1 

Best Regards,
Nikolay
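
The client-side workaround in the answer above, as an added example that is not part of the original thread and is not Extreme or OpenSSH code: it reads OpenSSH "Unable to negotiate" errors (including the line-wrapped form quoted in the question) and emits one Host block per device, so the legacy algorithms are re-enabled only for the switches that need them rather than for every connection. It goes slightly beyond the thread by also mapping cipher and MAC mismatches. The function names and the 192.0.2.10 address are assumptions made for the example.

```python
import re

# Failure reason printed by the OpenSSH client -> ssh_config option governing it.
REASON_TO_OPTION = {
    "no matching host key type found": "HostKeyAlgorithms",
    "no matching key exchange method found": "KexAlgorithms",
    "no matching cipher found": "Ciphers",
    "no matching MAC found": "MACs",
}

NEGOTIATE_RE = re.compile(
    r"Unable to negotiate with (?P<host>\S+?)(?: port (?P<port>\d+))?: "
    r"(?P<reason>no matching [^.]+ found)\. Their offer: (?P<offer>\S+)"
)


def parse_failures(text):
    """Return {host: {option: [algorithms]}} from OpenSSH client error text."""
    flat = " ".join(text.split())  # undo terminal line wrapping
    hosts = {}
    for m in NEGOTIATE_RE.finditer(flat):
        option = REASON_TO_OPTION.get(m["reason"])
        if option is None:
            continue  # e.g. compression mismatch: not handled here
        algs = hosts.setdefault(m["host"], {}).setdefault(option, [])
        for alg in m["offer"].split(","):
            if alg and alg not in algs:
                algs.append(alg)
    return hosts


def render_config(hosts):
    """Emit one Host block per device so nothing is re-enabled globally."""
    lines = []
    for host, options in hosts.items():
        lines.append(f"Host {host}")
        for option, algs in options.items():
            # "+" appends to the client's default list instead of replacing it.
            lines.append(f"    {option} +{','.join(algs)}")
    return "\n".join(lines)


# Constructed sample input: the two errors a client hits in turn against one switch.
SAMPLE = """\
Unable to negotiate with 192.0.2.10 port 22: no matching
host key type found. Their offer: ssh-dss
Unable to negotiate with 192.0.2.10 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
"""

if __name__ == "__main__":
    print(render_config(parse_failures(SAMPLE)))
```

When a server offers several algorithms, all of them are listed; trim the line to the strongest one the device supports before saving it.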