Unable to negotiate ssh2 key algorithm

We use Linux clients with ssh2 and they all have OpenSSH 7.0 or newer. When connecting to our EXOS switches we get this error:

Unable to negotiate with x.x.x.x port 22: no matching
host key type found. Their offer: ssh-dss

The switches use XOS 16.1.x and I have also tested with 16.2. Same result!

OpenSSH 7.0 and greater similarly disable the ssh-dss (DSA) public key algorithm. It is weak and not recommended.
Because of this we need to disable ssh-dss on the switches but is it possible? I know that more ssh2 variables can be changed and configured in XOS 21.1 and when using 21.1 we don't get the error about ssh-dss. Great, but I have very few G2 switches so I have to stick with 16.x for a long time.

Ssh2 Secure mode has also been tested but it didn't solve the problem with ssh-dss.

Has anybody else any experience with this on XOS 16.2 or lower versions?

6 replies

Userlevel 2
Hi Ihuso,

ExtremeXOS 16.1 and earlier versions generated DSA-2048 keys using ssh-keygen provided by the SSH-Toolkit library. Starting with ExtremeXOS 21.1, ExtremeXOS generates more secure RSA-2048 keys.

As you said, OpenSSH 7.0 disables ssh-DSS keys by default. The clients use RSA for negotiating, which is not supported in EXOS 16.1 and earlier, and that is why we are getting the following error message.

Unable to negotiate with x.x.x.x port 22: no matching
host key type found. Their offer: ssh-DSS
Thanks for your reply.

So the final question is: What about 16.2?
Userlevel 2
As I said, ExtremeXOS 16.1 and earlier versions use DSA; later versions like 16.2 and 21.1 generate more secure RSA keys.

Thank you
But we get the same error in 16.2 even if we use Secure mode!
Userlevel 2
I believe configuring ssh will help us to resolve the issue (configure ssh2 key), because 16.2 has backward compatibility to DSA.
Please let me know whether the above helped to resolve the issue.
Userlevel 4
Hello lhuso,

Put the following lines into your client's ssh config file "~/.ssh/config":

Host [i]
HostKeyAlgorithms +ssh-dss
KexAlgorithms +diffie-hellman-group1-sha1

Best Regards,
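
Added example, not part of the thread or of any poster's reply: a small audit that parses an OpenSSH client config and reports where the two legacy algorithms from the workaround above are re-enabled, flagging blocks whose Host pattern is a wildcard so the exception can be kept to the old switches only. The sample config, host names and addresses are constructed placeholders.

```python
import re

# Legacy algorithms from this thread that OpenSSH 7.0+ disables by default.
LEGACY = {
    "hostkeyalgorithms": {"ssh-dss"},
    "kexalgorithms": {"diffie-hellman-group1-sha1"},
}

def is_broad(patterns):
    """True if the block can match hosts other than the ones named."""
    return any(p.lower() == "match all" or "*" in p or "?" in p for p in patterns)

def audit_ssh_config(text):
    """Return (line_no, scope, keyword, algorithm, broad) per re-enabled legacy algorithm."""
    findings = []
    scope = ["*"]  # options before the first Host line apply to every host
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts both "Keyword value" and "Keyword=value".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "host":
            scope = value.split()
        elif keyword == "match":
            scope = ["Match " + value]
        elif keyword in LEGACY and not value.startswith("-"):
            # "+" appends and "^" prepends to the defaults; a bare list replaces them.
            enabled = set(value.lstrip("+^").split(","))
            for algo in sorted(enabled & LEGACY[keyword]):
                findings.append((line_no, " ".join(scope), keyword, algo, is_broad(scope)))
    return findings

# Constructed sample config; host names and addresses are placeholders.
SAMPLE = """\
Host *
    KexAlgorithms +diffie-hellman-group1-sha1

Host exos-sw1 10.0.0.*
    HostKeyAlgorithms +ssh-dss

Host exos-sw2
    HostKeyAlgorithms=+ssh-dss
    KexAlgorithms +diffie-hellman-group1-sha1
"""

if __name__ == "__main__":
    for line_no, scope, keyword, algo, broad in audit_ssh_config(SAMPLE):
        label = "BROAD" if broad else "scoped"
        print(f"line {line_no}: [{label}] scope {scope}: {keyword} enables {algo}")
```

Findings marked BROAD are the ones to narrow to explicit switch names, so that every other server the client talks to keeps the OpenSSH defaults.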