https://community.extremenetworks.com/t5/extremeswitching-exos-switch/unable-to-negotiate-ssh2-key-algorithm/m-p/38365#M8261 Hi Ihuso,<BR /> <BR /> ExtremeXOS 16.1 and earlier versions generated DSA-2048 keys using ssh-keygen provided by a theSSH-Toolkit library. Starting with ExtremeXOS 21.1, ExtremeXOS generates more secure RSA-2048 keys.<BR /> <BR /> As you said, In OpenSSH 7.0 disables ssh-DSS keys by default, they are using RSA for negotiating and it will not support in EXOS 16.1 and earlier is that we are getting the following error message.<BR /> <BR /> Unable to negotiate with x.x.x.x port 22: no matching<BR /> host key type found. Their offer: ssh-DSS<BR /> <BR /> Thu, 22 Dec 2016 20:05:00 GMT Baskar 2016-12-22T20:05:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/unable-to-negotiate-ssh2-key-algorithm/m-p/38364#M8260 We use Linux clients with ssh2 and they all have OpenSSH 7.0 or newer. When connecting to our EXOS switches we get this error:<BR /> <BR /> Unable to negotiate with x.x.x.x port 22: no matching<BR /> host key type found. Their offer: ssh-dss<BR /> <BR /> The switches use XOS 16.1.x and I have also tested with 16.2. Same result!<BR /> <BR /> OpenSSH 7.0 and greater similarly disable the ssh-dss (DSA) public key algorithm. It is week and not recommended. <BR /> Because of this we need to disable ssh-dss on the switches but is it possible? I know that more ssh2 variables can be changed and configured in XOS 21.1 and when using 21.1 we don't get the error about ssh-dss. Great, but I have very few G2 switches so I have to stick with 16.x for a long time.<BR /> <BR /> Ssh2 Secure mode have also been tested but it didn't solve the problem with ssh-dss.<BR /> <BR /> Have anybody else any experience with this on XOS 16.2 or lower versions?<BR /> Thu, 22 Dec 2016 18:13:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/unable-to-negotiate-ssh2-key-algorithm/m-p/38364#M8260 lhuso 2016-12-22T18:13:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/unable-to-negotiate-ssh2-key-algorithm/m-p/38365#M8261 Hi Ihuso,<BR /> <BR /> ExtremeXOS 16.1 and earlier versions generated DSA-2048 keys using ssh-keygen provided by a theSSH-Toolkit library. Starting with ExtremeXOS 21.1, ExtremeXOS generates more secure RSA-2048 keys.<BR /> <BR /> As you said, In OpenSSH 7.0 disables ssh-DSS keys by default, they are using RSA for negotiating and it will not support in EXOS 16.1 and earlier is that we are getting the following error message.<BR /> <BR /> Unable to negotiate with x.x.x.x port 22: no matching<BR /> host key type found. Their offer: ssh-DSS<BR /> <BR /> Thu, 22 Dec 2016 20:05:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/unable-to-negotiate-ssh2-key-algorithm/m-p/38365#M8261 Baskar 2016-12-22T20:05:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/unable-to-negotiate-ssh2-key-algorithm/m-p/38366#M8262 Thanks for your reply. <BR /> <BR /> So the final question is: What about 16.2? Thu, 22 Dec 2016 20:56:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/unable-to-negotiate-ssh2-key-algorithm/m-p/38366#M8262 lhuso 2016-12-22T20:56:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/unable-to-negotiate-ssh2-key-algorithm/m-p/38367#M8263 As I said ExtremeXOS 16.1 and earlier versions using DSA, the later versions like 16.2 and 21.1 ExtremXOS generates more secure using RSA keys.<BR /> <BR /> thank you <BR /> <BR /> Thu, 22 Dec 2016 21:12:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/unable-to-negotiate-ssh2-key-algorithm/m-p/38367#M8263 Baskar 2016-12-22T21:12:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/unable-to-negotiate-ssh2-key-algorithm/m-p/38368#M8264 But we get the same error in 16.2 even if we use Secure mode!<BR /> <BR /> Thu, 22 Dec 2016 21:17:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/unable-to-negotiate-ssh2-key-algorithm/m-p/38368#M8264 lhuso 2016-12-22T21:17:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/unable-to-negotiate-ssh2-key-algorithm/m-p/38369#M8265 I Belive configuring ssh will help us to resolve the issue (configure ssh2 key), because 16.2 has backward compatibility to DSA.<BR /> please let me know above one helped to resolve the issue.<BR /> <BR /> Fri, 23 Dec 2016 14:07:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/unable-to-negotiate-ssh2-key-algorithm/m-p/38369#M8265 Baskar 2016-12-23T14:07:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/unable-to-negotiate-ssh2-key-algorithm/m-p/38370#M8266 Hello lhuso,<BR /> <BR /> Put next lines into your client's ssh config file "~/.ssh/config" <BR /> <BR /> Host <I> <BR /> HostKeyAlgorithms +ssh-dss <BR /> KexAlgorithms +diffie-hellman-group1-sha1 <BR /> <BR /> Best Regards,<BR /> Nikolay</I> Fri, 23 Dec 2016 17:42:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/unable-to-negotiate-ssh2-key-algorithm/m-p/38370#M8266 Necheporenko__N 2016-12-23T17:42:00Z