Extreme Networks

lhuso · ‎12-22-2016

We use Linux clients with ssh2 and they all have OpenSSH 7.0 or newer. When connecting to our EXOS switches we get this error:

Unable to negotiate with x.x.x.x port 22: no matching
host key type found. Their offer: ssh-dss

The switches use XOS 16.1.x and I have also tested with 16.2. Same result!

OpenSSH 7.0 and greater similarly disable the ssh-dss (DSA) public key algorithm. It is week and not recommended.
Because of this we need to disable ssh-dss on the switches but is it possible? I know that more ssh2 variables can be changed and configured in XOS 21.1 and when using 21.1 we don't get the error about ssh-dss. Great, but I have very few G2 switches so I have to stick with 16.x for a long time.

Ssh2 Secure mode have also been tested but it didn't solve the problem with ssh-dss.

Have anybody else any experience with this on XOS 16.2 or lower versions?

lhuso · ‎12-22-2016

Thanks for your reply.

So the final question is: What about 16.2?

Baskar · ‎12-22-2016

Hi Ihuso,

ExtremeXOS 16.1 and earlier versions generated DSA-2048 keys using ssh-keygen provided by a theSSH-Toolkit library. Starting with ExtremeXOS 21.1, ExtremeXOS generates more secure RSA-2048 keys.

As you said, In OpenSSH 7.0 disables ssh-DSS keys by default, they are using RSA for negotiating and it will not support in EXOS 16.1 and earlier is that we are getting the following error message.

Unable to negotiate with x.x.x.x port 22: no matching
host key type found. Their offer: ssh-DSS

Extreme Networks

Unable to negotiate ssh2 key algorithm

Unable to negotiate ssh2 key algorithm