Git error no matching host key type found. Their offer: ssh-rsa

Question

I get the following error when using git:

$ git pull
Unable to negotiate with 172.16.42.42 port 22: no matching host key type found. Their offer: ssh-rsa
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

How can I resolve this error?

Also discussed in https://public-inbox.org/git/CAHo1AWxzPsnLuT8JRWovtaRrGvRS8+0NyucU5K8VEnaL1xxW3Q@mail.gmail.com/T/#u — VonC, Jan 10 '22 at 23:56

score 383 · Accepted Answer · answered Nov 07 '21 at 19:21

383

With SSH, there are several different types of keys and RSA keys (the ssh-rsa) kind can support multiple kinds of signatures. The signature type ssh-rsa refers to RSA with SHA-1, whereas the signature type rsa-sha2-256 is RSA with SHA-256 and rsa-sha2-512 is RSA with SHA-512.

In the case of Azure DevOps, it only supports the kind of RSA with SHA-1, and SHA-1 is considered very weak. This essentially means that there are no secure ways to connect to it over SSH, and until they fix that, you're better off using HTTPS or a different hosting service. GitHub, GitLab, and Bitbucket all support secure methods of authentication.

If you really need to use SSH with Azure DevOps at the moment, you can add an entry to your ~/.ssh/config file to work around this:

Host ssh.dev.azure.com
    User git
    PubkeyAcceptedAlgorithms +ssh-rsa
    HostkeyAlgorithms +ssh-rsa

However, be aware that this is a workaround and it's known to be insecure, so you should contact Azure DevOps about this problem and switch to HTTPS until they do, or move elsewhere.

answered Nov 07 '21 at 19:21

bk2204

64,793
6
84
100

And it maybe worth checking every season or two and removing if the host is ever updated to support better cyphers. – Tomachi Jan 10 '22 at 10:50
4

I got this issue after Cygwin's git updated 2.32 => 2.34, this answer fixed it, thank you! – okharch Jan 11 '22 at 06:04
This helped a colleague with a very recent Git installation, connecting to Azure DevOps Server 2020u1. Others on the team do not need it yet, so this is likely something new in Git. DevOps docs already have [a FAQ about this issue](https://learn.microsoft.com/en-us/azure/devops/repos/git/use-ssh-keys-to-authenticate?view=azure-devops#q-what-do-i-do-if-im-still-prompted-for-my-password-and-git_ssh_commandssh--v-git-fetch-shows-no-mutual-signature-algorithm). – Palec Jan 17 '22 at 21:02
2

Unfortunately putting this option to `~/.ssh/config` might break other software relying on older OpenSSH. I ended up using a deprecated name `PubkeyAcceptedKeyTypes` instead of `PubkeyAcceptedAlgorithms` (as mentioned [here](https://github.com/git-for-windows/git/issues/3468#issuecomment-965152050)). – Nickolay Feb 12 '22 at 13:53
The value in "Host" must be compatible with the domain in use eg: "some-client@vs-ssh.visualstudio.com:v3/some-client/some-path/some-repo" . In this example the value in "Host" ("~/.ssh/config") should be "vs-ssh.visualstudio.com". – Eduardo Lucio Jun 08 '22 at 23:07
1

This fixed the same issue I had with a self-hosted bitbucket server that had not been updated in a while. They list the [same solution on their forum](https://community.atlassian.com/t5/Bitbucket-questions/OpenSSH-8-7-and-ssh-rsa-host-key/qaq-p/1799373). – mulllhausen Jun 20 '22 at 01:43
Works as described with Azure DevOps. Thank you! – igor Sep 19 '22 at 16:36
fixed me up after upgrading in-place to ubuntu 22.04. well done. – Jesse MacNett Oct 28 '22 at 14:14

score 99 · Answer 2 · answered Dec 21 '21 at 11:10

OpenSSH will report the error no matching host key type found. Their offer: ssh-rsa if the server it's connecting to is offering to authenticate over ssh-rsa ( RSA/SHA1).

Azure Devops (TFS) is offering to authenticate over ssh-rsa. As noted in the answer by bk2204, this algorithm is not considered cryptographically secure.

Since it's considered weak, OpenSSH deprecated using SHA-1 in 8.2 in 2020-02-14.

It is now possible[1] to perform chosen-prefix attacks against the SHA-1 hash algorithm for less than USD$50K. For this reason, we will be disabling the "ssh-rsa" public key signature algorithm that depends on SHA-1 by default in a near-future release.

Azure Devops Services subsequently announced a patch to allow SHA-2

On may 5 2021, the Azure DevOps documentation was updated to mention using RSA 3072.

Q: Is this true?

¯\_(ツ)_/¯

Q: Which algorithms are supported?

Doesn't say anywhere. Probably only ssh-rsa.

Q: How do I use a cryptographically unsafe algorithm

Add this

  HostkeyAlgorithms +ssh-rsa
  PubkeyAcceptedAlgorithms +ssh-rsa

To your ~/.ssh/config

Host your-azure-devops-domain
  IdentityFile ~/.ssh/id_rsa
  IdentitiesOnly yes
  HostkeyAlgorithms +ssh-rsa
  PubkeyAcceptedAlgorithms +ssh-rsa

Q: Is Microsoft aware that this is a problem?

Yes they are.

Q: Do they care?

No it's a feature

Thanks! This did the trick for me after updating to Ubuntu 22.04. — abaga129, Jul 05 '22 at 17:33
As of 2022-08-01, ssh-rsa is still what is used by Azure DevOps _Services_, so their claim of patching it in 2020 is false. — Sharparam, Aug 01 '22 at 13:24

Jaroslav Bezděk · Answer 3 · 2021-11-12T12:44:26.503

61

According to this post, you can add ssh.dev.azure.com host config to your ~/.ssh/config file:

Final ~/.ssh/config that worked for me:

Host ssh.dev.azure.com
    HostName ssh.dev.azure.com
    User git
    IdentityFile ~/.ssh/id_rsa
    IdentitiesOnly yes
    PubkeyAcceptedAlgorithms +ssh-rsa
    HostkeyAlgorithms +ssh-rsa

edited Nov 12 '21 at 12:44

answered Nov 07 '21 at 18:45

Jaroslav Bezděk

6,967
6
29
46

4

`IdentitiesOnly yes PubkeyAcceptedAlgorithms +ssh-rsa HostkeyAlgorithms +ssh-rsa` Faced same issue after CodeCommit setup, pasting above 3 lines successfully authenticated git over SSH, Thanks! – Kunal Awasthi Dec 02 '21 at 09:14
but I'm still stuck. It was all working and suddenly stopped connecting codecommit.. – Ameer Ul Islam May 13 '22 at 17:05
3

This also works for HostNames like `vs-ssh.visualstudio.com` – elulcao May 31 '22 at 16:19

张馆长 · Answer 4 · 2023-02-03T02:57:32.813

48

scp or ssh could used this

ssh -p 22 -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa  user@myhost
# or scp
scp -P 22 -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa  user@myhost

edited Feb 03 '23 at 02:57

answered May 24 '22 at 11:00

张馆长

1,321
10
11

ssh-keygen -f "/home/qmm0/.ssh/known_hosts" -R "[10.0.0.28]:2222";ssh -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa 10.0.0.28 -p 2222 – CS QGB Jul 10 '22 at 14:50
SFTP: `sftp -P 22 -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa user@myhost` – Jesse Nickles Feb 12 '23 at 16:46
thank you for this! this also works on mac ventura 13.4 – woninana Jun 29 '23 at 18:07

score 19 · Answer 5 · answered Aug 01 '22 at 13:53

For those using Azure DevOps, you should use the following ~/.ssh/config, as Azure has a thing with varying what url it returns in its Clone Repository:

Host ssh.dev.azure.com
  PubkeyAcceptedAlgorithms +ssh-rsa
  HostkeyAlgorithms +ssh-rsa

Host vs-ssh.visualstudio.com
  PubkeyAcceptedAlgorithms +ssh-rsa
  HostkeyAlgorithms +ssh-rsa

score 12 · Answer 6 · edited Aug 08 '22 at 11:00

12

In your ~/.ssh/config file, add these lines.

Host *.drush.in
    HostkeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa

edited Aug 08 '22 at 11:00

Jaroslav Bezděk

6,967
6
29
46

answered Aug 08 '22 at 10:33

Abhilash Sharma

121
1
4

score 10 · Answer 7 · answered May 09 '22 at 06:24

10

I also got this problem, this worked for me:

cd ~/.ssh/
vim config

Host [Hostname]
User [User]
PubkeyAcceptedAlgorithms +ssh-rsa
HostkeyAlgorithms +ssh-rsa

I got this problem for a few hostnames so now i have several of those configurations in my ssh config file.

answered May 09 '22 at 06:24

Leonardo Repolust

143
1
10

and identity file? – Ameer Ul Islam May 13 '22 at 17:54

score 5 · Answer 8 · edited May 19 '23 at 06:25

5

There are 2 steps:

Add config file (without extension) to your ~/.ssh/ directory.

Add below content to the config file:

HostkeyAlgorithms +ssh-rsa    
PubkeyAcceptedAlgorithms +ssh-rsa

edited May 19 '23 at 06:25

Jaroslav Bezděk

6,967
6
29
46

answered May 08 '23 at 13:42

Özgür Öztürk

395
6
14

makefu · Answer 9 · 2022-02-02T18:13:41.923

With NixOS 21.11 openSSH got updated to 8.8p1 ( see Changelog ). OpenSSH deprecated ssh-rsa along with a couple of other insecure ciphers.

If i understood correctly, you are only using nix as package manager and not NixOS. If that is the case you can follow the guides in the remaining answers (edit ~/.ssh/config).

However, when you are using NixOS to configure your server you can re-enable ssh-rsa for the ssh client, by adding to your configuration.nix:

programs.ssh.extraConfig = ''
  PubkeyAcceptedAlgorithms +ssh-rsa
  HostkeyAlgorithms +ssh-rsa
''

To re-enable the insecure ssh-rsa cipher for your openssh server (e.g. when legacy clients connect to the server), you can simply add the following lines to your configuration.nix:

services.openssh.extraConfig = ''
  PubkeyAcceptedAlgorithms +ssh-rsa
  HostkeyAlgorithms +ssh-rsa
'';

Thanks, that was exactly what I needed. Unfortunately, the services.openssh stanza has two typos (transposed letters). I think it needs to be "PubkeyAcceptedAlgorithms", just like in the programs.ssh stanza. — antifuchs, Jan 06 '22 at 23:45

score 4 · Answer 10 · answered Mar 28 '22 at 15:54

Correction for the posted answer. I had the same issue and I fixed it with the following snippet from above with a tiny fix:

Host YOUR-DOMAIN
Hostname YOUR-DOMAIN
IdentityFile ~/.ssh/id_rsa
IdentitiesOnly yes
HostKeyAlgorithms=+ssh-rsa
PubkeyAcceptedAlgorithms=+ssh-rsa

Dont forget to replace YOUR-DOMAIN with the domain you are using on AzureDevOps.

score 2 · Answer 11 · answered Apr 19 '22 at 16:46

2

The format of the workaround wasn't working for me for windows 10 and git version 2.32.0. This snippet worked for me

Host = Hostname.com
IdentityFile = ~/.ssh/id_rsa
IdentitiesOnly = yes
HostkeyAlgorithms = +ssh-rsa
PubkeyAcceptedAlgorithms = +ssh-rsa

answered Apr 19 '22 at 16:46

Rohit Singh

401
2
6

score 1 · Answer 12 · edited Jun 01 '22 at 06:16

I googled a lot a bout this mistake: I have Ubuntu 22.04 and here all my configuration.
I hope it will help someone.

`linux@linux:~$ cat /home/username/.ssh/config`

Host *

KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512
Ciphers aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr

User username # it depends on your login; this one only for understanding

PubkeyAcceptedAlgorithms +ssh-rsa
HostkeyAlgorithms +ssh-rsa

And:

`/etc/ssh/sshd_config`

# Ciphers and keying

Ciphers             aes128-cbc,3des-cbc
KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512

HostkeyAlgorithms ssh-dss,ssh-rsa
KexAlgorithms diffie-hellman-group1-sha1

score 1 · Answer 13 · answered Jul 26 '22 at 14:04

I also faced this issue on my windows machine while setting up the SSH key for bitbucket

Initially, the config file was not created when I generated the public and private key files using the ssh-keygen command, so I used GitBash to create the config file and wrote the below content on it.

To create the file

touch config

To open and update the created file

nano config

Content added to the config file

Host [Hostname]
   HostName [Hostname]
   IdentityFile ~/.ssh/id_rsa
   IdentitiesOnly yes
   PubkeyAcceptedAlgorithms +ssh-rsa
   HostkeyAlgorithms +ssh-rsa

Note: If you are using your organization's bitbucket account, the hostname will be different or else by default it will be bitbucket.org

sonic nit 11 · Answer 14 · 2023-03-03T23:29:24.987

By this way, it worked:

Open terminal: cd ~/.ssh/
Create config file: vim config

Next steps you can use VIM to input the config file or use my way:

Open Finder/ Go to Folder/ type: ~/.ssh
Open the config file by TextEdit or SublimeText
Paste the following code

Host replaceMeByYourGitDomain HostName replaceMeByYourGitDomain User git IdentityFile ~/.ssh/id_rsaenter code here IdentitiesOnly yes PubkeyAcceptedAlgorithms +ssh-rsa HostkeyAlgorithms +ssh-rsa

score 0 · Answer 15 · answered Jul 20 '22 at 16:27

I had this issue and it turned out to be because my computer was referencing the wrong ssh.exe file.

Run the command:

which ssh.exe

If this does not return OpenSSH/ssh.exe then this is likely your issue.

Take the return value and rename the ssh.exe file as ssh.exe.org

Run

which ssh.exe

again and it should now show the OpenSSH/ssh.exe file.

score 0 · Answer 16 · answered Aug 15 '23 at 12:22

0

For macOS, you actually need to edit /etc/ssh/ssh_config instead of .ssh/config. The local config wasn't applied for me.

answered Aug 15 '23 at 12:22

quasi

113
2
5

score -1 · Answer 17 · edited Mar 31 '23 at 21:02

-1

A concise solution to this: ssh -oHostKeyAlgorithms=+ssh-rsa user@remote.server.com

edited Mar 31 '23 at 21:02

jmoerdyk

5,544
7
38
49

answered Mar 31 '23 at 19:28

小泡芙

1

1

This answer was already given in May, 2022. Please don't repeat answers. – ChrisGPT was on strike Apr 05 '23 at 16:12

Git error no matching host key type found. Their offer: ssh-rsa

17 Answers17

Q: Is this true?

Q: Which algorithms are supported?

Q: How do I use a cryptographically unsafe algorithm

Q: Is Microsoft aware that this is a problem?

Q: Do they care?

`linux@linux:~$ cat /home/username/.ssh/config`

`/etc/ssh/sshd_config`

Linked

Related