ChatGPT解决这个技术问题 Extra ChatGPT

Unable to negotiate with XX.XXX.XX.XX: no matching host key type found. Their offer: ssh-dss

I am trying to create a git repository on my web host and clone it on my computer. Here's what I did:

I created a repository on the remote server. I generated a key pair: ssh-keygen -t dsa. I added my key to ssh-agent. I copied to the server public key in ~/.ssh.

And then, after an attempt to run the command git clone ssh://user@host/path-to-repository, I get an error:

Unable to negotiate with XX.XXX.XX.XX: no matching host key type found. Their offer: ssh-dss fatal: Could not read from remote repository. Please make sure you have the correct access rights and the repository exists.

What does that mean?

See security.stackexchange.com/questions/112802/…

J
Jakuje

The recent openssh version deprecated DSA keys by default. You should suggest to your GIT provider to add some reasonable host key. Relying only on DSA is not a good idea.

As a workaround, you need to tell your ssh client that you want to accept DSA host keys, as described in the official documentation for legacy usage. You have few possibilities, but I recommend to add these lines into your ~/.ssh/config file: 

Host your-remote-host
    HostkeyAlgorithms +ssh-dss

Other possibility is to use environment variable GIT_SSH to specify these options: 

GIT_SSH_COMMAND="ssh -oHostKeyAlgorithms=+ssh-dss" git clone ssh://user@host/path-to-repository
If there is no such file in your .ssh directory, an empty text file named "config" will do.
Absolute perfect worked, GIT_SSH_COMMAND="ssh -oHostKeyAlgorithms=+ssh-dss" git clone ssh://tejastank@192.168.1.4:8800/educationapp.git
As mentioned by @user2885534 you also need PubkeyAcceptedKeyTypes +ssh-rsa,ssh-dss if you want your key to be accepted when doing git fetch etc
G
Guillaume

You can also add -oHostKeyAlgorithms=+ssh-dss in your ssh line: 

ssh -oHostKeyAlgorithms=+ssh-dss user@host
This is the quickest solution +1 because it also permanently fixes the issue for that host. One more suggestion for the long-run is that if possible the host system should have its SSH daemon upgraded as it appears DSS it not considered very secure anymore.
@AreebSooYasir, it does not permanently fix it for that host, at least in Git Bash for Windows.
J
J. Chomel

For me this worked: (added into .ssh\config) 

Host *
HostkeyAlgorithms +ssh-dss
PubkeyAcceptedKeyTypes +ssh-dss
The second option is not related to the problem and the first is already mentioned in my answer.
Host your-host didn't work for me, provided your-host is the name of the host I'm running the ssh command from (client). But Host * worked for me.
@Krischu no, yuor-host is the host you are running the ssh against. Setting unsafe default for all the hosts is always bad idea.
@Jakuje It's not setting it to an unsafe default; it's appending to the default list as a last resort. From openssh.com/legacy.html "The '+' before the list instructs ssh to append the algorithm to the client's default set rather than replacing the default. By appending, you will automatically upgrade to the best supported algorithm when the server starts supporting it."
enabling 1k DSA keys even on last resort is not good idea. It is disabled for a good reason for years.
M
Michael

If you would like to contain this security hole to a single repo, you can add a config option to any Git repos that need this by running this command in those repos. (Note: only works with git version >= 2.10, released 2016-09-04) 

git config core.sshCommand 'ssh -oHostKeyAlgorithms=+ssh-dss'

This only works after the repo is setup, however. If you're not comfortable adding a remote manually (and just want to clone), then you can run the clone like this: 

GIT_SSH_COMMAND='ssh -oHostKeyAlgorithms=+ssh-dss' git clone ssh://user@host/path-to-repository

Then run the first command to make it permanent.

If you don't have the latest Git and still would like to keep the hole as local as possible, I recommend putting 

export GIT_SSH_COMMAND='ssh -oHostKeyAlgorithms=+ssh-dss'

in a file somewhere, say git_ssh_allow_dsa_keys.sh, and sourceing it when needed.

G
Gus Calca

I want to collaborate a little with the solution for the server side. So, the server is saying it does not support DSA, this is because the openssh client does not activate it by default:

OpenSSH 7.0 and greater similarly disable the ssh-dss (DSA) public key algorithm. It too is weak and we recommend against its use.

So, to fix this this in the server side I should activate other Key algorithms like RSA o ECDSA. I just had this problem with a server in a lan. I suggest the following:

Update the openssh: 

yum update openssh-server

Merge new configurations in the sshd_config if there is a sshd_config.rpmnew.

Verify there are hosts keys at /etc/ssh/. If not generate new ones, see man ssh-keygen. 

$ ll /etc/ssh/
total 580
-rw-r--r--. 1 root root     553185 Mar  3  2017 moduli
-rw-r--r--. 1 root root       1874 Mar  3  2017 ssh_config
drwxr-xr-x. 2 root root       4096 Apr 17 17:56 ssh_config.d
-rw-------. 1 root root       3887 Mar  3  2017 sshd_config
-rw-r-----. 1 root ssh_keys    227 Aug 30 15:33 ssh_host_ecdsa_key
-rw-r--r--. 1 root root        162 Aug 30 15:33 ssh_host_ecdsa_key.pub
-rw-r-----. 1 root ssh_keys    387 Aug 30 15:33 ssh_host_ed25519_key
-rw-r--r--. 1 root root         82 Aug 30 15:33 ssh_host_ed25519_key.pub
-rw-r-----. 1 root ssh_keys   1675 Aug 30 15:33 ssh_host_rsa_key
-rw-r--r--. 1 root root        382 Aug 30 15:33 ssh_host_rsa_key.pub

Verify in the /etc/ssh/sshd_config the HostKey configuration. It should allow the configuration of RSA and ECDSA. (If all of them are commented by default it will allow too the RSA, see in man sshd_config the part of HostKey). 

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

For the client side, create a key for ssh (not a DSA like in the question) by just doing this: 

ssh-keygen

After this, because there are more options than ssh-dss(DSA) the client openssh (>=v7) should connect with RSA or better algorithm.

Here another good article.

This is my first question answered, I welcome suggestions :D .

i
indika

In my case for bitbucket, the following worked. 

Host yourhost(ex: bitbucket.com)
    User git
    PubkeyAcceptedAlgorithms +ssh-rsa
    HostkeyAlgorithms +ssh-rsa
a
ashokhein

You either follow above approach or this one

Create the config file in the .ssh directory and add these line. 

host xxx.xxx
 Hostname xxx.xxx
 IdentityFile ~/.ssh/id_rsa
 User xxx
 KexAlgorithms +diffie-hellman-group1-sha1
That is solving completely different problem.

关注公众号,不定期副业成功案例分享
Follow WeChat

Success story sharing

Want to stay one step ahead of the latest teleworks?

Subscribe Now

HuntsBot,a one-stop outsourcing task, remote job, product ideas sharing and subscription platform, which supports DingTalk, Lark, WeCom, Email and Telegram robot subscription. The platform will push outsourcing task requirements, remote work opportunities, product ideas to every subscribed user with timely, stable and reliable.

简体中文 English

Platform

Support

Links

Contact US

Any questions or suggestions during use, you can contact us in the following ways:

Email: huntsbot@xinbeitime.com

Copyright© 2022-2023 www.huntsbot.com 浙ICP备2022000860号-4 All Rights Reserved.