
Unable to negotiate with XX.XXX.XX.XX: no matching host key type found. Their offer: ssh-dss


I am trying to create a git repository on my web host and clone it on my computer. Here's what I did:

  1. I created a repository on the remote server.
  2. I generated a key pair: ssh-keygen -t dsa.
  3. I added my key to ssh-agent.
  4. I copied the public key to ~/.ssh on the server.

And then, after an attempt to run the command git clone ssh://user@host/path-to-repository, I get an error:

Unable to negotiate with XX.XXX.XX.XX: no matching host key type found. Their offer: ssh-dss
fatal: Could not read from remote repository.
Please make sure you have the correct access rights and the repository exists.

What does that mean?


Solution

  • Updated version in 2024:

    Support for DSA keys was removed in OpenSSH 9.8, so the description from 2015 below is relevant only if you have an older OpenSSH version (vendors will keep using them for years, so I am keeping the original answer too).

    If you have OpenSSH 9.8 or newer, there is no way to make DSA keys work (unless you downgrade to an older version).

    But you should not use DSA keys anyway! Reach out to the server administrator and tell them they should update their software, which is likely 10+ years old and insecure.

    If you need to use DSA keys anyway to connect to some ancient hardware, connect to it through some container of your choice with an older OpenSSH version. These will be around for years.

    Version from 2015:

    The recent OpenSSH version deprecated DSA keys by default. You should suggest to your Git provider that they add some reasonable host key. Relying only on DSA is not a good idea.

    As a workaround, you need to tell your ssh client that you want to accept DSA host keys, as described in the official documentation for legacy usage. You have a few possibilities, but I recommend adding these lines to your ~/.ssh/config file:

    Host your-remote-host
        HostkeyAlgorithms +ssh-dss
    

    Another possibility is to use the environment variable GIT_SSH to specify these options:

    GIT_SSH_COMMAND="ssh -oHostKeyAlgorithms=+ssh-dss" git clone ssh://user@host/path-to-repository
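
Added example (not part of the original answer): a small triage script that reads the negotiation error and reports whether the local client can still be told to accept one of the offered host key types, or has none of them built in. It generalizes from ssh-dss to any offered algorithm; the function names and sample inputs are constructed for illustration, and it assumes `ssh -Q key` lists the key types the local client was built with.

```shell
#!/bin/sh
# Added example: triage the "no matching host key type found" error
# before editing ~/.ssh/config.

# Print the host key algorithms the server offered, one per line.
# stdin: ssh/git error output.
offered_host_keys() {
    sed -n 's/.*no matching host key type found\. Their offer: //p' |
        tr ',' '\n'
}

# advise ERROR_TEXT CLIENT_KEY_TYPES
#   CLIENT_KEY_TYPES is the output of `ssh -Q key` on the local client.
#   Prints one of:
#     enable:<alg>   the client still has <alg>; a per-host
#                    "HostKeyAlgorithms +<alg>" line would work
#     unsupported    the client has none of the offered algorithms
#     no-match       the text is not a host key negotiation error
advise() {
    offers=$(printf '%s\n' "$1" | offered_host_keys)
    if [ -z "$offers" ]; then
        echo "no-match"
        return 0
    fi
    for alg in $offers; do
        if printf '%s\n' "$2" | grep -qx -- "$alg"; then
            echo "enable:$alg"
            return 0
        fi
    done
    echo "unsupported"
}

# Constructed sample inputs (the address and key lists are made up).
ERR='Unable to negotiate with 192.0.2.10: no matching host key type found. Their offer: ssh-dss'
OLD_CLIENT='ssh-ed25519
ssh-rsa
ssh-dss'
NEW_CLIENT='ssh-ed25519
ssh-rsa'

advise "$ERR" "$OLD_CLIENT"   # client that still ships DSA
advise "$ERR" "$NEW_CLIENT"   # client built without DSA
# Live use: advise "$(git ls-remote ssh://user@host/path 2>&1)" "$(ssh -Q key)"
```

An `enable:` result is a reason to scope the override to that one `Host` entry rather than setting it globally; `unsupported` matches the 2024 note above, where only an older client can connect.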