Secure Shell, or SSH, has long been a staple for developers and system administrators alike. The humble protocol has seen many changes over the years to improve both security and convenience.
One of the most important updates to OpenSSH, the most widely used SSH server, deprecates some key types, in particular older RSA keys whose signatures rely on SHA-1 (the ssh-rsa algorithm). Sadly, until those keys are updated, they are harder to use.
When an up-to-date SSH client connects to a server that only offers such a host key type, you are greeted by the message “no matching host key type found. Their offer: ssh-rsa”.
This error can be frustrating, especially for newer developers with little Linux experience. Many never touch the terminal; they only use an SSH key to work with version control software such as Git.
So, what is the fix for the error “no matching host key type found. Their offer: ssh-rsa”? Let’s talk about it in this article.
The Solution
Technically, connecting a newer SSH client to an older SSH server with a mismatching host key type can be done, but it is tricky. First, edit the file ~/.ssh/config with Nano or any text editor. Add the following lines, replacing the hostname after “Host” with your server’s hostname and the username with your own:
Host your.hostname.com
    User your.username
    PubkeyAcceptedAlgorithms +ssh-rsa
    HostKeyAlgorithms +ssh-rsa
Save the file and try reconnecting; after a short while you will be able to use the server as usual. However, do note that re-enabling an out-of-date host key algorithm (RSA signatures with SHA-1) is very insecure.
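The workaround above is easy to forget once the server is fixed, and a Host * block would weaken every connection rather than one. The following audit helper is an added example written for this article, not part of the original post or of OpenSSH: it parses ssh_config text, reports every Host block whose HostKeyAlgorithms or PubkeyAcceptedAlgorithms (or the older PubkeyAcceptedKeyTypes spelling) admits ssh-rsa, and flags findings that apply globally. The sample config is constructed.

```python
import re

# ssh_config keywords whose value lists can re-enable the SHA-1 based ssh-rsa
# algorithm; PubkeyAcceptedKeyTypes is OpenSSH's older name for PubkeyAcceptedAlgorithms.
ALGO_KEYWORDS = ("hostkeyalgorithms", "pubkeyacceptedalgorithms", "pubkeyacceptedkeytypes")

# Constructed sample ~/.ssh/config (not from any real system): one scoped
# workaround like the article's, plus a global block that weakens every host.
CONSTRUCTED_CONFIG = """\
Host legacy.example.com
    User deploy
    PubkeyAcceptedAlgorithms +ssh-rsa
    HostkeyAlgorithms +ssh-rsa
Host *
    HostKeyAlgorithms=+ssh-rsa
"""


def parse_ssh_config(text: str) -> list[tuple[str, dict[str, str]]]:
    """Split ssh_config text into (Host pattern, {keyword: value}) blocks.
    Keywords are case-insensitive, separated from values by whitespace or '=';
    options before the first Host line apply to every host."""
    blocks: list[tuple[str, dict[str, str]]] = [("*", {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or full-line comment
        m = re.match(r"^(\S+?)(?:\s*=\s*|\s+)(.+)$", line)
        if not m:
            continue  # keyword with no value; nothing to record
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            blocks.append((value, {}))
        else:
            blocks[-1][1][key] = value
    return blocks


def ssh_rsa_findings(text: str) -> list[tuple[str, str, str, bool]]:
    """Return (Host pattern, keyword, value, is_global) for every algorithm
    list that admits ssh-rsa, whether via '+ssh-rsa' or an explicit list.
    A value starting with '-' only removes algorithms and is never a finding."""
    findings = []
    for pattern, opts in parse_ssh_config(text):
        for key in ALGO_KEYWORDS:
            value = opts.get(key)
            if value is None or value.startswith("-"):
                continue
            algos = {a.strip().lstrip("+^") for a in value.split(",")}
            if "ssh-rsa" in algos:
                findings.append((pattern, key, value, "*" in pattern.split()))
    return findings
```

Run it against your own ~/.ssh/config periodically; any finding marked global should be narrowed to the specific host, and scoped findings should be removed once that server supports rsa-sha2-256 or rsa-sha2-512.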
If you are a server admin, you need to update your server so that it accepts at least rsa-sha2-256 signatures; but if you are a Git or version control system user, there is little you can do except report it to your superior. The last time we checked, Azure DevOps still had this problem, and some other big players do as well.
So, What Caused The Error?
To sum up, the “no matching host key type” error is caused by a mismatch between the host key algorithms the client accepts and those the server offers. It can easily be remedied with a tweak to the SSH config file, but that is not recommended: no matter how you frame it, relying on RSA with SHA-1 signatures for everything in this era sounds scary.
Version control system vendors also need to update their RSA requirements to allow for more stringent security and greater peace of mind for developers.
We are a bunch of people who are still learning Linux servers. Only a high passion keeps pushing us to learn everything.