I recently started seeing almost twice as many systems failing, with the error below in the logs:
“Make sure this host can be reached over ssh: Unable to negotiate with XX.XX.XX.XXX port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss”
These are older systems, but we do have quite a few of them and need to keep them around and be able to automate them.
I have run the same job against the same server using EE 21.11.0 and it worked with no issues, so this is limited to EE-latest.
Is this a security “enhancement”, and can it be worked around for older systems by passing ssh args to define support for older key types?
EE-latest is based on CentOS Stream 9, whereas EE 21.11.0 is based on Stream 8, so that might be causing issues with unsupported SSH key types. You may want to investigate the recommended SSH key types for Stream 9 systems.
While I do understand the security implications, it would be extremely helpful to be able to override this behaviour on host/group level with SSH args (or a similar approach) while still using EE-latest.
The ability to automate against the entire environment is paramount even, or especially, when that environment still contains legacy systems.
This sounds very much like a problem we ran into recently.
Newer versions of OpenSSH don’t support the ssh-rsa algorithm by default.
However, there is a workaround if you cannot upgrade your remote hosts.
All you need to do is add the following lines to the start of your .ssh/config file:

    HostKeyAlgorithms +ssh-rsa
    Host *
    PubkeyAcceptedKeyTypes +ssh-rsa

You can replace the

    Host *
    PubkeyAcceptedKeyTypes +ssh-rsa

entry with individual entries for each affected host if you want.
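As an added example (not code posted by anyone in this thread), the script below does two things a practitioner would want around the workaround above: it generates the per-host form of the stanza (so ssh-rsa is only re-enabled for the named legacy hosts instead of `Host *`), and it audits an existing ssh_config for blocks that re-enable ssh-rsa for every host. The host names `legacy-db01` and `legacy-app02` are constructed sample values, and the parser is a deliberately small one that handles the `Key value` / `Key=value` forms and `#` comments, not every ssh_config feature.

```python
"""Scoped ssh-rsa workaround generator and ssh_config audit.

Added example for this thread, not code from any participant.
Host names below are constructed sample values.
"""
import re
from typing import Dict, List, Tuple

# Directives the workaround touches. ssh_config keywords are case-insensitive,
# so they are compared in lower case. PubkeyAcceptedKeyTypes is the older
# spelling; recent OpenSSH also accepts PubkeyAcceptedAlgorithms.
WEAKENING_DIRECTIVES = (
    "hostkeyalgorithms",
    "pubkeyacceptedkeytypes",
    "pubkeyacceptedalgorithms",
)

# The config exactly as suggested in the reply above: ssh-rsa is re-enabled
# globally (directive before any Host line) and again under "Host *".
THREAD_STYLE_CONFIG = """\
HostKeyAlgorithms +ssh-rsa
Host *
PubkeyAcceptedKeyTypes +ssh-rsa
"""

_DIRECTIVE_RE = re.compile(r"^\s*(\S+?)\s*(?:=|\s)\s*(.*?)\s*$")


def build_legacy_stanza(hosts: List[str]) -> str:
    """Return an ssh_config block that appends ssh-rsa only for the given hosts.

    '+ssh-rsa' appends to OpenSSH's default list rather than replacing it, so
    stronger algorithms stay preferred when a legacy host also offers them.
    """
    if not hosts:
        raise ValueError("at least one host pattern is required")
    lines = [
        "Host " + " ".join(hosts),
        "    HostKeyAlgorithms +ssh-rsa",
        "    PubkeyAcceptedKeyTypes +ssh-rsa",
    ]
    return "\n".join(lines) + "\n"


def parse_ssh_config(text: str) -> List[Tuple[List[str], Dict[str, str]]]:
    """Split ssh_config text into (host_patterns, {directive: value}) blocks.

    Directives that appear before the first 'Host' line apply to every host;
    they are returned as a block with the pattern list ['(global)'].
    """
    blocks: List[Tuple[List[str], Dict[str, str]]] = []
    patterns: List[str] = ["(global)"]
    directives: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        match = _DIRECTIVE_RE.match(line)
        if not match:
            continue  # keyword without a value; nothing to record
        key, value = match.group(1).lower(), match.group(2)
        if key == "host":
            blocks.append((patterns, directives))
            patterns, directives = value.split(), {}
        else:
            directives[key] = value
    blocks.append((patterns, directives))
    return blocks


def audit_ssh_config(text: str) -> List[str]:
    """Return one finding per block that re-enables ssh-rsa for all hosts.

    A block is over-broad when it is the global section or its Host patterns
    include a bare '*'. Blocks scoped to named hosts produce no finding.
    """
    findings = []
    for patterns, directives in parse_ssh_config(text):
        is_global = patterns == ["(global)"]
        broad = is_global or "*" in patterns
        if not broad:
            continue
        scope = "global section" if is_global else "Host " + " ".join(patterns)
        for key, value in directives.items():
            if key in WEAKENING_DIRECTIVES and "ssh-rsa" in value.lower():
                findings.append(f"{scope}: '{key} {value}' re-enables ssh-rsa for every host")
    return findings


if __name__ == "__main__":
    print("Findings for the Host * form:")
    for finding in audit_ssh_config(THREAD_STYLE_CONFIG):
        print("  -", finding)
    scoped = build_legacy_stanza(["legacy-db01", "legacy-app02"])
    print("\nScoped stanza to use instead:\n" + scoped)
    print("Findings for the scoped form:", audit_ssh_config(scoped))
```

The scoped stanza answers the original question about per-host control on the SSH side; the same two options can also be set per host or group in an Ansible inventory through `ansible_ssh_common_args` (for example `-o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa`), which keeps the exception next to the legacy hosts rather than in a shared `.ssh/config`.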