Andrea Casarin

Published on: 10/8/2022, 8:05:00 AM

OpenSSH ssh-dsa and ssh-rsa

OpenSSH 8.8 is deprecating ssh-rsa and ssh-dss as key types.

In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1 hash algorithm in conjunction with the RSA public key algorithm. It is now possible to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. [https://www.openssh.com/txt/release-8.7]

So you will get this error:

no matching host key type found. Their offer: ssh-rsa,ssh-dss

You can add those algorithms back, with:

HostKeyAlgorithms +ssh-rsa,ssh-dss

in /etc/ssh_config.

Of course, this is only a workaround; please update your keys.

I would go with https://en.wikipedia.org/wiki/Twisted_Edwards_curve; to generate such a key, you issue a simple command:

ssh-keygen -t ed25519
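
To find which keys still need replacing, the following is an added example, not part of the original post: a POSIX shell function that lists the entries in an authorized_keys or known_hosts file whose key type is ssh-rsa or ssh-dss. The function name find_legacy_keys and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): list entries in an
# authorized_keys or known_hosts file that still use ssh-rsa or ssh-dss.
# find_legacy_keys is a name chosen for this example.

# find_legacy_keys FILE
# Prints "<line-number> <key-type>" for each ssh-rsa / ssh-dss entry.
find_legacy_keys() {
    awk '
        /^[ \t]*#/ { next }            # skip comments (and commented-out keys)
        {
            # The key type is not always field 1: authorized_keys lines may
            # begin with options, known_hosts lines with a host list.
            # Take the first field that looks like a key type and is
            # followed by the base64 key blob (blobs start with "AAAA").
            for (i = 1; i < NF; i++) {
                if ($i ~ /^(ssh-|ecdsa-sha2-|sk-)/ && $(i + 1) ~ /^AAAA/) {
                    if ($i == "ssh-rsa" || $i == "ssh-dss") print NR, $i
                    next               # stop at the real key type
                }
            }
        }
    ' "$1"
}

# Constructed sample entries; the blobs are truncated placeholders, not keys.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed sample
ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED alice@laptop
command="/usr/bin/backup --all",no-pty ssh-dss AAAAB3NzaC1kc3M-CONSTRUCTED backup@old
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5-CONSTRUCTED replaces ssh-rsa AAAAold
legacy.example.com,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED
EOF

find_legacy_keys "$sample"
```

Point the function at ~/.ssh/authorized_keys or ~/.ssh/known_hosts to get the line numbers of the entries to replace; the ed25519 line in the sample is not reported even though its comment mentions ssh-rsa.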