IBM Support

After upgrading to OpenSSH 9.9, sshd fails to start if ssh-dss Host Key Algorithm used

Troubleshooting


Problem

After upgrading to OpenSSH 9.9, some clients are not able to communicate or connect through either sftp or ssh or other OpenSSH protocol applications.

Symptom

The most common symptom is "sshd" service does not start or Client receives a communication failure error message similar to:
Unable to negotiate with X.X.X.X port 22: no matching host key type found. Their offer: ssh-rsa

Cause

Some old Host Key Algorithms have been disabled by default due to their weakness in OpenSSH release 9.2 and later.

Diagnosing The Problem

For a verbose ssh messages test you can try:
# ssh -vvv $SSH_Server

where $SSH_Server is the IP Address or Alias of your SSH Server.

Resolving The Problem

We strongly recommend upgrading SSH Clients to the latest releases to use better and more secure Algorithms. As a temporary workaround and assuming the eventual risks, some customer may add support for old Algorithms back by adding to /etc/sshd_config a line similar to:
HostKeyAlgorithms +ssh-rsa,ssh-dss
Note: each time after updating /etc/sshd_config, you need to:
# stopsrc -s sshd
# startsrc -s sshd

While this used to work in previous releases, in OpenSSH 9.9 the "sshd" service will not start. The reason is the "ssh-dss" Algorithms has been permanently disabled in this release. Instead, you may use:
HostKeyAlgorithms +ssh-rsa
only.

Document Location

Worldwide


[{"Type":"MASTER","Line of Business":{"code":"LOB08","label":"Cognitive Systems"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SWG10","label":"AIX"},"ARM Category":[{"code":"a8m0z000000cvzvAAA","label":"AIX Open Source-\u003EOPENSSH\/OPENSSL"}],"ARM Case Number":"TS018529325","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

More support for:
AIX

Component:
AIX Open Source->OPENSSH/OPENSSL

Software version:
All Versions

Document number:
7185939

Modified date:
14 March 2025

UID

ibm17185939

Manage My Notification Subscriptions