Troubleshooting
Problem
After upgrading to OpenSSH 9.9, some clients cannot connect or communicate through sftp, ssh, or other applications that use the OpenSSH protocol.
Symptom
The most common symptom is that the "sshd" service does not start, or that the client receives a communication failure error message similar to:
Unable to negotiate with X.X.X.X port 22: no matching host key type found. Their offer: ssh-rsa
Cause
In OpenSSH release 9.2 and later, some old host key algorithms have been disabled by default because of their weakness.
Diagnosing The Problem
To see verbose ssh messages for a test connection, run:
# ssh -vvv $SSH_Server
where $SSH_Server is the IP Address or Alias of your SSH Server.
Resolving The Problem
We strongly recommend upgrading SSH clients to the latest releases so that they use better and more secure algorithms. As a temporary workaround, and accepting the associated risks, some customers may add support for old algorithms back by adding a line similar to the following to /etc/sshd_config:
HostKeyAlgorithms +ssh-rsa,ssh-dss
Note: each time after updating /etc/sshd_config, you need to:
# stopsrc -s sshd
# startsrc -s sshd
While this used to work in previous releases, in OpenSSH 9.9 the "sshd" service will not start with this line. The reason is that the "ssh-dss" algorithm has been permanently disabled in this release. Instead, you may use:
HostKeyAlgorithms +ssh-rsa
only.
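The following is an added example, not part of the original document or IBM's own tooling: a pre-flight check that reports any HostKeyAlgorithms line still naming ssh-dss, so that it can be corrected before sshd is restarted. The function name and the sample configuration are constructed for illustration; a list prefixed with "-" is not reported because it removes algorithms rather than enabling them.

```sh
#!/bin/sh
# Added example (not IBM's code): list HostKeyAlgorithms entries that name
# ssh-dss. Exit status: 0 = none found, 1 = found, 2 = file not readable.
find_dss_hostkeyalgs() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    awk '
        { sub(/^[ \t]+/, "") }              # ignore leading whitespace
        /^#/ || /^$/ { next }               # skip comments and blank lines
        {
            n = match($0, /[ \t=]/)         # keyword ends at whitespace or "="
            if (n == 0) next
            if (tolower(substr($0, 1, n - 1)) != "hostkeyalgorithms") next
            val = substr($0, n + 1)
            gsub(/^[ \t=]+|[ \t]+$/, "", val)
            gsub(/"/, "", val)
            split(val, tok, /[ \t]+/); val = tok[1]   # keep the list itself
            if (substr(val, 1, 1) == "-") next  # "-" list removes, not enables
            sub(/^[+^]/, "", val)           # "+" appends, "^" moves to front
            m = split(val, alg, ",")
            for (i = 1; i <= m; i++)
                if (alg[i] == "ssh-dss") {
                    printf "%s:%d: %s\n", FILENAME, NR, alg[i]
                    bad = 1
                }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample configuration, used only to demonstrate the check.
sample=${TMPDIR:-/tmp}/sshd_config.sample.$$
cat > "$sample" <<'EOF'
# HostKeyAlgorithms +ssh-dss
Port 22
HostKeyAlgorithms +ssh-rsa,ssh-dss
EOF
if find_dss_hostkeyalgs "$sample"; then
    echo "OK: no ssh-dss in HostKeyAlgorithms"
else
    echo "Fix the line(s) above before restarting sshd"
fi
rm -f "$sample"
```

To check the live configuration, call find_dss_hostkeyalgs /etc/sshd_config before running stopsrc and startsrc. OpenSSH's own test mode, sshd -t, also validates the configuration file without starting the service.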
Document Location
Worldwide
Document Information
More support for:
AIX
Component:
AIX Open Source->OPENSSH/OPENSSL
Software version:
All Versions
Document number:
7185939
Modified date:
14 March 2025
UID
ibm17185939