IBM Support

IBM AIX: OpenSSH 9.2 disables ssh-rsa host key algorithm support by default

Troubleshooting


Problem

The AIX® ssh client rejects the ssh-rsa host key algorithm offered by the ssh server, so the login fails. This happens only when the server offers no other host key algorithm that the client accepts.

Symptom

The ssh command prints an error message of this form (XXX.XXX.XXX.XXX is the address of the server):

Unable to negotiate with XXX.XXX.XXX.XXX port 22: no matching host key type found. Their offer: ssh-rsa

Cause

The ssh-rsa host key algorithm has been disabled by default since OpenSSH 8.8. Its signatures use the SHA-1 hash algorithm, which is no longer considered secure: practical chosen-prefix collision attacks against SHA-1 have been demonstrated.

Important note: do not confuse the ssh-rsa host key algorithm with the ssh-rsa key type. The same name is used for two different things. The key type names the RSA public key format and carries no hash algorithm; the host key algorithm is a signature algorithm and names a specific hash (for ssh-rsa, SHA-1). RSA host keys themselves are still fully supported; only signing with them by using SHA-1 is disabled.

There are three host key algorithms associated with the ssh-rsa key type:

  • ssh-rsa, which uses the SHA-1 hash algorithm.
  • rsa-sha2-256, which uses the SHA-2 256-bit hash algorithm.
  • rsa-sha2-512, which uses the SHA-2 512-bit hash algorithm.

Both the rsa-sha2-256 and rsa-sha2-512 algorithms remain fully supported and enabled by default.

Environment

This issue affects AIX systems on which OpenSSH has been upgraded to version 9.2 or later, the AIX OpenSSH level that carries the upstream OpenSSH 8.8 change.

Resolving The Problem

There are two ways to resolve the problem. The first keeps SHA-1 disabled and is preferred.

1. Enable the SHA-2 host key algorithms on the ssh server. An OpenSSH server of version 7.2 or later offers rsa-sha2-256 and rsa-sha2-512 by default, so an offer of only ssh-rsa from such a server means that its HostKeyAlgorithms setting was explicitly restricted. Servers older than that, and some non-OpenSSH implementations, do not support the SHA-2 algorithms at all; for them this option is not available. In OpenSSH, add the following option to the /etc/ssh/sshd_config file on the ssh server. The leading "+" appends to the default list instead of replacing it.

HostKeyAlgorithms +rsa-sha2-512,rsa-sha2-256

Check the configuration with sshd -t before restarting: an sshd that does not recognize an algorithm named in HostKeyAlgorithms refuses to start. Then restart the ssh daemon for the change to take effect. Existing sessions are not affected. On AIX:

stopsrc -s sshd
startsrc -s sshd

2. Enable use of the ssh-rsa host key algorithm on the ssh client. Do this by adding the following option to the /etc/ssh/ssh_config or $HOME/.ssh/config file on the client, preferably inside a Host stanza that matches only the affected server, so that SHA-1 signatures are not re-enabled for every server the client connects to.

HostKeyAlgorithms +ssh-rsa

This option is NOT recommended because the ssh-rsa host key algorithm uses the SHA-1 hash algorithm, which is not secure. Only use it as a last resort, and remove it once the server has been fixed. The same option can be given for a single connection with the ssh -o flag, which is a quick way to confirm that nothing else is wrong before any file is edited.
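The triage a practitioner does when this error appears, as an added shell example that is not code from the technote or from OpenSSH: it extracts the algorithm list from the "Their offer:" text, decides whether the server or the client configuration is at fault, and prints either the server-side line from option 1 or a client-side Host stanza for option 2 that is scoped to the one server. The alias legacy-aix and the address 192.0.2.10 are placeholders, and the sample error line is constructed from the Symptom section above.

```shell
#!/bin/sh
# Added example for this technote; not IBM's or OpenSSH's own code.
# Triages the "no matching host key type found" error from its
# "Their offer:" list and prints the fix to apply. The host alias
# (legacy-aix) and address (192.0.2.10) are placeholders.

# parse_offer LINE
#   Print the comma-separated algorithm list that follows "Their offer:".
#   Prints nothing if the line is some other ssh error.
parse_offer() {
    printf '%s\n' "$1" | sed -n 's/.*Their offer: *//p'
}

# classify_offer OFFER
#   server-sha1-only  : only ssh-rsa (RSA with SHA-1) is offered; fix the
#                       server, or re-enable ssh-rsa on the client as a last resort
#   client-restricted : the server offers something a default OpenSSH 9.2 client
#                       accepts, so the client's own HostKeyAlgorithms is too narrow
#   no-rsa            : ssh-rsa is not offered at all; this technote does not apply
classify_offer() {
    has_sha1=no
    has_modern=no
    old_ifs=$IFS
    IFS=','
    for alg in $1; do
        case $alg in
            ssh-rsa) has_sha1=yes ;;                     # RSA + SHA-1, off by default since OpenSSH 8.8
            ssh-dss) ;;                                  # DSA, also rejected by default clients
            rsa-sha2-256|rsa-sha2-512) has_modern=yes ;; # RSA + SHA-2, still enabled
            *) has_modern=yes ;;                         # ssh-ed25519, ecdsa-sha2-*, certificate forms
        esac
    done
    IFS=$old_ifs
    if [ "$has_modern" = yes ]; then
        echo client-restricted
    elif [ "$has_sha1" = yes ]; then
        echo server-sha1-only
    else
        echo no-rsa
    fi
}

# client_block ALIAS ADDRESS
#   Print a ~/.ssh/config stanza that re-enables ssh-rsa for ONE host only.
#   "+" appends to the default list; the Host stanza keeps SHA-1 off elsewhere.
client_block() {
    printf 'Host %s\n    HostName %s\n    HostKeyAlgorithms +ssh-rsa\n' "$1" "$2"
}

# recommend ALIAS ADDRESS ERROR_LINE
#   Read the ssh error, classify the offer, print what to change.
recommend() {
    offer=$(parse_offer "$3")
    case $(classify_offer "$offer") in
        server-sha1-only)
            echo "# $2 offers only ssh-rsa (SHA-1)."
            echo "# Preferred: on the server (OpenSSH 7.2 or later), in /etc/ssh/sshd_config,"
            echo "# then 'sshd -t' and a restart:"
            echo "#   HostKeyAlgorithms +rsa-sha2-512,rsa-sha2-256"
            echo "# Last resort: on this client, for this host only:"
            client_block "$1" "$2"
            ;;
        client-restricted)
            echo "# $2 offers an acceptable algorithm; the client config is too narrow."
            echo "# Inspect the effective list with: ssh -G $1 | grep -i hostkeyalgorithms"
            ;;
        *)
            echo "# Offer '$offer' does not include ssh-rsa; this technote does not apply."
            ;;
    esac
}

# Constructed sample: the Symptom message with a documentation address (RFC 5737).
SAMPLE='Unable to negotiate with 192.0.2.10 port 22: no matching host key type found. Their offer: ssh-rsa'
recommend legacy-aix 192.0.2.10 "$SAMPLE"
```

Paste the real error line in place of SAMPLE. When the verdict is client-restricted, ssh -G prints the configuration that ssh would actually use for that alias, which is the fastest way to find a HostKeyAlgorithms line in a system or user config that has narrowed the default list.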


SUPPORT:

If the instructions in this document do not lead to resolution of the problem, follow these instructions to open a case. The product must be under warranty or have an active and valid support contract.

a. Document or take screen captures of all symptoms, errors, or messages.

b. Capture any logs or data relevant to the issue.

c. Contact IBM® to open a case.

-For electronic support, visit the IBM Support Community:
https://www.ibm.com/mysupport
-If you require telephone support, visit this web page:
https://www.ibm.com/planetwide/

d. Provide a detailed description of the issue and a reference to this technote.

e. Upload all of the details and data to the case.

-You can attach files to the case in the IBM Support Community, or
-Upload data to IBM test case server analysis at this URL:

http://www.ibm.com/support/docview.wss?uid=ibm10733581



Document Location

Worldwide



Document Information

More support for:
AIX

Component:
Communication Applications

Software version:
All Versions

Document number:
7118459

Modified date:
13 May 2024

UID

ibm17118459
