Can't connect to some remote hosts using SSH from VCSA 8.0 U2 or later (it worked fine on VCSA 7.x and on VCSA 8.0 versions prior to U2)

Article ID: 379650


Products

VMware vCenter Server

Issue/Introduction

Connections to some SSH servers fail from the vCSA 8.0 U2 (or later) shell.

The following error is shown:

Unable to negotiate with <<IP address of remote host>> port 22: no matching host key type found. Their offer: ssh-rsa



Environment

vCenter Server 8.0 U2 or later.

Cause

Starting with vCenter Server 8.0 U2, the OpenSSH server has been updated to 8.8p1 (or higher on later releases of VCSA). As of OpenSSH version 8.8p1, RSA signatures using the SHA-1 hash algorithm are disabled by default for security reasons.

As a result, connecting from the new VCSA to some older SSH servers can fail while negotiating the "host key algorithm", or possibly with "send_pubkey_test: no mutual signature algorithm" (shown when the '-v' verbose option is used).

Resolution

Add the "HostKeyAlgorithms=+ssh-rsa" option to your ssh command line.


For example,


$ ssh -o HostKeyAlgorithms=+ssh-rsa root@target-host


or

(For connecting to hosts whose SSH server does not support SHA-256 or SHA-512 for 'ssh-rsa')

$ ssh -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa root@target-host

You can also add the following to your "~/.ssh/config":

Host target-host
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa

Be aware that this could lower the security level (it enables the SHA-1 hash function).
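
To keep that exposure limited to the hosts that need it, the following added example (not part of the original article) lists every place an ssh client config re-enables ssh-rsa and marks whether it sits in a single-host block or applies broadly. The function name audit_ssh_rsa and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the KB article.
# audit_ssh_rsa FILE: print SCOPE<TAB>HOST-PATTERNS<TAB>OPTION for every line
# that adds ssh-rsa to HostKeyAlgorithms or PubkeyAcceptedAlgorithms.
# SCOPE is "scoped" when the enclosing Host block names only literal hosts,
# and "broad" for the global section, wildcard/negated patterns and Match blocks.
audit_ssh_rsa() {
    awk '
    BEGIN { hosts = "(global)"; broad = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        n = match(line, /[ \t=]+/)             # keyword and value split on space or "="
        if (n == 0) next
        key = tolower(substr(line, 1, n - 1))  # keywords are case-insensitive
        val = substr(line, n + RLENGTH)
        if (key == "host")  { hosts = val; broad = (val ~ /[*?!]/) ? 1 : 0; next }
        if (key == "match") { hosts = "Match " val; broad = 1; next }  # criteria not evaluated
        if (key != "hostkeyalgorithms" && key != "pubkeyacceptedalgorithms") next
        if (val ~ /^-/ || val !~ /ssh-rsa/) next  # "-ssh-rsa" removes rather than enables
        printf "%s\t%s\t%s\n", (broad ? "broad" : "scoped"), hosts, key
    }' "$1"
}

# Constructed sample config for a stand-alone run.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# a global line applies to every host
HostKeyAlgorithms +ssh-rsa

Host target-host
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms=+ssh-rsa

Host *.lab.example
    PubkeyAcceptedAlgorithms +ssh-rsa

Host modern-host
    HostKeyAlgorithms -ssh-rsa
EOF
audit_ssh_rsa "$sample"
rm -f "$sample"
```

Run it against "~/.ssh/config" (and /etc/ssh/ssh_config if that file is also edited); any "broad" line means SHA-1 RSA signatures are accepted for more than the one legacy host.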