Rsync/ssh problems (since upgrading to 36)

phengaris · June 13, 2022, 9:41pm

I’ve used rsync for years to update files at Bluehost. Since last night my ssh client has returned an error:
Unable to negotiate with xxx.xxx.xxx.xx port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
Any idea what is causing it? I regenerated the keys on the server and downloaded my private key into ~/.ssl/id_rsa at their support desks suggestion, but to no effect. I did upgrade to Fedora 36 prior to this. I installed PuTTY on a windows laptop to see if that worked and that connected fine.

t3kg33k · June 14, 2022, 6:41am

Are you able to ssh to that same IP?
You should also check your .ssh/authorized_keys to confirm there is no conflict.

phengaris · June 14, 2022, 6:56am

Thanks for the response. Yes, ssh to same IP address. Works on Windows/PuTTY, fails on Fedora. I’m using the same key-pair (I copied the private key from Fedora box to Windows). Before regenerating the keys, I deleted the old pair so I have just one key pair.

robin217 · June 14, 2022, 7:39am

Try adding -o HostKeyAlgorithms=ssh-rsa :

ssh -o HostKeyAlgorithms=ssh-rsa user@server.com

(mentioned in other thread)

phengaris · June 16, 2022, 8:34am

Robin’s suggestion enabled me to ssh and rsync - but then it seemed to by-pass key exchange and just use password (presumably sent in plain text). My work around at the moment is that I’ve resuscitated an old NUC that has an earlier version of Fedora. I can ssh into that from my Fedora 36 machine and then ssh/rsync to BlueHost from the NUC! Convoluted, but it works. I assume it’s a problem with the 8.8 version of ssh in Fedora 36 talking to BlueHost’s ssd service

robin217 · June 16, 2022, 11:00pm

Glad it’s at least partially working. A couple of other things to try:

Add KexAlgorithms=diffie-hellman-group1-sha1 and PubkeyAcceptedKeyTypes=ssh-rsa options:

ssh -o HostKeyAlgorithms=ssh-rsa \
  -o KexAlgorithms=diffie-hellman-group1-sha1 \
  -o PubkeyAcceptedKeyTypes=ssh-rsa \
  user@example.com

You could also try making Fedora’s crypto policy less strict:

sudo update-crypto-policies --set LEGACY
And reboot.

To undo that crypto policy change (if it didn’t help):
sudo update-crypto-policies --set DEFAULT
And reboot

phengaris · June 18, 2022, 11:44am

Good suggestion! It produced:
Their offer: diffie-hellman-group-exchange-sha256
I altered your example to -o KexAlgorithms=diffie-hellman-group-exchange-sha256
Now I can ssh in. I’m having no luck with incorporating your suggestion into my rsync command though. Any ideas?

robin217 · June 18, 2022, 6:00pm

Something like this:

rsync -aP -e 'ssh -o KexAlgorithms=diffie-hellman-group-exchange-sha256 -o HostKeyAlgorithms=ssh-rsa' username@example.com:path/to/dir/ to/local/dir

or, better, create a ~/.ssh/config file containing:

Host example
    HostName example.com
    User username
    IdentityFile ~/.ssh/id_rsa
    HostKeyAlgorithms ssh-rsa
    KexAlgorithms diffie-hellman-group-exchange-sha256

Then, these simpler invocations should work:

ssh example
rsync -aP example:path/to/dir/ to/local/dir

phengaris · June 18, 2022, 9:27pm

Complete success! Using the rsync command and simplifying using the ~/.ssh/config edit both worked fine. Thanks.