To fix the “no matching host key type found” error in SSH, you need to modify your SSH client configuration to accept the host key types offered by the SSH server.
This error typically occurs when your SSH client does not support or is not configured to accept the host key types provided by the server.
Example error
Unable to negotiate with X.X.X.X port 22. no matching host key type found. Their offer: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519.
Here’s a general approach to resolving this issue:
Temporarily Allow Key Type in Command
Specify the host key algorithms directly in your SSH command:
ssh -o HostkeyAlgorithms=+ssh-rsa,ssh-dss user@hostname
Here’s what’s happening:
- -o → lets you pass an option directly to SSH without touching the config file.
- HostkeyAlgorithms=+ssh-rsa,ssh-dss → appends (+) these algorithms to the default list so they are considered during negotiation.
- user@hostname → replace with your actual username and server address.
This method is perfect for testing or temporary access because it doesn’t change system-wide behavior.
You might get this error.
command-line line 0: Bad key types 'ssh-dss'.
The error means your SSH client doesn’t support ssh-dss anymore.
That’s because DSA keys (the ones that use ssh-dss) are considered weak and insecure and have been disabled in modern versions of OpenSSH.
You can try:
ssh -o HostkeyAlgorithms=+ssh-rsa user@hostname
This will use RSA during the SSH connection.
Modify SSH Client Configuration file
Where to edit
You have two main options:
- Per-user configuration → ~/.ssh/config (affects only your user)
- System-wide configuration → /etc/ssh/ssh_config (affects all users)
If you’re testing or troubleshooting, start with the per-user file. It’s safer and doesn’t require root privileges.
What to add
Inside the config file, add a block like this:
Host myserver.example.com
    HostkeyAlgorithms +ssh-rsa
- Host myserver.example.com → Replace with the actual hostname or IP of your server. You can also use * to apply the rule globally.
- HostkeyAlgorithms → Tells SSH which host key types to accept.
- The + sign appends to the default list instead of replacing it.
Save and test
- Save the file.
- Run your SSH command again:
Both ssh-rsa and ssh-dss are considered deprecated. They’re supported here only for compatibility with old systems.
Whenever possible, upgrade the server to use modern algorithms like rsa-sha2-256, ecdsa, or ed25519.
Troubleshooting Steps
Identify Supported Key Types on the Client Side
List the key types your client supports by running the following command in your terminal:
ssh -Q key
This will display a list of supported key types, such as ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519, etc.
Identify Server-Offered Key Types
Look at the error message you received (e.g., “no matching host key type found. Their offer: ssh-rsa,ssh-dss”). It should list the key types the server is offering.
Or you can use this command:
ssh -vvv user@hostname
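In the verbose output, this line shows the host key algorithm selected for the connection:
debug1: kex: host key algorithm: ssh-ed25519
The server's full supported host key list comes from this line: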
server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
Compare the Lists
Compare the key types from your client’s list with those offered by the server. Identify any matching key types. If there’s a match, ensure your SSH configuration is set to use one of these common key types.
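The comparison can also be scripted. The shell functions below are an added example, not part of the original article: they parse the "Their offer:" list from the error text, check each type against a client list, and print the HostKeyAlgorithms line for the types the client can actually enable. The function names, the sample error line, the address 192.0.2.10 and the client list are constructed for illustration.

```sh
#!/bin/sh
# Added example: which server-offered host key types can this client enable?

# Constructed sample input: an error line in the form quoted on this page and
# a client list in the one-per-line format of `ssh -Q key` (no ssh-dss).
# Newer OpenSSH also accepts `ssh -Q HostKeyAlgorithms`, which adds rsa-sha2-*.
SAMPLE_ERR='Unable to negotiate with 192.0.2.10 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss'
SAMPLE_CLIENT='ssh-ed25519
ssh-rsa
ecdsa-sha2-nistp256'

# Print the list after "Their offer:", one algorithm per line.
server_offer() {
    printf '%s\n' "$1" |
        sed -n 's/.*Their offer:[[:space:]]*//p' |
        tr ',' '\n' |
        sed -e 's/[[:space:].]*$//' -e '/^$/d'
}

# "usable ALG": the client supports it, so HostKeyAlgorithms +ALG can work.
# "unsupported ALG": the client would reject it with "Bad key types".
classify_offer() {
    server_offer "$1" | while IFS= read -r alg; do
        if printf '%s\n' "$2" | grep -qxF -e "$alg"; then
            echo "usable $alg"
        else
            echo "unsupported $alg"
        fi
    done
}

# Print the ssh_config line for the usable types; return 1 if there are none.
# Place the line under a specific Host entry, since ssh-rsa is deprecated.
suggest_option() {
    algs=$(classify_offer "$1" "$2" | sed -n 's/^usable //p' | paste -sd, -)
    [ -n "$algs" ] || return 1
    echo "HostKeyAlgorithms +$algs"
}

classify_offer "$SAMPLE_ERR" "$SAMPLE_CLIENT"
suggest_option "$SAMPLE_ERR" "$SAMPLE_CLIENT"
```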
Following these steps can help you modify your SSH client to accommodate the server’s host key types, resolving the error while considering security implications.