Unable to negotiate with 40.74.28.9 port 22: no matching host key type found. Their offer: ssh-rsa
Solution 1
With SSH, there are several different types of keys and RSA keys (the ssh-rsa
) kind can support multiple kinds of signatures. The signature type ssh-rsa
refers to RSA with SHA-1, whereas the signature type rsa-sha2-256
is RSA with SHA-256 and rsa-sha2-512
is RSA with SHA-512.
In the case of Azure DevOps, it only supports the kind of RSA with SHA-1, and SHA-1 is considered very weak. This essentially means that there are no secure ways to connect to it over SSH, and until they fix that, you're better off using HTTPS or a different hosting service. GitHub, GitLab, and Bitbucket all support secure methods of authentication.
If you really need to use SSH with Azure DevOps at the moment, you can add an entry to your ~/.ssh/config
file to work around this:
Host ssh.dev.azure.com
User git
PubkeyAcceptedAlgorithms +ssh-rsa
HostkeyAlgorithms +ssh-rsa
However, be aware that this is a workaround and it's known to be insecure, so you should contact Azure DevOps about this problem and switch to HTTPS until they do, or move elsewhere.
Solution 2
According to this post, you can add ssh.dev.azure.com
host config to your ~/.ssh/config
file:
Final
~/.ssh/config
that worked for me:Host ssh.dev.azure.com HostName ssh.dev.azure.com User git IdentityFile ~/.ssh/id_rsa IdentitiesOnly yes PubkeyAcceptedAlgorithms +ssh-rsa HostkeyAlgorithms +ssh-rsa
Solution 3
OpenSSH will report the error
no matching host key type found. Their offer: ssh-rsa
if the server it's connecting to is offering to authenticate over ssh-rsa
( RSA/SHA1
).
Azure Devops (TFS) is offering to authenticate over ssh-rsa
. As noted in the answer by bk2204, this algorithm is not considered cryptographically secure.
Since it's considered weak, OpenSSH deprecated using SHA-1
in 8.2
in 2020-02-14.
It is now possible[1] to perform chosen-prefix attacks against the SHA-1 hash algorithm for less than USD$50K. For this reason, we will be disabling the "ssh-rsa" public key signature algorithm that depends on SHA-1 by default in a near-future release.
Azure Devops Services subsequently announced a patch to allow SHA-2
On may 5 2021, the Azure DevOps documentation was updated to mention using RSA 3072
.
Q: Is this true?
¯\_(ツ)_/¯
Q: Which algorithms are supported?
Doesn't say anywhere. Probably only ssh-rsa
.
Q: How do I use a cryptographically unsafe algorithm
Add this
HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
To your ~/.ssh/config
Host your-azure-devops-domain
IdentityFile ~/.ssh/id_rsa
IdentitiesOnly yes
HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
Q: Is Microsoft aware that this is a problem?
Q: Do they care?
Solution 4
I also got this problem, this worked for me:
cd ~/.ssh/
vim config
Host [Hostname]
User [User]
PubkeyAcceptedAlgorithms +ssh-rsa
HostkeyAlgorithms +ssh-rsa
I got this problem for a few hostnames so now i have several of those configurations in my ssh config file.
Solution 5
With NixOS 21.11 openSSH got updated to 8.8p1 ( see Changelog ). OpenSSH deprecated ssh-rsa along with a couple of other insecure ciphers.
If i understood correctly, you are only using nix as package manager and not NixOS. If that is the case you can follow the guides in the remaining answers (edit ~/.ssh/config
).
However, when you are using NixOS to configure your server you can re-enable ssh-rsa
for the ssh client, by adding to your configuration.nix
:
programs.ssh.extraConfig = ''
PubkeyAcceptedAlgorithms +ssh-rsa
HostkeyAlgorithms +ssh-rsa
''
To re-enable the insecure ssh-rsa cipher for your openssh server (e.g. when legacy clients connect to the server), you can simply add the following lines to your configuration.nix
:
services.openssh.extraConfig = ''
PubkeyAcceptedAlgorithms +ssh-rsa
HostkeyAlgorithms +ssh-rsa
'';
Related videos on Youtube
![Jaroslav Bezděk](https://i.stack.imgur.com/OU9yy.jpg?s=256&g=1)
Jaroslav Bezděk
I am data analyst, statistician, machine learning enthusiast, and Pythonista, living and working in Brno, Czech Republic.
Updated on July 05, 2022Comments
-
Jaroslav Bezděk almost 2 years
After start of using NixOS as a new package management system, I get the following error when using git within Azure DevOps repositories and rsa ssh key:
jaroslavbezdek@mac> git pull Unable to negotiate with 40.74.28.9 port 22: no matching host key type found. Their offer: ssh-rsa fatal: Could not read from remote repository. Please make sure you have the correct access rights and the repository exists.
What can I do with that, please?
-
VonC over 2 yearsAlso discussed in public-inbox.org/git/…
-
-
twhitney over 2 yearsAha! This finally fixed my separate ssh issue. Tried tons of other options.
-
Kunal Awasthi over 2 years
IdentitiesOnly yes PubkeyAcceptedAlgorithms +ssh-rsa HostkeyAlgorithms +ssh-rsa
Faced same issue after CodeCommit setup, pasting above 3 lines successfully authenticated git over SSH, Thanks! -
bobier2 over 2 yearsThanks, that was exactly what I needed. Unfortunately, the services.openssh stanza has two typos (transposed letters). I think it needs to be "PubkeyAcceptedAlgorithms", just like in the programs.ssh stanza.
-
Eduardo Lucio over 2 yearsConfirmed the problem! Solved with instructions above. Thanks! =D Jeez Micro$$oft...
-
Tomachi over 2 yearsAnd it maybe worth checking every season or two and removing if the host is ever updated to support better cyphers.
-
okharch over 2 yearsI got this issue after Cygwin's git updated 2.32 => 2.34, this answer fixed it, thank you!
-
Palec over 2 yearsThis helped a colleague with a very recent Git installation, connecting to Azure DevOps Server 2020u1. Others on the team do not need it yet, so this is likely something new in Git. DevOps docs already have a FAQ about this issue.
-
makefu over 2 years@antifuchs thanks, i've updated my response.
-
Solomon Duskis over 2 yearsUnfortunately putting this option to
~/.ssh/config
might break other software relying on older OpenSSH. I ended up using a deprecated namePubkeyAcceptedKeyTypes
instead ofPubkeyAcceptedAlgorithms
(as mentioned here). -
Ameer Ul Islam about 2 yearsbut I'm still stuck. It was all working and suddenly stopped connecting codecommit..
-
Ameer Ul Islam about 2 yearsand identity file?
-
elulcao about 2 yearsThis also works for HostNames like
vs-ssh.visualstudio.com
-
Eduardo Lucio about 2 yearsThe value in "Host" must be compatible with the domain in use eg: "[email protected]:v3/some-client/some-path/some-repo" . In this example the value in "Host" ("~/.ssh/config") should be "vs-ssh.visualstudio.com".😉
-
mulllhausen about 2 yearsThis fixed the same issue I had with a self-hosted bitbucket server that had not been updated in a while. They list the same solution on their forum.