Old Linux rejects my ssh id_rsa key from newly installed windows

I have been maintaining an old Linux server (CentOS 6.5) for long term.
I access that Linux server by ssh with ‘pub key auth’.

Now I just bought a new Windows (win10 or 11 not sure) laptop and installed ‘Git for win 2.33’, when I try to ssh from the new lap top as usual, I got:

$  ssh -i ~/.ssh/id_rsa.bridge_to_home -p 5122  -vv shaozr@{ip addr}

OpenSSH_8.8p1, OpenSSL 1.1.1m  14 Dec 2021

debug1: Reading configuration data /etc/ssh/ssh_config

debug2: resolve_canonicalize: hostname is address

debug1: Connecting to [] port 5122.

debug1: Connection established.

debug1: identity file /c/Users/43141/.ssh/id_rsa.bridge_to_home type -1

debug1: identity file /c/Users/43141/.ssh/id_rsa.bridge_to_home-cert type -1

debug1: Local version string SSH-2.0-OpenSSH_8.8

debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3

debug1: compat_banner: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000002

debug2: fd 4 setting O_NONBLOCK

debug1: Authenticating to as 'shaozr'

debug1: load_hostkeys: fopen /c/Users/43141/.ssh/known_hosts: No such file or directory

debug1: load_hostkeys: fopen /c/Users/43141/.ssh/known_hosts2: No such file or directory

debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory

debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug2: local client KEXINIT proposal

debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c

debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256

debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,aes256-cbc,aes192-cbc

debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,aes256-cbc,aes192-cbc

debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: compression ctos: none,zlib@openssh.com,zlib

debug2: compression stoc: none,zlib@openssh.com,zlib

debug2: languages ctos:

debug2: languages stoc:

debug2: first_kex_follows 0

debug2: reserved 0

debug2: peer server KEXINIT proposal

debug2: KEX algorithms: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

debug2: host key algorithms: ssh-rsa,ssh-dss

debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se

debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se

debug2: MACs ctos: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: MACs stoc: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: compression ctos: none,zlib@openssh.com

debug2: compression stoc: none,zlib@openssh.com

debug2: languages ctos:

debug2: languages stoc:

debug2: first_kex_follows 0

debug2: reserved 0

debug1: kex: algorithm: diffie-hellman-group-exchange-sha256

debug1: kex: host key algorithm: (no match)

Unable to negotiate with port 5122: no matching host key type found. Their offer: ssh-rsa,ssh-dss

This is weird.

I can still ssh to that linux from my old PC,
and I can git clone via ssh (to famous git repo provider) from my new laptop.

It seems that both sides are ‘ssh OK’,
but why the CentOS6.6 rejects my id_ras key from ‘Git for win 2.33’ ?

Asked By: grizzlybears


Just ran into this at work on a new Windows machine with a new Cygwin installed that installed OpenSSH 9. Turns out that in 8.something, the OpenSSH team disabled the older ssh-rsa encryption algorithms by default. (See https://www.openssh.com/releasenotes.html)

It’s not the server rejecting you; it’s that your newer client isn’t willing to speak ssh-rsa, which is all the older OpenSSH daemons can speak.

You can instruct your client to re-enable them, but that’s a workaround. You’re going to need to upgrade the ssh daemons on your servers. The ssh-rsa algos were disabled because they are insecure and easily cracked with modern hardware.

So, the workaround is to make a ssh config file on your client, in $HOME/.ssh/config, and in it, you put something like this:

    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa

Replace HOSTNAME with a regex that matches the hostname you are connecting to.

Answered By: Mike Diehn
Categories: Answers Tags: ,
Answers are sorted by their score. The answer accepted by the question owner as the best is marked with
at the top-right corner.