Unable to negotiate with 40.74.28.9 port 22: no matching host key type found. Their offer: ssh-rsa

Git Problem Overview

After start of using NixOS as a new package management system, I get the following error when using git within Azure DevOps repositories and rsa ssh key:

jaroslavbezdek@mac> git pull
Unable to negotiate with 40.74.28.9 port 22: no matching host key type found. Their offer: ssh-rsa
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

What can I do with that, please?

Git Solutions

Solution 1 - Git

With SSH, there are several different types of keys and RSA keys (the ssh-rsa) kind can support multiple kinds of signatures. The signature type ssh-rsa refers to RSA with SHA-1, whereas the signature type rsa-sha2-256 is RSA with SHA-256 and rsa-sha2-512 is RSA with SHA-512.

In the case of Azure DevOps, it only supports the kind of RSA with SHA-1, and SHA-1 is considered very weak. This essentially means that there are no secure ways to connect to it over SSH, and until they fix that, you're better off using HTTPS or a different hosting service. GitHub, GitLab, and Bitbucket all support secure methods of authentication.

If you really need to use SSH with Azure DevOps at the moment, you can add an entry to your ~/.ssh/config file to work around this:

Host ssh.dev.azure.com
    User git
    PubkeyAcceptedAlgorithms +ssh-rsa
    HostkeyAlgorithms +ssh-rsa

However, be aware that this is a workaround and it's known to be insecure, so you should contact Azure DevOps about this problem and switch to HTTPS until they do, or move elsewhere.

Solution 2 - Git

According to this post, you can add ssh.dev.azure.com host config to your ~/.ssh/config file:

> Final ~/.ssh/config that worked for me: > > Host ssh.dev.azure.com > HostName ssh.dev.azure.com > User git > IdentityFile ~/.ssh/id_rsa > IdentitiesOnly yes > PubkeyAcceptedAlgorithms +ssh-rsa > HostkeyAlgorithms +ssh-rsa

Solution 3 - Git

OpenSSH will report the error no matching host key type found. Their offer: ssh-rsa if the server it's connecting to is offering to authenticate over ssh-rsa ( RSA/SHA1).

Azure Devops (TFS) is offering to authenticate over ssh-rsa. As noted in the answer by bk2204, this algorithm is not considered cryptographically secure.

Since it's considered weak, OpenSSH deprecated using SHA-1 in 8.2 in 2020-02-14.

> It is now possible[1] to perform chosen-prefix attacks against the SHA-1 hash algorithm for less than USD$50K. For this reason, we will be disabling the "ssh-rsa" public key signature algorithm that depends on SHA-1 by default in a near-future release.

Azure Devops Services subsequently announced a patch to allow SHA-2

On may 5 2021, the Azure DevOps documentation was updated to mention using RSA 3072.

Q: Is this true?

¯\_(ツ)_/¯

Q: Which algorithms are supported?

Doesn't say anywhere. Probably only ssh-rsa.

Q: How do I use a cryptographically unsafe algorithm

Add this

  HostkeyAlgorithms +ssh-rsa
  PubkeyAcceptedAlgorithms +ssh-rsa

To your ~/.ssh/config

Host your-azure-devops-domain
  IdentityFile ~/.ssh/id_rsa
  IdentitiesOnly yes
  HostkeyAlgorithms +ssh-rsa
  PubkeyAcceptedAlgorithms +ssh-rsa

Q: Is Microsoft aware that this is a problem?

Yes they are.

Q: Do they care?

No it's a feature

Solution 4 - Git

With NixOS 21.11 openSSH got updated to 8.8p1 ( see Changelog ). OpenSSH deprecated ssh-rsa along with a couple of other insecure ciphers.

If i understood correctly, you are only using nix as package manager and not NixOS. If that is the case you can follow the guides in the remaining answers (edit ~/.ssh/config).

However, when you are using NixOS to configure your server you can re-enable ssh-rsa for the ssh client, by adding to your configuration.nix:

programs.ssh.extraConfig = ''
  PubkeyAcceptedAlgorithms +ssh-rsa
  HostkeyAlgorithms +ssh-rsa
''

To re-enable the insecure ssh-rsa cipher for your openssh server (e.g. when legacy clients connect to the server), you can simply add the following lines to your configuration.nix:

services.openssh.extraConfig = ''
  PubkeyAcceptedAlgorithms +ssh-rsa
  HostkeyAlgorithms +ssh-rsa
'';

Solution 5 - Git

Correction for the posted answer. I had the same issue and I fixed it with the following snippet from above with a tiny fix:

Host YOUR-DOMAIN
Hostname YOUR-DOMAIN
IdentityFile ~/.ssh/id_rsa
IdentitiesOnly yes
HostKeyAlgorithms=+ssh-rsa
PubkeyAcceptedAlgorithms=+ssh-rsa

Dont forget to replace YOUR-DOMAIN with the domain you are using on AzureDevOps.

Solution 6 - Git

I also got this problem, this worked for me:

cd ~/.ssh/
vim config

Host [Hostname]
User [User]
PubkeyAcceptedAlgorithms +ssh-rsa
HostkeyAlgorithms +ssh-rsa

I got this problem for a few hostnames so now i have several of those configurations in my ssh config file.

Solution 7 - Git

The format of the workaround wasn't working for me for windows 10 and git version 2.32.0. This snippet worked for me

Host = Hostname.com
IdentityFile = ~/.ssh/id_rsa
IdentitiesOnly = yes
HostkeyAlgorithms = +ssh-rsa
PubkeyAcceptedAlgorithms = +ssh-rsa

Content Type	Original Author	Original Content on Stackoverflow
Question	Jaroslav Bezděk	View Question on Stackoverflow
Solution 1 - Git	bk2204	View Answer on Stackoverflow
Solution 2 - Git	Jaroslav Bezděk	View Answer on Stackoverflow
Solution 3 - Git	CervEd	View Answer on Stackoverflow
Solution 4 - Git	makefu	View Answer on Stackoverflow
Solution 5 - Git	NekoMisaki	View Answer on Stackoverflow
Solution 6 - Git	Leonardo Repolust	View Answer on Stackoverflow
Solution 7 - Git	Rohit Singh	View Answer on Stackoverflow