Keywords: Git | SSH | ssh-rsa | host key | security algorithms
Abstract: This article provides an in-depth analysis of the 'no matching host key type found. Their offer: ssh-rsa' error encountered when using Git with SSH. It explains the root cause: OpenSSH disabling the insecure ssh-rsa (RSA/SHA-1) signature algorithm by default since version 8.2. The compatibility issues with services like Azure DevOps are detailed, along with a temporary solution via modifying the ~/.ssh/config file. The article emphasizes the security risks of this workaround, recommending HTTPS or migrating to Git hosting services that support safer algorithms (e.g., rsa-sha2-256/512), and calls for service providers to upgrade promptly.
Error Phenomenon and Background
When performing remote repository operations with Git (e.g., git pull or git push), some users encounter the following error:
$ git pull
Unable to negotiate with 172.16.42.42 port 22: no matching host key type found. Their offer: ssh-rsa
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
This error means the SSH client and server could not agree on a host key signature algorithm: the only one the server offers, ssh-rsa, is no longer on the client's list of acceptable algorithms, so the connection fails before authentication even begins.
Root Cause Analysis
The SSH protocol relies on asymmetric encryption algorithms for authentication and key exchange. Here, ssh-rsa refers to a signature scheme using RSA keys combined with the SHA-1 hash algorithm. However, SHA-1 has been proven vulnerable to collision attacks since 2017, with attack costs potentially under $50,000, rendering it insecure.
To address this threat, the OpenSSH project announced in its version 8.2 release (February 2020) that it would disable the ssh-rsa algorithm by default in future versions. This move aims to encourage users and service providers to migrate to safer alternatives, such as rsa-sha2-256 (RSA with SHA-256) or rsa-sha2-512 (RSA with SHA-512). Note that the RSA key itself is not what is being retired: the same RSA key can sign with rsa-sha2-256 or rsa-sha2-512, and only the SHA-1-based ssh-rsa signature scheme is affected.
The issue arises because some Git hosting services (e.g., Azure DevOps) still only support ssh-rsa and have not upgraded to SHA-2 series algorithms. When users connect to these services with newer OpenSSH clients, the algorithm mismatch triggers the aforementioned error.
Temporary Solution
To temporarily restore SSH connectivity, you can re-enable the ssh-rsa algorithm by modifying the SSH client configuration. Follow these steps:
- Open or create the SSH client configuration file at ~/.ssh/config.
- Add the following configuration block, replacing your-azure-devops-domain with the actual domain (e.g., ssh.dev.azure.com):
Host your-azure-devops-domain
    User git
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa
This configuration uses the +ssh-rsa syntax to append ssh-rsa to the client's default list of acceptable algorithms rather than replacing that list, allowing the client and server to negotiate its use. Because the options sit under a Host block naming one domain, the weakened setting applies only to that service and not to every SSH connection; avoid placing these lines under Host *. On OpenSSH releases older than 8.5 the second option is spelled PubkeyAcceptedKeyTypes instead of PubkeyAcceptedAlgorithms.
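As an added check that is not part of the original article, the following Python script (constructed for this page, with a sample ~/.ssh/config embedded inline) parses the file into Host blocks and reports every block that re-enables ssh-rsa, flagging whether the override is limited to a single host or applies globally through Host *, which is the difference between a narrow, temporary exception and silently weakening every SSH connection.

```python
import re

# Constructed sample: the page's single-host block plus a careless global override.
SAMPLE_CONFIG = """\
Host ssh.dev.azure.com
    User git
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa

Host *
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms -ssh-rsa
"""
WEAK_ALG = "ssh-rsa"
# The last keyword is the pre-OpenSSH-8.5 spelling of PubkeyAcceptedAlgorithms.
ALG_KEYS = ("hostkeyalgorithms", "pubkeyacceptedalgorithms", "pubkeyacceptedkeytypes")

def parse_ssh_config(text):
    """Split ssh_config into (host_patterns, {lowercased_keyword: value}) blocks; keywords are
    case-insensitive, and options before the first Host/Match line apply to every host ('*')."""
    blocks, scope, opts = [], "*", {}
    for raw in text.splitlines():
        m = re.match(r"\s*(\w+)\s*=?\s*(.*)", raw)  # blank and '#' lines never match \w
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key in ("host", "match"):
            if opts:
                blocks.append((scope, opts))
            scope, opts = value, {}
        else:
            opts.setdefault(key, value)  # ssh_config keeps the first value it sees
    if opts:
        blocks.append((scope, opts))
    return blocks

def enables_weak_alg(value):
    """True if an algorithm-list value adds ssh-rsa: '+' appends, '^' prepends, a bare list
    replaces the defaults. A leading '-' removes algorithms, so it can never enable one."""
    if value.startswith("-"):
        return False
    return WEAK_ALG in [a.strip() for a in value.lstrip("+^").split(",")]

def audit(text):
    """Return (host_patterns, keyword, scope) for each block that re-enables ssh-rsa; scope is
    'global' for a bare '*', 'wildcard' for other patterns, otherwise 'single-host'."""
    findings = []
    for scope, opts in parse_ssh_config(text):
        kind = ("global" if "*" in scope.split()
                else "wildcard" if any(c in scope for c in "*?") else "single-host")
        findings += [(scope, k, kind) for k in ALG_KEYS if k in opts and enables_weak_alg(opts[k])]
    return findings
```

Running audit() over a real file (open("~/.ssh/config" expanded).read()) lists each weak override with its scope, so a "global" finding is the one to remove.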
Security Risks and Long-term Recommendations
Although the above solution can temporarily resolve the issue, it is crucial to highlight its security risks:
- Cryptographic Weakness: SHA-1 is susceptible to collision attacks, potentially allowing malicious actors to forge signatures and impersonate servers or users.
- Compliance Issues: Many security standards (e.g., NIST, PCI DSS) have prohibited the use of SHA-1, and continued use may lead to compliance failures.
- Future Compatibility: OpenSSH plans to completely remove support for ssh-rsa in the future, so this temporary fix may become ineffective in later versions.
Therefore, we strongly recommend the following long-term measures:
- Prefer HTTPS: For services that only support ssh-rsa (e.g., Azure DevOps), switching to the HTTPS protocol can avoid SSH algorithm issues and typically requires no additional configuration.
- Migrate to Services Supporting Secure Algorithms: Mainstream platforms like GitHub, GitLab, and Bitbucket fully support modern algorithms such as rsa-sha2-256/512 and Ed25519; consider prioritizing these services.
- Advocate for Provider Upgrades: Use official channels (e.g., Azure DevOps user feedback) to urge service providers to promptly support SHA-2 algorithms, addressing the problem at its root.
Conclusion
The Git SSH connection error "no matching host key type found. Their offer: ssh-rsa" stems from OpenSSH disabling the insecure SHA-1 algorithm while some services have not upgraded accordingly. Users can temporarily restore connectivity by modifying ~/.ssh/config, but must be aware of the security risks and actively adopt long-term solutions like HTTPS or migration to more secure platforms. Cybersecurity is an ongoing process, requiring collaboration between users and service providers to phase out weak algorithms and embrace modern encryption standards.