
Cannot start Plesk migration: Unable to negotiate with x.x.x.x port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss


Applicable to:

  • Plesk for Linux

Symptoms

  • Cannot start Plesk migration, with one of the following errors appearing on the destination Plesk server:

    PLESK_ERROR: Unable to negotiate with x.x.x.x port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss

    PLESK_ERROR: Cause: Command execution failed on the local server with non-zero exit code.
    command: rsync -r --chmod=Fu=r,Du=rwx,go= --timeout=30 -e 'ssh -i /usr/local/psa/var/modules/panel-migrator/sessions/20231003130637/ssh-keys/id_rsa.203.0.113.2-p 22 -o PasswordAuthentication=no -o StrictHostKeyChecking=no -o GSSAPIAuthentication=no' /usr/local/psa/admin/plib/modules/panel-migrator/backend/lib/python/parallels/plesk/source/legacy/extras/plesk_12_5_pmm_shared/ root@203.0.113.2:/root/plesk_migrator/plesk_migrator-e4j6accugtjghq7yshwate5sy13uty1z/pmm_agent
    exit code: 255
    stdout:
    stderr: root@203.0.113.2: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

  • The destination Plesk server uses a new and still supported OS (for example, Ubuntu 20 or above), while the source server uses a very old and unsupported OS (for example, CentOS 6 or similar).

Cause

In OpenSSH 8.8 and above, the legacy key types ssh-rsa and ssh-dss are disabled by default (intentionally, for security reasons), which makes SSH connections to very old operating systems such as CentOS 6 or Ubuntu 12 impossible.

Resolution

For such a migration to become possible, you must enable legacy keys support on the side of the destination server (the new server with the new OS) by doing the following:

  1. Connect to the destination server via SSH
  2. Open the /etc/ssh/ssh_config file with your favorite command-line text editor
  3. Add one of the following sets of lines that enable legacy support at the bottom of the file (depending on which of the two your old Linux server supports):

    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedKeyTypes +ssh-rsa

    OR

    HostKeyAlgorithms +ssh-dss
    PubkeyAcceptedKeyTypes +ssh-dss

    Note: In some cases with a source server running Ubuntu 12 or CentOS 6, you may also have to add the chosen set of lines to the /root/.ssh/config file of your destination Plesk server.

    Warning: For security reasons, it is recommended that you remove the legacy support via these options right after the Plesk migration from the old server has been finalized.

  4. Save the changes
  5. Restart the SSH service in order to apply the changes:

    # systemctl restart ssh.service

  6. Restart the Plesk migration
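
To follow up on the warning in step 3 once the migration is finished, the following added example (not part of the original Plesk article) lists any active lines that still enable ssh-rsa or ssh-dss in the client configuration files it is given. The function name find_legacy_ssh_algos and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: report ssh client config lines that still enable the
# legacy ssh-rsa / ssh-dss algorithms (function name is illustrative).

# find_legacy_ssh_algos FILE...
# Prints "file:line: text" for each active HostKeyAlgorithms,
# PubkeyAcceptedKeyTypes or PubkeyAcceptedAlgorithms line whose list
# contains ssh-rsa or ssh-dss. Exit status: 0 if any found, 1 if none.
find_legacy_ssh_algos() {
    awk '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) next      # blank or comment
            n = match(line, /[ \t=]/)                # keyword ends here
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))    # keywords ignore case
            if (key != "hostkeyalgorithms" &&
                key != "pubkeyacceptedkeytypes" &&
                key != "pubkeyacceptedalgorithms") next
            val = substr(line, n)
            sub(/^[ \t]*=?[ \t]*/, "", val)          # "Key value" or "Key=value"
            sub(/[ \t]+$/, "", val)
            if (val ~ /^-/) next                     # "-list" removes, not enables
            sub(/^[+^]/, "", val)                    # "+" appends, "^" prepends
            cnt = split(val, algo, ",")
            for (i = 1; i <= cnt; i++)
                if (algo[i] == "ssh-rsa" || algo[i] == "ssh-dss") {
                    printf "%s:%d: %s\n", FILENAME, FNR, line
                    found = 1
                    break
                }
        }
        END { exit(found ? 0 : 1) }
    ' "$@"
}

# Constructed sample config: the rsa lines from step 3 left in place.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Host *
    SendEnv LANG LC_*
# HostKeyAlgorithms +ssh-dss
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa
EOF
find_legacy_ssh_algos "$sample" && echo "legacy algorithms still enabled"
rm -f "$sample"
```

After the migration, call find_legacy_ssh_algos on /etc/ssh/ssh_config and /root/.ssh/config (whichever of these files exist); no output and exit status 1 mean the legacy options are no longer enabled there.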

Additional information

OpenSSH: Legacy Options


Comments

  • I needed to add the following to the config file /etc/ssh/ssh_config:

    HostKeyAlgorithms=+ssh-rsa
    PubkeyAcceptedAlgorithms=+ssh-rsa

    So I guess one should add this if dss is used instead of rsa:

    HostKeyAlgorithms=+ssh-dss
    PubkeyAcceptedAlgorithms=+ssh-dss

    1
  • I am having this same issue and tried adding these to the end of my /etc/ssh/ssh_config.

    Now when I try to run the migrator there is a new error message saying these are bad key types.

    stderr: /etc/ssh/ssh_config line 54: Bad key types '+ssh-rsa,+ssh-dss'.
    /etc/ssh/ssh_config line 55: Bad key types '+ssh-rsa,+ssh-dss'.

    0
  • I was able to get by it. 

    HaiSoft's solution worked for me. I added the options just with +ssh-rsa and it worked.

    1
