Applicable to:
- Plesk for Linux
Symptoms
- Cannot start Plesk migration, with the following error appearing on the side of the destination Plesk server:
PLESK_ERROR: Unable to negotiate with x.x.x.x port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
- The destination Plesk server uses a new and still supported OS (for example Ubuntu 20 or above), while the source server uses a very old and unsupported OS (for example, Centos 6 or similar)
Cause
In OpenSSH 8.8 and above of the OpenSSH package, legacy keys ssh-rsa
and ssh-dss
are disabled (intentionally, for security reasons) and that makes the SSH connection to very old operating systems such as Centos 6 or Ubuntu 12 impossible.
Resolution
For such a migration to become possible, you must enable legacy keys support on the side of the destination server (the new server with the new OS) by doing the following:
- Connect to the destination server via SSH
- Open the
/etc/ssh/ssh_config
file with your favorite command-line text editor - Add one of the following sets of lines that enable legacy support at the bottom of the file (depending on which of the two your old Linux server supports):
CONFIG_TEXT: HostKeyAlgorithms +ssh-rsa
OR
PubkeyAcceptedKeyTypes +ssh-rsa
CONFIG_TEXT: HostKeyAlgorithms +ssh-dss
PubkeyAcceptedKeyTypes +ssh-dssNote: In some cases with a source server running Ubuntu 12 or Centos 6, you may also have to add the chosen set of lines to the
/root/.ssh/config
file of your destination Plesk server.Warning: For security reasons, it is recommended that you remove the legacy support via these options right after the Plesk migration from the old server has been finalized.
- Save the changes
- Restart the SSH service in order to apply the changes:
# systemctl restart ssh.service
- Restart the Plesk migration
Comments
3 comments
I needed to add the following to the config file
/etc/ssh/ssh_config :
So I guess one should add this if dss is used instead of rsa :
I am having this same issue and tried adding these to the end of my /etc/ssh/ssh_config
Now when I try to run the migrator there is a new error message saying these are bad key types.
I was able to get by it.
HaiSoft's solution worked for me. I added the options just with +ssh-rsa and it worked.
Please sign in to leave a comment.