
SSH-RSA Host Key Error: Fixing "no matching host key type found"

If you're encountering the error "no matching host key type found. Their offer: ssh-rsa" when using Git or SSH, this guide will help you understand and resolve the issue.

Problem Overview

This error occurs when your SSH client (version 8.2 or later) attempts to connect to a server that only supports the outdated ssh-rsa host key algorithm. Modern SSH clients have deprecated this algorithm due to security vulnerabilities in the SHA-1 hash function it uses.

Why This Happens

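The ssh-rsa signature scheme uses the SHA-1 algorithm, which is now considered cryptographically weak. The name refers to the signature scheme, not to RSA keys in general: the same RSA key can sign with rsa-sha2-256 or rsa-sha2-512 instead. OpenSSH versions starting with 8.2 (released February 2020) disabled this algorithm by default for security reasons.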

Many Azure DevOps Services instances and some older servers still only offer this deprecated algorithm, causing compatibility issues with modern SSH clients.

Solutions

Temporary Workaround: Update SSH Configuration

The most common solution is to modify your SSH configuration to temporarily re-enable the deprecated algorithm:

sh
# Edit or create the config file
nano ~/.ssh/config

powershell
# Using PowerShell (run as admin if needed)
notepad $env:USERPROFILE\.ssh\config

Add the following configuration, replacing your-hostname with your actual server domain:

ssh-config
Host your-hostname
    HostName your-hostname
    User git
    IdentityFile ~/.ssh/id_rsa
    IdentitiesOnly yes
    PubkeyAcceptedAlgorithms +ssh-rsa
    HostkeyAlgorithms +ssh-rsa

Security Note

This workaround reduces your connection security. Use it only temporarily and encourage the server administrator to update their SSH implementation.

Platform-Specific Configurations

Azure DevOps

For Azure DevOps, use this specific configuration:

ssh-config
Host ssh.dev.azure.com
    PubkeyAcceptedAlgorithms +ssh-rsa
    HostkeyAlgorithms +ssh-rsa

Host vs-ssh.visualstudio.com
    PubkeyAcceptedAlgorithms +ssh-rsa
    HostkeyAlgorithms +ssh-rsa

One-Time Command Solution

For a single connection without modifying config files:

sh
ssh -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa user@hostname

For Git operations:

sh
GIT_SSH_COMMAND="ssh -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa" git pull

NixOS Configuration

If you're using NixOS, add this to your configuration.nix:

nix
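# Without a Host block these options apply to every SSH connection;
# start the string with "Host your-hostname" to limit them to one server.
programs.ssh.extraConfig = ''
  PubkeyAcceptedAlgorithms +ssh-rsa
  HostkeyAlgorithms +ssh-rsa
'';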

macOS Specific Notes

On macOS, you might need to edit the system-wide SSH configuration instead of the user-specific one:

sh
sudo nano /etc/ssh/ssh_config

Add the same Host block as shown above, so the options apply only to the affected server rather than to every connection from the machine.

Best Practices and Recommendations

  1. Prefer HTTPS: When possible, use HTTPS instead of SSH for Git operations, especially with Azure DevOps
  2. Contact Support: Report the issue to your service provider and request they support modern algorithms like rsa-sha2-256 or rsa-sha2-512
  3. Temporary Measure: Use the workaround only until the server is updated
  4. Key Verification: Always verify server host keys to prevent man-in-the-middle attacks

Security Considerations

The ssh-rsa algorithm is considered weak because SHA-1 is vulnerable to collision attacks. While the risk may be acceptable for some development environments, you should avoid using this workaround for production systems or sensitive data.

Important

This workaround temporarily lowers your SSH connection security. Only use it when necessary and revert once the server supports modern algorithms.
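
To make reverting easier, this added example (not part of the original guide) scans an ssh_config and reports every place ssh-rsa is re-enabled, marking entries that apply to all hosts as GLOBAL. The names audit_ssh_rsa, sample_config and modern.example are made up for the illustration, and the sample config is constructed.

```sh
# audit_ssh_rsa [FILE...]: list each place an ssh_config re-enables ssh-rsa.
# Output is SCOPE<TAB>KEYWORD<TAB>LINE; SCOPE is the enclosing Host/Match
# pattern, or GLOBAL when the option applies to every host.
audit_ssh_rsa() {
    awk '
    FNR == 1 { scope = "GLOBAL" }            # each file starts unscoped
    {
        line = $0
        sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
        if (line == "" || line ~ /^#/) next
        sub(/[ \t]*=[ \t]*/, " ", line)      # accept Keyword=value too
        split(line, f, /[ \t]+/)
        kw = tolower(f[1])
        if (kw == "host" || kw == "match") {
            scope = substr(line, length(f[1]) + 2)
            sub(/^[ \t]+/, "", scope)
            if ((kw == "host" && scope == "*") || (kw == "match" && tolower(scope) == "all"))
                scope = "GLOBAL"
            next
        }
        if (kw != "hostkeyalgorithms" && kw != "pubkeyacceptedalgorithms") next
        val = f[2]
        op = substr(val, 1, 1)
        if (op == "-") next                  # a leading - removes algorithms
        if (op == "+" || op == "^") val = substr(val, 2)
        n = split(val, alg, ",")
        for (i = 1; i <= n; i++)             # exact match, so rsa-sha2-* is ignored
            if (alg[i] == "ssh-rsa") { printf "%s\t%s\t%d\n", scope, f[1], FNR; break }
    }' "$@"
}

# Constructed sample: one scoped workaround and two leftover global ones.
sample_config() {
    cat <<'EOF'
PubkeyAcceptedAlgorithms +ssh-rsa

Host ssh.dev.azure.com
    HostkeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms=+ssh-rsa

Host modern.example
    HostKeyAlgorithms rsa-sha2-512,ssh-ed25519

Host *
    HostKeyAlgorithms +ssh-rsa
EOF
}

sample_config | audit_ssh_rsa
```

Run it as audit_ssh_rsa ~/.ssh/config /etc/ssh/ssh_config; any GLOBAL line means the weaker algorithm is accepted for all servers, not just the one that needs it. The function does not follow Include directives.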

When to Seek Alternative Solutions

If you continue to experience issues:

  • Verify your SSH client version with ssh -V
  • Check if you're using the correct SSH executable (some systems have multiple)
  • Consider using a different Git hosting service that supports modern SSH algorithms
  • Use HTTPS as a temporary alternative to SSH

By implementing these solutions, you should be able to resolve the "no matching host key type found" error while maintaining awareness of the security implications.