Skip to main content

DSA SSH Hostkeys

(2017-05-25)

Problem

I have a stone-age host monitor thing that is complaining that it can't find agreeable SSH host keys from my CentOS 7 server. Turns out it requires DSA host keys and won't use the other host keys that are available. CentOS 7 by default does not generate DSA host keys because DSA is old and busted.

Solution

In /etc/ssh/sshd_config:

HostKey /etc/ssh/ssh_host_dsa_key

Run:

# ssh-keygen -t dsa -N '' -f /etc/ssh/ssh_host_dsa_key
# chgrp ssh_keys /etc/ssh/ssh_host_dsa_key
# systemctl restart sshd

Search Engine Bait

Protocol Error: can not agree hostkey