Nuface Blog

Fixing “no matching host key type found” When SSH from Ubuntu 24.04 to CentOS 6

Posted on 2025-11-19 by Rico

When trying to SSH from Ubuntu 24.04 to a legacy CentOS 6 server, you may encounter the following error:

no matching host key type found. Their offer: ssh-rsa,ssh-dss

This happens because:

  • Ubuntu 24.04’s OpenSSH disables ssh-rsa and ssh-dss by default, as they are old and insecure.
  • CentOS 6’s OpenSSH (version 5.x) only supports ssh-rsa and ssh-dss, which Ubuntu no longer accepts.

In short:
👉 The new Ubuntu SSH client refuses the old CentOS 6 SSH server’s key algorithms.

This article summarizes several practical and safe ways to connect.


✅ Method 1: Temporarily enable ssh-rsa (recommended)

The safest and simplest one-time solution:

ssh -oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedAlgorithms=+ssh-rsa user@your-centos6-ip

✔️ No global changes
✔️ Secure for single-use


✅ Method 2: If the server only supports ssh-dss (DSA)

Some very old CentOS 6 systems may only offer ssh-dss:

ssh -oHostKeyAlgorithms=+ssh-dss -oPubkeyAcceptedAlgorithms=+ssh-dss user@your-centos6-ip

⚠️ DSA is deprecated and insecure. Use only when absolutely necessary.


✅ Method 3: Persistent configuration in ~/.ssh/config

If you frequently connect to this legacy host:

nano ~/.ssh/config

Add:

Host old-centos6
    HostName 192.168.x.x
    User user
    PubkeyAcceptedAlgorithms +ssh-rsa
    HostKeyAlgorithms +ssh-rsa

Then:

ssh old-centos6

✔️ Applies only to this host
✔️ Keeps global system security intact


❌ Method 4: Modify system-wide SSH settings (not recommended)

sudo nano /etc/ssh/ssh_config

Add:

Host *
    PubkeyAcceptedAlgorithms +ssh-rsa
    HostKeyAlgorithms +ssh-rsa

⚠️ This weakens security for all SSH connections, so avoid if possible.


🔍 If you also see cipher or key exchange errors

CentOS 6 uses outdated ciphers and KEX algorithms. If you see:

no matching cipher found

Try adding the legacy cipher and key exchange algorithms as well:

ssh \
  -oHostKeyAlgorithms=+ssh-rsa \
  -oPubkeyAcceptedAlgorithms=+ssh-rsa \
  -oCiphers=+aes128-cbc \
  -oKexAlgorithms=+diffie-hellman-group1-sha1 \
  user@ip
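
Methods 3 and 4 differ only in scope, and the cipher and KEX options above can be scoped the same way, so it is worth checking where such overrides actually sit in a config file. The script below is an added example, not part of the original post: it lists legacy-algorithm overrides in an ssh_config-style file and marks each as host-scoped or global. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# audit_legacy_algos FILE -> one line per finding:
#   SCOPE <TAB> host patterns <TAB> keyword <TAB> value
audit_legacy_algos() {
    awk '
    # Options placed before the first Host line apply to every host.
    BEGIN { scope = "GLOBAL"; hosts = "(before first Host)" }
    /^[ \t]*#/ { next }                        # comment lines
    /^[ \t]*$/ { next }                        # blank lines
    {
        sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
        key = $0; sub(/[ \t=].*/, "", key)     # "Keyword value" or "Keyword=value"
        val = substr($0, length(key) + 1); sub(/^[ \t=]+/, "", val)
        key = tolower(key)                     # keywords are case-insensitive
        if (key == "host") {
            hosts = val; scope = "SCOPED"
            n = split(val, pats, " ")
            for (i = 1; i <= n; i++) if (pats[i] == "*") scope = "GLOBAL"
            next
        }
        if (key == "match") {
            hosts = "Match " val
            scope = (tolower(val) == "all") ? "GLOBAL" : "SCOPED"
            next
        }
        # A leading "-" removes algorithms from the default set, so skip it.
        if (key ~ /^(hostkeyalgorithms|pubkeyacceptedalgorithms|ciphers|kexalgorithms)$/ &&
            val !~ /^-/ && val ~ /(ssh-rsa|ssh-dss|-cbc|diffie-hellman-group1-sha1)/)
            printf "%s\t%s\t%s\t%s\n", scope, hosts, key, val
    }' "$1"
}

# Constructed sample: a Method 3 style block next to a Method 4 style block.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real config
Host old-centos6
    PubkeyAcceptedAlgorithms +ssh-rsa
    HostKeyAlgorithms=+ssh-rsa
Host *
    KexAlgorithms +diffie-hellman-group1-sha1
    Ciphers -aes128-cbc
EOF
}

tmp=$(mktemp) && write_sample_config "$tmp"
audit_legacy_algos "$tmp"; rm -f "$tmp"
```

Point it at ~/.ssh/config and /etc/ssh/ssh_config; any GLOBAL line is a candidate to move into a Host block for the legacy server only.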

📌 Conclusion: CentOS 6 SSH is outdated and incompatible

CentOS 6 reached EOL in 2020, and its default OpenSSH is severely outdated.
Newer systems disable old algorithms, so issues like this are common.

Best practices:

  • Upgrade OS (best solution)
  • Or upgrade OpenSSH manually
  • Or use the temporary compatibility flags shown above for occasional access
