📖 ~1 min read
Table of contents
Symptom & Impact
ssh client errors ‘no matching host key type found’ against older servers.
Environment & Reproduction
Stream 9 OpenSSH 8.x disables ssh-rsa with SHA-1 by default.
Root Cause Analysis
Legacy peers only offer ssh-rsa with SHA-1 signatures.
Quick Triage
ssh -vv shows host key algorithm negotiation.
Step-by-Step Diagnosis
sshd_config and ssh_config defaults under /etc/ssh/.
Solution – Primary Fix
Add ‘PubkeyAcceptedAlgorithms +ssh-rsa’ and ‘HostKeyAlgorithms +ssh-rsa’ in /etc/ssh/ssh_config.d/.
Still having issues? Our IT Solutions & Services team can diagnose and resolve this for you. Get in touch for a free consultation.
Solution – Alternative Approaches
Upgrade or regenerate ed25519/rsa-sha2-512 host keys on the peer.
Verification & Acceptance Criteria
ssh connects without algorithm errors.
Rollback Plan
Remove the drop-in to restore strict defaults.
Prevention & Hardening
Plan host-key migration to ed25519 across the fleet.
Related Errors & Cross-Refs
Related: crypto-policies LEGACY profile and FIPS mode.
Related tutorial: View the step-by-step tutorial for centos-stream-9.
View all centos-stream-9 tutorials on the Tutorials Hub →
Browse all common problems & solutions on the Tutorials Hub.
References & Further Reading
OpenSSH release notes and Red Hat crypto policies guide.
Need Expert Help?
If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today — we respond within one business day.
