Alma9 SFTP-SSH To Older Servers

Hello, when I try to SSH or SFTP to older servers:
[root@localhost html]# sftp user@host
Unable to negotiate with ip port 22: no matching host key type found. Their offer: ssh-dss
Connection closed.
Connection closed

I added
HostKeyAlgorithms ssh-rsa,ssh-dss
PubkeyAcceptedKeyTypes ssh-rsa,ssh-dss
to the .ssh/config file. Then the error changes to ssh_dispatch_run_fatal: Connection to IP port 22: error in libcrypto

The -vvv output looks like:

[root@localhost ~]# ssh -vvv username@host
OpenSSH_8.7p1, OpenSSL 3.0.7 1 Nov 2022
debug1: Reading configuration data /root/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/50-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for ‘final all’ host HOST originally HOST
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 3: not matched ‘final’
debug2: match not found
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1 (parse only)
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1-]
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1]
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /root/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/50-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for ‘final all’ host HOST originally HOST
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 3: matched ‘final’
debug2: match found
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1-]
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1]
debug3: expanded UserKnownHostsFile ‘~/.ssh/known_hosts’ → ‘/root/.ssh/known_hosts’
debug3: expanded UserKnownHostsFile ‘~/.ssh/known_hosts2’ → ‘/root/.ssh/known_hosts2’
debug2: resolving “HOST” port 22
debug3: ssh_connect_direct: entering
debug1: Connecting to HOST [IP] port 22.
debug3: set_sock_tos: set socket 3 IP_TOS 0x48
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa_sk type -1
debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_ed25519_sk type -1
debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.7
debug1: Remote protocol version 2.0, remote software version HOSTNAME .
debug1: compat_banner: no match: HOSTNAME .
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to HOST:22 as ‘username’
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,ext-info-c,kex-strict-c-v00@openssh.com
debug2: host key algorithms: ssh-rsa,ssh-dss
debug2: ciphers ctos: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
debug2: ciphers stoc: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-dss
debug2: ciphers ctos: aes256-cbc,aes256-ctr,twofish-cbc,3des-cbc,twofish128-cbc,aes128-cbc,aes128-ctr,cast128-cbc,blowfish-cbc
debug2: ciphers stoc: aes256-cbc,aes256-ctr,twofish-cbc,3des-cbc,twofish128-cbc,aes128-cbc,aes128-ctr,cast128-cbc,blowfish-cbc
debug2: MACs ctos: hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
debug2: MACs stoc: hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
debug2: compression ctos: zlib,none
debug2: compression stoc: zlib,none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-dss
debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: diffie-hellman-group-exchange-sha256 need=32 dh_need=32
debug1: kex: diffie-hellman-group-exchange-sha256 need=32 dh_need=32
debug3: send packet: type 34
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<8192<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug3: receive packet: type 31
debug1: SSH2_MSG_KEX_DH_GEX_GROUP received
debug3: send packet: type 32
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: receive packet: type 33
debug1: SSH2_MSG_KEX_DH_GEX_REPLY received
debug1: Server host key: ssh-dss SANITIZED
debug3: record_hostkey: found key type DSA in file /root/.ssh/known_hosts:8
debug3: load_hostkeys_file: loaded 1 keys from HOST
debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host ‘HOST’ is known and matches the DSA host key.
debug1: Found key in /root/.ssh/known_hosts:8
debug2: bits set: 1050/2048
ssh_dispatch_run_fatal: Connection to IP port 22: error in libcrypto

I tried both update-crypto-policies --set LEGACY and update-crypto-policies --set DEFAULT:SHA1 but the issue is not resolved. Any help is appreciated. Thanks!

Try something like this:

ssh -o KexAlgorithms=+diffie-hellman-group-exchange-sha1 -o HostKeyAlgorithms=+ssh-rsa,ssh-dss -o PubkeyAcceptedAlgorithms=+ssh-rsa,ssh-dss -o RSAMinSize=512 user@host

[root@localhost html]# ssh -vvv -o KexAlgorithms=+diffie-hellman-group-exchange-sha1 -o HostKeyAlgorithms=+ssh-rsa,ssh-dss -o PubkeyAcceptedAlgorithms=+ssh-rsa,ssh-dss -o RSAMinSize=512 username@host
OpenSSH_8.7p1, OpenSSL 3.0.7 1 Nov 2022
debug1: Reading configuration data /root/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/50-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for ‘final all’ host host originally hostname
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 3: not matched ‘final’
debug2: match not found
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1 (parse only)
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1-]
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1]
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /root/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/50-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for ‘final all’ host hostname originally hostname
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 3: matched ‘final’
debug2: match found
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1-]
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1]
debug3: expanded UserKnownHostsFile ‘~/.ssh/known_hosts’ → ‘/root/.ssh/known_hosts’
debug3: expanded UserKnownHostsFile ‘~/.ssh/known_hosts2’ → ‘/root/.ssh/known_hosts2’
debug2: resolving “hostname” port 22
debug3: ssh_connect_direct: entering
debug1: Connecting to hostname [ip] port 22.
debug3: set_sock_tos: set socket 3 IP_TOS 0x48
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa_sk type -1
debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_ed25519_sk type -1
debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.7
debug1: Remote protocol version 2.0, remote software version HOST .
debug1: compat_banner: no match: HOST .
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to hostname:22 as ‘username’
debug3: record_hostkey: found key type DSA in file /root/.ssh/known_hosts:8
debug3: load_hostkeys_file: loaded 1 keys from hostname
debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-dss
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha1,ext-info-c,kex-strict-c-v00@openssh.com
debug2: host key algorithms: ssh-dss,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
debug2: ciphers stoc: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-dss
debug2: ciphers ctos: aes256-cbc,aes256-ctr,twofish-cbc,3des-cbc,twofish128-cbc,aes128-cbc,aes128-ctr,cast128-cbc,blowfish-cbc
debug2: ciphers stoc: aes256-cbc,aes256-ctr,twofish-cbc,3des-cbc,twofish128-cbc,aes128-cbc,aes128-ctr,cast128-cbc,blowfish-cbc
debug2: MACs ctos: hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
debug2: MACs stoc: hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
debug2: compression ctos: zlib,none
debug2: compression stoc: zlib,none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-dss
debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: diffie-hellman-group-exchange-sha256 need=32 dh_need=32
debug1: kex: diffie-hellman-group-exchange-sha256 need=32 dh_need=32
debug3: send packet: type 34
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<8192<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug3: receive packet: type 31
debug1: SSH2_MSG_KEX_DH_GEX_GROUP received
debug3: send packet: type 32
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: receive packet: type 33
debug1: SSH2_MSG_KEX_DH_GEX_REPLY received
debug1: Server host key: ssh-dss SHA256:SANITIZED
debug3: record_hostkey: found key type DSA in file /root/.ssh/known_hosts:8
debug3: load_hostkeys_file: loaded 1 keys from hostname
debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host ‘hostname’ is known and matches the DSA host key.
debug1: Found key in /root/.ssh/known_hosts:8
debug2: bits set: 1043/2048
ssh_dispatch_run_fatal: Connection to IP port 22: error in libcrypto

The crypto parameters supplied with the “-o” options to ssh need a common match with the server’s configuration.

For a start, find out the key sizes used on the server:

ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub

The result should be something like:
3072 SHA256:…
which in this example means RSA 3072 bit, SHA256.

The problem is, the server I try to connect to is a government server and its authorization method is password. I know, it’s the most secure way to authorize, but I’m not the one to blame here :joy: :joy:

Google with that finds something like: “linux - Error in libcrypto connecting RHEL 9 server to Centos 6 via SFTP/SSH” (Server Fault) and “SSH from RHEL 9 to RHEL 6 systems or 3rd party application services does not work due to SHA1 being disabled” (Red Hat Customer Portal).

Although you show that the remote has a DSA host key. Not even RSA.

The known_hosts has a copy of the remote’s dsa.pub, doesn’t it?
You could extract that and run ssh-keygen -l -f on it to figure out what it has.


It could be handy to have a system, perhaps a VM, with an older distro to use for connections to ancient systems.

It’s a 2048 SHA256: key.

Yeah, you’d need something very old to work with DSA keys!

This looks like the remote host has a broken implementation:

debug1: Remote protocol version 2.0, remote software version HOST .
 debug1: compat_banner: no match: HOST .

It doesn’t look like a cipher, MAC or KEX issue, or the old SHA1 issue, although you could try:

update-crypto-policies --set DEFAULT:SHA1

(or even LEGACY) but that would lower the security of your local machine too, and it shouldn’t be needed with those -o options.

Is it a bad link? It could be a timeout. I mean, there’s no “mismatch” error from ssh, for example.

It seems you do not have the “usual” “ssh to old servers” problem.

The next thing I would do is remove/comment the existing entry in .ssh/known_hosts line 8 and try again.
Government servers tend to use obscure configs and also have other obscure sources of problems like IPS and DPI. You may need to do a helpdesk/service call with them.

To find out what settings are active on the server, use
sshd -T
or
sshd -T | grep -i rsa

Compare the server’s settings to the output on the client of
ssh -Q key
ssh -Q kex
ssh -Q cipher
ssh -Q mac
etc.; see ssh -Q help

Then find common parameters and use these.

Good luck!
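The "find common parameters" step above can be done mechanically from the same `ssh -vvv` output the thread already contains. The script below is an added example, not code from any of the posts: it parses the "local client KEXINIT proposal" and "peer server KEXINIT proposal" sections (the debug2 line labels are those of OpenSSH 8.7 as quoted in the thread), computes the algorithms both sides share per category in client preference order, cross-checks the prediction against the "debug1: kex:" lines ssh logged, flags legacy choices, and emits a per-host ssh_config stanza so that legacy algorithms are enabled only for the one old server rather than by lowering the system-wide crypto policy. The sample log is constructed from the proposals quoted in the thread, and the alias "old-gov-sftp" and the HostName "HOST" are placeholders. Run on the thread's second log it reports no gap in any category, which matches the remark that this is not the usual "ssh to old servers" problem; it still flags ssh-dss, whose signatures use SHA-1, so the client's libcrypto must also be willing to verify a SHA-1 signature.

```python
"""Compare client and server KEXINIT proposals from `ssh -vvv` output.

Added example for this thread, not code from any of the posts. Labels are the
OpenSSH 8.7 debug2 lines quoted in the thread; sample data is constructed.
"""
import re

# debug2 label -> short category name
CATEGORIES = {
    "KEX algorithms": "kex",
    "host key algorithms": "hostkey",
    "ciphers ctos": "cipher_ctos",
    "ciphers stoc": "cipher_stoc",
    "MACs ctos": "mac_ctos",
    "MACs stoc": "mac_stoc",
}
# category -> ssh_config option that controls it
OPTION_FOR = {"kex": "KexAlgorithms", "hostkey": "HostKeyAlgorithms",
              "cipher_ctos": "Ciphers", "mac_ctos": "MACs"}
# Substrings marking an algorithm as legacy: SHA-1 KEX/MACs and DSA host keys
# (ssh-dss signs with SHA-1) are the thread's topic; CBC, MD5 and group1 are
# the other things an old server typically offers.
LEGACY_MARKERS = ("sha1", "ssh-dss", "-cbc", "md5", "group1-")

# Constructed sample, trimmed from the proposals quoted in the thread.
SAMPLE_LOG = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: ssh-rsa,ssh-dss
debug2: ciphers ctos: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-ctr
debug2: ciphers stoc: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-ctr
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-dss
debug2: ciphers ctos: aes256-cbc,aes256-ctr,3des-cbc,aes128-cbc,aes128-ctr
debug2: ciphers stoc: aes256-cbc,aes256-ctr,3des-cbc,aes128-cbc,aes128-ctr
debug2: MACs ctos: hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-md5
debug2: MACs stoc: hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-md5
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-dss
"""

PROPOSAL_RE = re.compile(r"^debug2: (%s): ?(.*)$" % "|".join(map(re.escape, CATEGORIES)))
CHOSEN_RE = re.compile(r"^debug1: kex: (algorithm|host key algorithm): (\S+)$")


def parse_proposals(log):
    """Return {"client": {category: [algs]}, "server": {category: [algs]}}."""
    side, out = None, {"client": {}, "server": {}}
    for line in log.splitlines():
        line = line.strip()
        if line.endswith("local client KEXINIT proposal"):
            side = "client"
        elif line.endswith("peer server KEXINIT proposal"):
            side = "server"
        elif side and (m := PROPOSAL_RE.match(line)):
            out[side][CATEGORIES[m.group(1)]] = [a for a in m.group(2).split(",") if a]
    return out


def negotiated(log):
    """The choices ssh actually logged, to cross-check the prediction."""
    found = {}
    for line in log.splitlines():
        if m := CHOSEN_RE.match(line.strip()):
            found["kex" if m.group(1) == "algorithm" else "hostkey"] = m.group(2)
    return found


def common_algorithms(props):
    """Per category, algorithms both sides offer, in client preference order
    (RFC 4253 7.1: the first client entry the server also lists is chosen)."""
    common = {}
    for cat in CATEGORIES.values():
        server = set(props["server"].get(cat, []))
        common[cat] = [a for a in props["client"].get(cat, []) if a in server]
    return common


def is_legacy(alg):
    return any(marker in alg for marker in LEGACY_MARKERS)


def report(props):
    """One line per category: the expected pick with a legacy flag, or the gap."""
    lines = []
    for cat, algs in common_algorithms(props).items():
        if not algs:
            lines.append(f"{cat}: no common algorithm, negotiation fails here")
        else:
            flag = " [legacy]" if is_legacy(algs[0]) else ""
            lines.append(f"{cat}: {algs[0]}{flag} (common: {','.join(algs)})")
    return lines


def host_stanza(alias, hostname, common):
    """ssh_config block that appends ('+') only the legacy algorithms this one
    server forces; every other host keeps the system-wide crypto policy."""
    lines = [f"Host {alias}", f"    HostName {hostname}"]
    for cat, option in OPTION_FOR.items():
        algs = common.get(cat, [])
        if algs and is_legacy(algs[0]):
            lines.append(f"    {option} +{','.join(a for a in algs if is_legacy(a))}")
    return "\n".join(lines)


if __name__ == "__main__":
    props = parse_proposals(SAMPLE_LOG)
    print("\n".join(report(props)))
    print("logged choices:", negotiated(SAMPLE_LOG))
    print(host_stanza("old-gov-sftp", "HOST", common_algorithms(props)))  # placeholders
```

Feed it a real capture with `ssh -vvv user@host 2>&1 | python3 this_script.py`-style plumbing by replacing SAMPLE_LOG with `sys.stdin.read()`. A category whose common list is empty is the "Unable to negotiate ... no matching ... found" failure from the first post; a non-empty list whose first entry is flagged legacy, as ssh-dss is here, is the case where negotiation succeeds but the client's crypto library may still refuse the SHA-1 signature afterwards.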