Saturday, August 18, 2018

Unable to ssh on macOS High Sierra, Catalina and Linux


  • Symptoms

After upgrading to macOS High Sierra, one of the following errors appears and you can no longer connect to the network switch or firewall.

Unable to negotiate with 192.168.1.1 port 22: no matching host key type found. Their offer: ssh-dss

Unable to negotiate with 192.168.1.2 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

Unable to negotiate with 192.168.1.10 port 22: no matching host key type found. Their offer: rsa-sha2-512,rsa-sha2-256,ecdsa-sha
-> Add ssh-ed25519 to the HostkeyAlgorithms


  • Root cause

In recent macOS versions, Apple’s OpenSSH removes ssh-dss completely at compile time.
So no client-side flag, config tweak, or ssh_config edit can make this work.

You are trying to talk to a device that only supports:

ssh-dss (DSA host key, 1024-bit, SHA-1)

and your Mac literally cannot speak that protocol anymore.

This is not a negotiation problem.
This is a capability removal.

You have the following options.

Option 1 — Correct fix (recommended): regenerate the SSH host key on the switch
Make the switch offer one of:

  • ssh-ed25519
  • ecdsa-sha2-nistp256
  • ssh-rsa (rsa-sha2-256/512)

After that, your Mac will connect instantly with no hacks.

This is the proper solution.


Option 2 — Use an older SSH client that still supports DSA (workaround).

The Serial app supports the legacy algorithm. Please try the “TRY FREE” option first and confirm whether SSH works.

https://www.decisivetactics.com/products/serial/


Option 3 — Use a Linux VM / jump host
Any older Linux box, container, or VM will still support ssh-dss.

Example:

docker run -it ubuntu bash
apt update && apt install -y openssh-client
# ssh-dss is compiled in but disabled by default at run time since OpenSSH 7.0, so enable it for this connection
ssh -o HostKeyAlgorithms=+ssh-dss <user>@<device-ip>

This works immediately because Linux OpenSSH still includes DSA.


  • Resolution 1

This is a system-wide solution that applies to every user on the Mac.

Open the ssh_config file in the /etc/ssh directory using a text editor such as Vi.

sudo vi /etc/ssh/ssh_config

Find the lines shown below and remove the # (hash/pound sign) at the beginning of each.

# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc


And add the following line at the bottom.

HostkeyAlgorithms +ssh-dss,ssh-rsa,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
KexAlgorithms +diffie-hellman-group1-sha1


Overall it will be something like this:

# Port 22
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
MACs hmac-sha2-512,hmac-sha2-256,hmac-md5,hmac-sha1,[email protected],[email protected]

# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h

Host *
SendEnv LANG LC_*
HostkeyAlgorithms +ssh-dss,ssh-rsa,ssh-ed25519
KexAlgorithms +diffie-hellman-group1-sha1


Save and exit; the change takes effect immediately. No reboot is required.


  • Resolution 2

This solution can be scoped to a specific user, host, or subnet.

Open the config file in the .ssh directory using a text editor such as Vi.


vi ~/.ssh/config

(the file is ~/.ssh/config, i.e. $HOME/.ssh/config)

# Please add the following algorithm to all hosts on the network.

Host *
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa

# Allow the algorithm below for all hosts on the 192.168.1.0 network
Host 192.168.1.*
HostKeyAlgorithms=+ssh-dss


# Only the two hosts below are allowed these ciphers
# (Host patterns are separated by spaces, not commas)
Host 192.168.2.1 192.168.2.2
Ciphers aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc


# One subnet and one host below: allow the legacy key type, cipher and key exchange
Host 192.168.3.* 192.168.4.100
HostKeyAlgorithms=+ssh-dss
Ciphers 3des-cbc
KexAlgorithms +diffie-hellman-group1-sha1

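As an added example (not code from the original post), the Python helper below parses the client's "Unable to negotiate ... Their offer: ..." lines and generates per-host stanzas in the style of Resolution 2, so a legacy algorithm is re-enabled with "+" only for the device that needs it rather than under Host *. The error lines are constructed samples; the mapping from error wording to ssh_config keyword follows the messages quoted above.

```python
import re
from collections import defaultdict

# Constructed sample errors in the format printed by the OpenSSH client.
ERRORS = """\
Unable to negotiate with 192.168.1.1 port 22: no matching host key type found. Their offer: ssh-dss
Unable to negotiate with 192.168.1.2 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
Unable to negotiate with 192.168.1.10 port 2222: no matching cipher found. Their offer: aes128-cbc,3des-cbc
"""

# Which ssh_config keyword governs each kind of negotiation failure.
KEYWORDS = {
    "host key type": "HostKeyAlgorithms",
    "key exchange method": "KexAlgorithms",
    "cipher": "Ciphers",
    "MAC": "MACs",
}

PATTERN = re.compile(
    r"Unable to negotiate with (?P<host>\S+) port (?P<port>\d+): "
    r"no matching (?P<what>host key type|key exchange method|cipher|MAC) found\. "
    r"Their offer: (?P<offer>\S+)"
)


def parse_errors(text):
    """Return {(host, port): {keyword: [offered algorithms]}} from ssh error output."""
    found = defaultdict(dict)
    for line in text.splitlines():
        m = PATTERN.search(line)
        if not m:
            continue  # unrelated output, skip it
        found[(m["host"], int(m["port"]))][KEYWORDS[m["what"]]] = m["offer"].split(",")
    return dict(found)


def render_stanzas(parsed):
    """Emit one Host stanza per device; '+' appends to the defaults instead of replacing them."""
    out = []
    for (host, port), needs in sorted(parsed.items()):
        out.append(f"Host {host}")
        if port != 22:
            out.append(f"    Port {port}")
        for keyword, algs in needs.items():
            out.append(f"    {keyword} +{','.join(algs)}")
        out.append("")
    return "\n".join(out).rstrip("\n")


if __name__ == "__main__":
    print(render_stanzas(parse_errors(ERRORS)))
```

Paste the printed stanzas into ~/.ssh/config; because the weakened setting is tied to a Host pattern, connections to every other host keep the client's default algorithm lists.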

  • Resolution 3

Run ssh with the options passed directly on the command line, so nothing is changed in any config file.


ssh -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa <user>@<device-ip>



* Reference: SSH Config File - Commonly used configuration options

