Archive for December, 2016

SSH to C.H.I.P

December 17, 2016

Tried to ssh to my C.H.I.P device today (which has been running smoothly for 3 months), and was confronted with a new error:

Unable to negotiate with 192.168.1.238 port 22: no matching host key type found. Their offer: ssh-dss

What the heck does this mean? Google, here we come!!

https://wiki.archlinux.org/index.php/Secure_Shell

– describes the symptoms quite well, but what about a solution??

Neat internet debate at http://security.stackexchange.com/questions/29262/disabling-authentication-via-dsa-keys-in-openssh — but again no solution.

How to Fix: MacOS Sierra Upgrade Breaking SSH Keys

– also describes a similar problem… and what the solution was – from a CLIENT perspective.

But SSH keys that you have for your client side are the same as the ones you have for your server side (minus the password protection), right?

root@chip:/etc/ssh# head ssh_host_dsa_key
-----BEGIN DSA PRIVATE KEY-----

So why not just generate new keys and put them into the right spot?

root@chip:/tmp# ls -l /etc/ssh/*key
-rw------- 1 root root 668 Aug 19 22:27 /etc/ssh/ssh_host_dsa_key
-rw------- 1 root root 0 Jan 1 1970 /etc/ssh/ssh_host_ecdsa_key
-rw------- 1 root root 0 Jan 1 1970 /etc/ssh/ssh_host_ed25519_key
-rw------- 1 root root 0 Jan 1 1970 /etc/ssh/ssh_host_key
-rw------- 1 root root 0 Jan 1 1970 /etc/ssh/ssh_host_rsa_key

Aha, this might be the reason…

root@chip:/tmp# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /tmp/ssh_host_rsa_key
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /tmp/ssh_host_rsa_key.
Your public key has been saved in /tmp/ssh_host_rsa_key.pub.
The key fingerprint is:
03:0a:02:4e:e9:50:67:a2:8a:e5:e9:1b:f8:54:a4:cf root@chip
The key's randomart image is:
+---[RSA 2048]----+
|.o+ o            |
|=o +             |
|=.o . .          |
|o= = . .         |
|o + o   S        |
| o +     .       |
|. + E            |
| o o             |
|  o              |
+-----------------+

Then copy these over the 0-byte ones:

root@chip:/tmp# cp ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key
root@chip:/tmp# cp ssh_host_rsa_key.pub /etc/ssh/ssh_host_rsa_key.pub

Now, back on my Mac, I verify the ASCII art first:

[bill@My-MBP tmp]$ ssh -o VisualHostKey=yes chip
Host key fingerprint is SHA256:t+Fezp77iCm+q87ep+vjs/eHIx5ODrgDzIskla4Bx+U
+---[RSA 2048]----+
|                 |
|    .            |
| . +             |
|. = E            |
|.+ o    S o      |
|o o +  . o o     |
| = . o. . = ..   |
|. . ...o+*+Boo.  |
|     o**@&B+O=.  |
+----[SHA256]-----+

and I’m good to go…

Hope this helps somebody other than myself. 😀
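
As an added example (not part of the original post), the manual steps above can be wrapped in a small shell function that regenerates only the host key files that exist but are zero bytes, as in the ls -l listing. The names regen_empty_host_keys and demo are hypothetical, and the demo works on a scratch directory rather than /etc/ssh.

```sh
#!/bin/sh
# Added example, not from the original post. regen_empty_host_keys and demo
# are hypothetical helper names; key file names follow the ls output above.

# Regenerate every host key in DIR (default /etc/ssh) that exists but is
# zero bytes, print each new fingerprint, and leave non-empty keys alone.
regen_empty_host_keys() {
    dir=${1:-/etc/ssh}
    for type in rsa ecdsa ed25519; do
        key="$dir/ssh_host_${type}_key"
        if [ -e "$key" ] && [ ! -s "$key" ]; then
            # ssh-keygen prompts before overwriting, so drop the empty stub.
            rm -f "$key" "$key.pub"
            # -N '' : host keys have no passphrase; -q : suppress randomart.
            ssh-keygen -q -t "$type" -N '' -f "$key" || return 1
            chmod 600 "$key"
            chmod 644 "$key.pub"
            # Note this fingerprint and compare it on the client before
            # accepting the changed host key there.
            ssh-keygen -l -f "$key.pub"
        fi
    done
    return 0
}

# Demo against a scratch directory (constructed stand-in for /etc/ssh).
demo() {
    scratch=$(mktemp -d) || return 1
    : > "$scratch/ssh_host_rsa_key"          # zero-byte stubs, as on the C.H.I.P
    : > "$scratch/ssh_host_ed25519_key"
    echo "constructed placeholder" > "$scratch/ssh_host_dsa_key"
    regen_empty_host_keys "$scratch"
    ls -l "$scratch"
    rm -rf "$scratch"
}

# Run "sh thisfile --demo" to try it without touching a live sshd.
if [ "${1:-}" = "--demo" ]; then demo; fi
```

The fingerprint printed on the device in the post is in MD5 form while the Mac client shows SHA256, so the two randomart images cannot be compared directly; running the client with `-o FingerprintHash=md5 -o VisualHostKey=yes` displays the MD5 form.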