| 1 | +--- |
| 2 | +title: OpenSSH Client Can't Connect To a Server via SSH |
| 3 | +description: Addresses multiple common causes and solutions when encountering OpenSSH connection errors related to host key algorithm mismatches on Windows systems. |
| 4 | +ms.date: 09/16/2025 |
| 5 | +manager: dcscontentpm |
| 6 | +audience: itpro |
| 7 | +ms.topic: troubleshooting |
| 8 | +ms.reviewer: kaushika, warrenw, v-lianna |
| 9 | +ms.custom: |
| 10 | +- sap:system management components\openssh (including sftp) |
| 11 | +- pcy:WinComm User Experience |
| 12 | +--- |
| 13 | +# OpenSSH client can't connect to a server via SSH: "no matching host key type found" errors |
| 14 | + |
| 15 | +This article addresses multiple common causes and solutions when encountering OpenSSH connection errors related to host key algorithm mismatches on Windows systems. |
| 16 | + |
| 17 | +When you connect to a server via Secure Shell (SSH), you might encounter errors such as: |
| 18 | + |
| 19 | +- > Unable to negotiate with \<server\>: no matching host key type found. |
| 20 | +- > Host key algorithm: (no match) |
| 21 | +- > Permission denied (publickey). |
| 22 | +- > Server refused our key. |
| 23 | +
|
| 24 | +These errors typically indicate mismatches in supported algorithms, permissions issues, or security concerns. |
| 25 | + |
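Review bot: the `description` field and the opening sentence narrow the article to "host key algorithm mismatches", but two of the four errors quoted ("Permission denied (publickey)." and "Server refused our key.") are public-key authentication failures that Cause 2 handles, not host-key negotiation. Suggest "connection errors caused by host key or public key algorithm mismatches and by authorized_keys permission problems" so the summary matches the three causes actually covered. It would also help to say which client prints which message: "Server refused our key" is PuTTY's wording, "Unable to negotiate ... no matching host key type found" is the OpenSSH client's, and the OpenSSH message ends with "Their offer: ..." listing what the peer proposed, which is the first thing a reader should look at to decide whether the mismatch is on the client or the server.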
| 26 | +## Cause 1: RSA algorithm disabled in updated OpenSSH versions |
| 27 | + |
| 28 | +OpenSSH 8.8 and later versions disable the insecure `ssh-rsa` algorithm by default, causing legacy clients dependent on RSA keys to fail connection attempts. |
| 29 | + |
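Review bot: "disable the insecure `ssh-rsa` algorithm" conflates the signature scheme with the key type, and the conclusion drawn from it ("legacy clients dependent on RSA keys") is wrong. OpenSSH 8.8 disabled `ssh-rsa`, meaning RSA signatures over SHA-1; RSA keys themselves keep working through `rsa-sha2-256` and `rsa-sha2-512`, which OpenSSH clients have supported since 7.2. The population that fails is clients that cannot produce or verify rsa-sha2 signatures (very old OpenSSH, old PuTTY builds, embedded SSH stacks). Suggest: "OpenSSH 8.8 and later disable the `ssh-rsa` signature algorithm (RSA with SHA-1) by default. Clients that support only that algorithm can no longer negotiate an RSA host key or authenticate with an RSA user key, even though RSA keys remain usable via rsa-sha2-256/512." That wording also explains why the Next steps section can recommend upgrading clients rather than changing keys.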
| 30 | +### Resolution |
| 31 | + |
| 32 | +1. Back up the existing configuration: |
| 33 | + |
| 34 | + ```powershell |
| 35 | + Copy-Item "C:\ProgramData\ssh\sshd_config" "C:\ProgramData\ssh\sshd_config.bak" |
| 36 | + ``` |
| 37 | +
|
| 38 | +2. Modify the **sshd_config** file: |
| 39 | +
|
| 40 | + 1. Open Notepad as administrator. |
| 41 | + 2. Use the following command to open the **sshd_config** file: |
| 42 | +
|
| 43 | + ```console |
| 44 | + notepad "C:\ProgramData\ssh\sshd_config" |
| 45 | + ``` |
| 46 | +
|
| 47 | + 3. Add the following lines to the end of the file: |
| 48 | +
|
| 49 | + ```output |
| 50 | + PubkeyAcceptedAlgorithms +ssh-rsa |
| 51 | + HostKeyAlgorithms +ssh-rsa |
| 52 | + ``` |
| 53 | +
|
| 54 | +3. Restart the OpenSSH service: |
| 55 | +
|
| 56 | + ```powershell |
| 57 | + Restart-Service sshd |
| 58 | + ``` |
| 59 | +
|
| 60 | +4. Verify the SSH connection: |
| 61 | +
|
| 62 | + ```powershell |
| 63 | + |
| 64 | + ``` |
| 65 | +
|
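Review bot: step 2c ("Add the following lines to the end of the file") breaks sshd on a default Windows install. The stock `C:\ProgramData\ssh\sshd_config` ends with a `Match Group administrators` block (the one that sets `AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys`), so lines appended after it become part of that block, and `HostKeyAlgorithms` is not a directive permitted inside `Match`; sshd then refuses to start at step 3 with a "not allowed within a Match block" error. Tell the reader to insert the two lines above the `Match` block (or near the top of the file) and to validate with `sshd.exe -t` before `Restart-Service sshd`; it prints nothing on a valid config and names the offending directive otherwise. Two smaller points in the same region: step 4's verification block is empty and should carry the command the reader is expected to run, e.g. `ssh -vvv user@hostname` from the diagnostics section, with a hint to look for the `kex: host key algorithm:` line in the output; and these two lines re-enable SHA-1 RSA signatures for every peer, so it is worth stating here, not only in Next steps, that this is a temporary compatibility override, and that `PubkeyAcceptedAlgorithms` can be confined to the legacy hosts inside a `Match Address` block whereas `HostKeyAlgorithms` cannot.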
| 66 | +## Cause 2: Missing or incorrect authorized_keys file or improper file permissions |
| 67 | +
|
| 68 | +Connection failures occur due to missing or incorrect **authorized_keys** file or improper file permissions, generating "Permission denied" errors. |
| 69 | +
|
| 70 | +### Resolution |
| 71 | +
|
| 72 | +1. Ensure the **authorized_keys** file exists: |
| 73 | +
|
| 74 | + File path: |
| 75 | + **C:\ProgramData\\ssh\\administrators_authorized_keys** |
| 76 | +
|
| 77 | + Place your public keys correctly in this file. |
| 78 | +2. Correct file permissions: |
| 79 | +
|
| 80 | + Ensure only administrators have write permissions to the file: |
| 81 | +
|
| 82 | + ```console |
| 83 | + icacls.exe "C:\ProgramData\ssh\administrators_authorized_keys" /inheritance:r /grant "Administrators:F" |
| 84 | + ``` |
| 85 | +
|
| 86 | +3. Restart the OpenSSH service: |
| 87 | +
|
| 88 | + ```console |
| 89 | + net stop sshd |
| 90 | + net start sshd |
| 91 | + ``` |
| 92 | +
|
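Review bot: the file this section points at applies only to members of the local Administrators group. The default Windows sshd_config keeps `AuthorizedKeysFile .ssh/authorized_keys` for everyone else and redirects administrators to `C:\ProgramData\ssh\administrators_authorized_keys` through the `Match Group administrators` block, so a non-admin user getting "Permission denied (publickey)" needs `C:\Users\<user>\.ssh\authorized_keys`, not this file; the section should say which file applies to whom. On the ACL: `/inheritance:r` strips every inherited grant, including SYSTEM's, and the key-management doc this page links to therefore also grants SYSTEM, so the command should match it: `icacls.exe "C:\ProgramData\ssh\administrators_authorized_keys" /inheritance:r /grant "Administrators:F" /grant "SYSTEM:F"`. The requirement sshd enforces is that no principal other than Administrators, SYSTEM and the file owner has write access, which is what inherited Modify grants on ProgramData violate, so "ensure only administrators have write permissions" is right but should mention that inheritance is the usual source of the stray grant. Step 3 is unnecessary for this cause, since sshd reads the authorized_keys file on each authentication attempt; if it stays, use the same `Restart-Service sshd` as Cause 1 rather than a second spelling of the same action.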
| 93 | +## Cause 3: Private keys stored in the registry persist across sessions causing security risks |
| 94 | +
|
| 95 | +Private keys stored by OpenSSH's ssh-agent service persist across sessions in the Windows registry, potentially causing security risks. |
| 96 | +
|
| 97 | +### Resolution |
| 98 | +
|
| 99 | +- Use strong encryption and passphrases when generating private keys. |
| 100 | +- Limit registry access through user permissions. |
| 101 | +- Regularly update OpenSSH from official sources (for example, GitHub). |
| 102 | +- Regularly audit registry entries and clear sensitive keys when not needed. |
| 103 | +
|
| 104 | +### Optional registry adjustments |
| 105 | +
|
| 106 | +Manage RSA keys securely via registry policies: |
| 107 | +
|
| 108 | +```powershell |
| 109 | +Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SSH-Server' -Name AllowRSAKey -Value 1 -Type DWORD |
| 110 | +Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\SSH-Server\Parameters' -Name AllowRSAKey -Value 1 -Type DWORD |
| 111 | +``` |
| 112 | + |
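Review bot: the "Optional registry adjustments" block does not address the cause this section states, and the values it sets are not documented Win32-OpenSSH settings. Neither `HKLM\SOFTWARE\Policies\Microsoft\Windows\SSH-Server` nor `HKLM\System\CurrentControlSet\Services\SSH-Server\Parameters` with an `AllowRSAKey` value appears in the Windows OpenSSH documentation this page references; setting it to 1 would enable RSA rather than "manage RSA keys securely"; and `Set-ItemProperty` errors out when the target key does not exist, because it does not create keys. Either cite where these values are read or drop the subsection. What is missing is the concrete handling of keys persisted by the ssh-agent service: the agent keeps them under `HKLM\SOFTWARE\OpenSSH\Agent\Keys`, DPAPI-protected; `ssh-add -l` shows what is loaded, `ssh-add -D` removes every loaded identity, and `Stop-Service ssh-agent` followed by `Set-Service ssh-agent -StartupType Disabled` stops keys from being cached at all. The bullets above ("limit registry access", "audit registry entries") should name that key and those commands so they are actionable, and the "official sources (for example, GitHub)" bullet should note that on supported Windows releases OpenSSH ships as a Feature on Demand serviced through Windows Update, with the GitHub releases being the separately installed Win32-OpenSSH builds.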
| 113 | +### Recommended general security practices |
| 114 | + |
| 115 | +- Secure user accounts and maintain strict file permissions. |
| 116 | +- Regularly update OpenSSH to include latest security patches. |
| 117 | +- Use stronger algorithms such as ED25519 or ECDSA where possible. |
| 118 | +- Educate users on secure key management practices. |
| 119 | + |
| 120 | +## Troubleshooting logs and diagnostics |
| 121 | + |
| 122 | +To gather detailed debugging logs during connection attempts, use the verbose SSH command: |
| 123 | + |
| 124 | +```console |
| 125 | +ssh -vvv user@hostname |
| 126 | +``` |
| 127 | + |
| 128 | +Analyze logs collected from both working and nonworking environments to identify configuration differences. |
| 129 | + |
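Review bot: only the client side of diagnostics is covered. For the server-side view on Windows, sshd writes to Event Viewer under Applications and Services Logs > OpenSSH > Operational by default; for a full trace, set `SyslogFacility LOCAL0` and `LogLevel DEBUG3` in sshd_config, restart sshd, and read `C:\ProgramData\ssh\logs\sshd.log`. That log shows which algorithms the server offered and whether an authorized_keys file was rejected for bad permissions, neither of which `ssh -vvv` on the client can tell you. Two client-side additions worth a line each: `ssh -Q key` lists the key and signature algorithm names the installed client supports, which is how to confirm whether a client is rsa-sha2-capable; and when the legacy side is the server rather than the client, the override belongs on the client, `ssh -o HostKeyAlgorithms=+ssh-rsa user@hostname`, which the article never mentions despite its title.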
| 130 | +## Next steps |
| 131 | + |
| 132 | +- Identify and inventory legacy clients still requiring weaker algorithms like `ssh-rsa`. |
| 133 | +- Implement a scheduled upgrade strategy to migrate these clients to stronger algorithms. |
| 134 | +- After resolving compatibility issues, remove temporary algorithm overrides from **sshd_config**. |
| 135 | +- Replace legacy RSA keys with stronger keys (minimum 3072-bit RSA or ED25519). |
| 136 | + |
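Review bot: the last bullet mixes two unrelated properties. The 8.8 change concerns the SHA-1 signature scheme, not key length: a 3072-bit RSA key still authenticates with `ssh-rsa` on a client that lacks rsa-sha2 support and still fails once the override is removed, while a 2048-bit key works with rsa-sha2-256 on a current client. Keep the 3072-bit/ED25519 recommendation as key hygiene, but state that the step that actually allows the override to be removed is the second bullet, upgrading or replacing the clients. The first bullet would be more useful with a method: with the override in place, raise sshd's `LogLevel` and collect the client software version strings from the connection logs, then remove the override in a maintenance window and watch for connections that now fail with "no matching host key type found".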
| 137 | +## References |
| 138 | + |
| 139 | +- [Key-based authentication in OpenSSH for Windows](/windows-server/administration/openssh/openssh_keymanagement) |
| 140 | +- [OpenSSH 8.8 Release Notes (RSA deprecation)](https://www.openssh.com/txt/release-8.8) |