The case of the missing SSH keys

I built a couple of new Solaris 10 hosts today using a stripped down image, and was greeted with the following error when I tried to log in:

$ ssh 192.168.1.20
Unable to negotiate a key exchange method

The server was spitting out “no kex alg” errors, which appear to be due to key exchange issues. I poked around my sshd_config file, and for some reason the host keys weren’t generated when the ssh service initialized. To fix this, I ran the ssh service with the -c option (this generated the RSA and DSA host keys):

$ /lib/svc/method/sshd -c

I then added the host keys to my sshd configuration file:

# Paths to host keys
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

And then ran ‘svcadm refresh ssh’ to restart the service. Once that completed, I was able to log in to the host. Nice!
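
The following shell check is an added example, not part of the original post: it reads the HostKey lines from an sshd_config and reports each key file that is missing, empty, or cannot be loaded with an empty passphrase (sshd has no way to enter a passphrase for a host key). The function name check_hostkeys is made up for this example, and it assumes the local ssh-keygen accepts -y and -P as OpenSSH's does.

```shell
#!/bin/sh
# Added example, not from the original post. check_hostkeys is a hypothetical name.
# Usage: sh check_hostkeys.sh /etc/ssh/sshd_config   (run as root so the keys are readable)

check_hostkeys() {
    conf=$1
    rc=0

    # sshd_config keywords are case-insensitive; commented-out lines do not match.
    paths=$(awk 'tolower($1) == "hostkey" { print $2 }' "$conf")
    if [ -z "$paths" ]; then
        echo "FAIL: no HostKey directive in $conf"
        return 1
    fi

    for key in $paths; do
        # The key was never generated, or exists only as a zero-length file.
        if [ ! -s "$key" ]; then
            echo "FAIL: $key is missing or empty"
            rc=1
            continue
        fi
        # Deriving the public key with an empty passphrase succeeds only if
        # the private key is intact and not encrypted. Assumes ssh-keygen
        # supports -y and -P; stdin is closed so it can never prompt.
        if ! ssh-keygen -y -P "" -f "$key" </dev/null >/dev/null 2>&1; then
            echo "FAIL: $key is unreadable or passphrase-protected"
            rc=1
            continue
        fi
        echo "OK: $key"
    done
    return $rc
}

# Only run when a config path is given on the command line.
if [ "$#" -gt 0 ]; then
    check_hostkeys "$1"
fi
```

A non-zero exit status means at least one configured host key would not load, so the check can gate an image build or a post-clone step.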

3 Comments

Claus Conrad  on April 26th, 2009

Thank you, you rescued my *** (sleep).
In an attempt to clean up my sshd_config I removed all lines that had the default values – according to the man page. Turns out the man page was wrong with regard to “HostKey” :-S

chris  on July 30th, 2009

Also, if cloning a Solaris container and you need to generate new ssh keys for the container/host, make sure you leave the passphrases EMPTY or you’ll get the same error message “no key alg”. Check ‘man ssh-keygen’ to confirm.

ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key
ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key

That took me about 45 minutes to correct after putting in passphrases.

firebush  on November 4th, 2009

Thanks Matty! This got me going.
