The case of the missing SSH keys

I built a couple of new Solaris 10 hosts today using a stripped down image, and was greeted with the following error when I tried to log in:

$ ssh 192.168.1.20
Unable to negotiate a key exchange method

The server was spitting out “no kex alg” errors, which appear to be due to key exchange issues. I poked around my sshd_config file, and for some reason the host keys weren’t generated when the ssh service initialized. To fix this, I ran the ssh service method script with the -c option (this generated the RSA and DSA host keys):

$ /lib/svc/method/sshd -c

added the host keys to my sshd configuration file:

# Paths to host keys
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

And then ran ‘svcadm refresh ssh’ to restart the service. Once that completed, I was able to log in to the host. Nice!
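The failure above comes down to sshd having no usable host key when it starts. As an added example (not from the original post), the following POSIX sh script reads the HostKey directives from an sshd_config and reports keys that are missing, unreadable, or protected by a passphrase in the legacy PEM format; the file names and the config path are constructed placeholders.

```shell
#!/bin/sh
# Preflight check: does every HostKey in an sshd_config point at a key sshd can load?
# Assumes a POSIX shell with awk and grep; the paths below are whatever the caller passes.

# Print the paths named by HostKey directives, ignoring comments and blank lines.
# sshd_config keywords are case-insensitive, so compare in lower case.
hostkey_paths() {
    awk 'tolower($1) == "hostkey" { print $2 }' "$1"
}

# Classify one key file: prints OK, MISSING, or ENCRYPTED; returns 0 only for OK.
check_key() {
    key=$1
    if [ ! -r "$key" ]; then
        echo "MISSING $key"
        return 1
    fi
    # Legacy PEM private keys record a passphrase with this header. sshd cannot
    # prompt for it at start-up, so such a key is as useless as a missing file.
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$key"; then
        echo "ENCRYPTED $key"
        return 1
    fi
    echo "OK $key"
    return 0
}

# Check every HostKey in a config file. Returns 0 only when at least one
# HostKey is configured and all of them are usable; prints a summary line.
check_hostkeys() {
    config=$1
    total=0
    bad=0
    for path in $(hostkey_paths "$config"); do
        total=$((total + 1))
        check_key "$path" || bad=$((bad + 1))
    done
    if [ "$total" -eq 0 ]; then
        echo "no HostKey directives in $config"
        return 1
    fi
    echo "$total host key(s) configured, $bad unusable"
    [ "$bad" -eq 0 ]
}

# Usage (constructed path): check_hostkeys /etc/ssh/sshd_config
```

A non-zero exit means sshd would refuse key exchange, so run it before ‘svcadm refresh ssh’ rather than after.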

4 thoughts on “The case of the missing SSH keys”

  1. Thank you, you rescued my *** (sleep).
    In an attempt to clean up my sshd_config I removed all lines that had the default values – according to the man page. Turns out the man page was wrong with regard to “HostKey” :-S

  2. Also, if cloning a Solaris container and you need to generate new ssh keys for the container/host, make sure you leave the passphrases EMPTY or you’ll get the same error message “no key alg”. Check ‘man ssh-keygen’ to confirm.

    ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key
    ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key

    that took me about 45 minutes to correct after putting in passphrases.

  3. Haha, this problem also plagued me for a long time.
    Many people suggest modifying the Ciphers and KexAlgorithms parameters in the file /etc/ssh/sshd_config.
    But in fact, due to server security hardening, some ciphers and KexAlgorithms are no longer supported.
    For example: diffie-hellman-group1-sha1 is widely used, but not secure enough.

    If the older ssh client does not support these algorithms, an error occurs: no hex alg
    For example: Sun_SSH_1.1
    Upgrade the ssh client quickly!!
    Good luck!
