1

In short, I have a pipeline in GitLab CI that runs on an alpine:latest image. In the pipeline I run this to install ssh:

apk update && apk upgrade && apk add --update openssh

And then I run an scp command:

scp -P $SSH_PORT $FILES $SSH_USER@$SSH_HOST:~/

Which fails with:

ssh: connect to host <host> port <port>: Connection refused
scp: Connection closed

And on the server I can see the log:

Unable to negotiate with <ip> port <port>: no matching host key type found. Their offer: sk-ecdsa-sha2-nistp256@openssh.com [preauth]
Unable to negotiate with <ip> port <port>: no matching host key type found. Their offer: sk-ssh-ed25519@openssh.com [preauth]

After researching and trying to understand how the whole process works, I tried adding the PubkeyAcceptedKeyTypes option in the scp command so that the client accepts the Host Key provided for authentication by the server:

scp -o 'PubkeyAcceptedKeyTypes=+sk-ssh-ed25519@openssh.com' -P $SSH_PORT $FILES $SSH_USER@$SSH_HOST:~/

But unfortunately nothing has changed.

Would anyone have any ideas?

rhuanpk
  • 121

2 Answers

1

I discovered that the connection was actually stopping at my firewall :P

EDIT 1:

How are you? So, in my case it happened like this... I use UFW and I had defined the following rule for SSH connections:

ufw limit <port>/tcp

Which basically allows routing incoming and outgoing to anywhere on that port via the TCP protocol. And that would be all this rule does if I had used allow instead of limit; the difference is that limit, in addition to doing what I explained, also starts blocking requests if there have been too many failed attempts.

That day I changed some settings on the server and forgot to apply these settings to the pipeline environment variables, which resulted in several failed requests. After I had everything configured correctly, UFW had already blocked requests to the SSH port.

If this is your case, just wait for the port blocking time to end or remove the rule and then apply it again.

NOTE: remember that UFW is a frontend for iptables

rhuanpk
  • 121
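An added check, not part of rhuanpk's answer, that confirms from the kernel log whether UFW's limit rule (rather than sshd) dropped the runner's connections. It assumes the default "[UFW LIMIT BLOCK]" log prefix that ufw puts on rate-limited packets, and the log lines embedded below are constructed samples, not real traffic:

```shell
#!/bin/sh
# Added example (not from the original post). Counts SYNs that UFW's "limit"
# rule rate-limited, per source address, for one destination port.
# Assumes ufw's default "[UFW LIMIT BLOCK]" kernel-log prefix; the lines in
# SAMPLE_LOG are constructed, with documentation-range addresses.

SAMPLE_LOG=$(cat <<'EOF'
May  3 10:01:02 srv kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=2222 SYN
May  3 10:01:03 srv kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=51001 DPT=2222 SYN
May  3 10:01:04 srv kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.5 PROTO=TCP SPT=40000 DPT=23 SYN
May  3 10:01:05 srv kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= SRC=203.0.113.42 DST=198.51.100.5 PROTO=TCP SPT=52000 DPT=2222 SYN
May  3 10:01:06 srv kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=51002 DPT=80 SYN
EOF
)

# limit_blocks_for_port PORT [LOGFILE]
# Prints "count source" lines, busiest source first, for packets dropped by
# the limit rule on PORT. Reads the constructed sample when no file is given.
# Plain "[UFW BLOCK]" lines (ordinary deny rules) are deliberately excluded.
limit_blocks_for_port() {
    port=$1
    if [ -n "$2" ]; then
        cat -- "$2"
    else
        printf '%s\n' "$SAMPLE_LOG"
    fi | grep -F '[UFW LIMIT BLOCK]' \
       | grep -E "DPT=${port}( |$)" \
       | sed -n 's/.*SRC=\([^ ]*\).*/\1/p' \
       | sort | uniq -c | sort -rn \
       | awk '{print $1, $2}'
}

# limit_blocked_sources PORT [LOGFILE]
# Number of distinct sources rate-limited on PORT. Seeing the CI runner's
# address here is the evidence that UFW, not sshd, closed the connection.
limit_blocked_sources() {
    limit_blocks_for_port "$1" "$2" | wc -l | tr -d ' '
}

limit_blocks_for_port 2222
```

On a real server, point the second argument at the kernel log (for example /var/log/ufw.log or /var/log/kern.log) and use the SSH port from the ufw limit rule.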
0

How was it blocked by a firewall? I am dealing with exactly the same thing after reloading some iptables rules and I can't figure out how it could be blocked if the server logs that key mismatch?