Troubleshooting Tip: SSH error 'No matching host key type found. Their offer:'

Upon taking a packet capture, it may be seen that FortiGate did not send any host key-type proposal:

To diagnose SSH Key exchange issues on Fortigate, use the following debug commands:

diagnose debug console timestamp enable
diagnose debug application sshd -1
diagnose debug enable

The 'list_hostkey_types' is empty:

SSH: fd 7 is not O_NONBLOCK

SSH: Forked child 31816.

SSH: Client protocol version 2.0; client software version PuTTY_Release_0.68

SSH: no match: PuTTY_Release_0.68

SSH: Enabling compatibility mode for protocol 2.0

SSH: Local version string SSH-2.0-Nn0FjQVd-y

SSH: fd 7 setting O_NONBLOCK

SSH: Proposal: 0, Ciphers: 'diffie-hellman-group14-sha1'

SSH: Proposal: 2, Ciphers: 'chacha20-poly1305@openssh.com,aes256-ctr,aes256-gcm@openssh.com'

SSH: Proposal: 3, Ciphers: 'chacha20-poly1305@openssh.com,aes256-ctr,aes256-gcm@openssh.com'

SSH: Proposal: 4, Ciphers: 'hmac-sha2-256,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-512-etm@openssh.com'

SSH: Proposal: 5, Ciphers: 'hmac-sha2-256,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-512-etm@openssh.com'

SSH: list_hostkey_types:

This happens because the host key file may be deleted or corrupted during an update. It is possible to check by using the following command: 'fnsysctl ls -l /etc/ssh'.

In this case, the solution is regenerating SSH host keys by using the command 'execute ssh-regen-keys'.

After this, reconnect SSH and see if the connection is going through.

Related articles:

• Technical Tip: 'No matching key exchange found'
• Technical Tip: SSH key exchange troubleshooting
• Technical Tip: How SSH Server host key algorithms can be changed 
• Technical Tip: SSH Server host key offered by FortiGate