FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
idabouzi
Staff
Article Id 343847

 

Description This article describes the steps to add a missing cipher to establish an SSH connection.
Scope FortiSIEM configuration.
Solution

In FortiSIEM, the error shown below can occur when trying to connect to devices when applying remediation scripts via SSH.

This error happens while the encrypted channel is being set up. If FortiSIEM and the remote system do not share at least one cipher, there is no cipher to agree on and no encrypted channel is possible.


Below is an example where the 'ssh-ed25519' cipher (the host key type offered by the remote device) is not available to connect to 10.0.1.254:


[root@siem ~]# ssh adm_user@10.0.1.254
Unable to negotiate with 10.0.1.254 port 22: no matching host key type found. Their offer: ssh-ed25519


To avoid making a global change to solve a local problem, add the cipher to a Host block for the affected device in /etc/ssh/ssh_config:


Host <Host_IP>
HostKeyAlgorithms +<cipher>

 

  • First, back up the current configuration in ssh_config:

cp -rp /etc/ssh/ssh_config /etc/ssh/ssh_config.bkp

 

  • Update the ssh_config file:

vi /etc/ssh/ssh_config

 

  • Add the following:

Host 10.0.1.254
HostKeyAlgorithms +ssh-ed25519

 

  • Save the file.

 

  • Restart the sshd service:

systemctl restart sshd.service
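
The backup and edit steps above can also be scripted so that the Host block is added only once and only for the affected device. This is an added example, not Fortinet's code; the function name add_host_key_alg and its return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: scripted form of the backup + "Host" block steps.
# add_host_key_alg is a hypothetical helper, not a FortiSIEM command.
#
# Usage:   add_host_key_alg <ssh_config path> <host> <algorithm>
# Returns: 0 = block appended, 1 = already present, 2 = error
add_host_key_alg() {
    cfg=$1
    host=$2
    alg=$3

    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 2; }

    # Reject empty values and anything (spaces, newlines, quotes) that
    # could smuggle an extra directive into the configuration file.
    for v in "$host" "$alg"; do
        case $v in
            ''|*[!A-Za-z0-9@._:-]*)
                echo "invalid host or algorithm" >&2
                return 2 ;;
        esac
    done

    # Idempotence check: is "+<alg>" already set inside a Host block
    # that names exactly this host? A new Host or Match line ends a block.
    if awk -v h="$host" -v a="+$alg" '
        tolower($1) == "host" {
            inblk = 0
            for (i = 2; i <= NF; i++) if ($i == h) inblk = 1
            next
        }
        tolower($1) == "match" { inblk = 0; next }
        inblk && tolower($1) == "hostkeyalgorithms" && $2 == a { found = 1 }
        END { exit !found }' "$cfg"
    then
        return 1
    fi

    # Same backup name as in the article, taken before any change.
    cp -p "$cfg" "$cfg.bkp" || return 2

    # Append a block scoped to this host only; global settings are untouched.
    printf '\nHost %s\n    HostKeyAlgorithms +%s\n' "$host" "$alg" >> "$cfg" || return 2
    return 0
}

# Example call (run as root on the FortiSIEM node):
#   add_host_key_alg /etc/ssh/ssh_config 10.0.1.254 ssh-ed25519
```

Afterwards, `ssh -G 10.0.1.254 | grep -i hostkeyalgorithms` prints the value the client will actually use. ssh_config uses the first value obtained for each parameter, so an earlier block that already sets HostKeyAlgorithms takes precedence over the appended one.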