FortiSwitch: secure, simple and scalable Ethernet solutions
pprince
Staff
Article Id 395237
Description

This article describes how to handle a situation where SSH to the FortiSwitch is not possible and regenerating SSH host keys via ssh-regen-keys is the only option.

 

  1. Remotely accessing a managed FortiSwitch requires an SSH connection to the FortiSwitch from the FortiGate CLI.
  2. SSH from the FortiGate to the FortiSwitch works only when the SSH server host key type offered by FortiSwitch OS is one the FortiGate also supports; the mutually supported host key algorithm types are ECDSA, EdDSA, and RSA.
  3. In some scenarios, the following error is seen when connecting to the FortiSwitch over SSH from the FortiGate: 'No matching host key type found. Their offer: '.
Scope

All FortiSwitch models.
Solution
  1. Since the FortiSwitch is managed by the FortiGate, enable telnet access to the switch from the FortiGate:

 

config switch-controller security-policy local-access

    edit default

        set mgmt-allowaccess ssh https ping telnet

        set internal-allowaccess ssh https ping telnet

    next

end

 

  2. Telnet into the switch from the FortiGate CLI and regenerate the SSH host keys with the following command:

 

FortiWiFi-80F-2R # execute telnet 10.255.1.3

S108EF5919xxxxxxx # execute ssh-regen-keys

 

  3. Disable telnet again for security purposes:

 

config switch-controller security-policy local-access

    edit default

        set mgmt-allowaccess ssh https ping

        set internal-allowaccess ssh https ping

    next

end

 

  4. If the issue persists, log in to the FortiSwitch via telnet and kill the sshd process:

fnsysctl killall sshd
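The error quoted above tells an administrator two different things depending on what follows 'Their offer:'. An empty offer means the switch is presenting no usable host key at all (the case this article fixes with ssh-regen-keys); a non-empty offer with no overlap means a host key algorithm mismatch between the two sides. The following parser is an added example, not Fortinet code; it assumes OpenSSH-style error wording and OpenSSH algorithm identifiers for the ECDSA, EdDSA and RSA families named above.

```python
import re
from dataclasses import dataclass
from typing import Tuple

# OpenSSH identifiers for the three host key families the article names
# (ECDSA, EdDSA, RSA). Assumed client-side accept list, not FortiGate's own.
CLIENT_HOST_KEY_ALGS: Tuple[str, ...] = (
    "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384",
    "ssh-ed25519",
    "rsa-sha2-256",
    "rsa-sha2-512",
)

# Captures the comma-separated offer; stops at a closing quote so the
# article's "Their offer: '." form yields an empty offer.
_OFFER_RE = re.compile(
    r"[Nn]o matching host key type found\. Their offer: (?P<offer>[^'\"]*)"
)


@dataclass(frozen=True)
class Diagnosis:
    offered: Tuple[str, ...]   # host key types the server advertised
    common: Tuple[str, ...]    # subset the client would also accept
    verdict: str               # "empty-offer" | "algorithm-mismatch" | "match"


def diagnose(error_line: str,
             client_algs: Tuple[str, ...] = CLIENT_HOST_KEY_ALGS) -> Diagnosis:
    """Classify a 'no matching host key type' error from an SSH client log line."""
    m = _OFFER_RE.search(error_line)
    if m is None:
        raise ValueError("not a host key negotiation error")
    offered = tuple(a for a in m.group("offer").strip().split(",") if a)
    common = tuple(a for a in offered if a in client_algs)
    if not offered:
        # Server has no host key to present: regenerate keys on the server side.
        verdict = "empty-offer"
    elif common:
        verdict = "match"
    else:
        # Keys exist but no shared algorithm: a client/server policy mismatch.
        verdict = "algorithm-mismatch"
    return Diagnosis(offered, common, verdict)


if __name__ == "__main__":
    # Constructed sample lines: the article's empty offer and a legacy-only offer.
    for line in ("No matching host key type found. Their offer: '.",
                 "Unable to negotiate with 10.255.1.3 port 22: no matching host key "
                 "type found. Their offer: ssh-rsa,ssh-dss"):
        print(diagnose(line))
```

An empty-offer verdict points at the switch (regenerate host keys); an algorithm-mismatch verdict points at negotiation policy rather than missing keys.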

 

Refer to Troubleshooting Tip: SSH error 'No matching host key type found. Their offer:'.