I am testing the connection on the command line, using:
sftp -vvv firstname.lastname@example.org
debug2: resolving "example.com" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to example.com [example.com] port 22.
debug1: Connection established.
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u4
ssh_exchange_identification: read: Connection reset by peer
(firewall dropped the connection)
Using an offsite VPN to the same connection:
debug1: kex: algorithm: diffie-hellman-group-exchange-sha1
debug1: kex: host key algorithm: (no match)
Unable to negotiate with example.com port 22: no matching host key type found. Their offer: ssh-dss
(successful connection, but wrong algo)
Adding the legacy SSH flag while on the offsite VPN (sftp -vvv -oHostKeyAlgorithms=+ssh-dss email@example.com) returns:
The authenticity of host 'example.com (example.com)' can't be established.
DSA key fingerprint is SHA256:snipped.
Are you sure you want to continue connecting (yes/no)?
My question is: by what method can I allow this legacy connection through FortiGate to example.com?
I am using a FortiGate 310B.