The SSH "no hostkey alg" error occurs when the SSH client and server cannot agree on a compatible host key algorithm. This typically happens when connecting older SSH clients to newer servers with strict algorithm policies.
When SSH establishes a connection, both the client and server exchange lists of supported algorithms for encryption, key exchange, and host key verification. The "no hostkey alg" error means there is no overlap between the client's accepted host key algorithms and the server's offered algorithms. This commonly occurs in two scenarios:
1. Older SSH clients trying to connect to newer OpenSSH servers (9.0+) that have disabled legacy algorithms like ssh-rsa
2. Newer clients connecting to very old servers that don't support modern algorithms like ssh-ed25519 or ECDSA
The server refuses the connection rather than falling back to weaker, deprecated algorithms, because modern OpenSSH disables SHA-1-based algorithms (ssh-rsa) by default for security reasons.
Run verbose SSH to see the mismatch:
ssh -vvv user@hostname 2>&1 | grep -A 5 "host key algorithm"
This shows what the server offers and helps diagnose the specific algorithms in conflict. Look for lines like "server host key algorithms" vs "client host key algorithms".
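As an added example (not code from the original page), a small Python diagnoser for the negotiation described above: it parses the client and server "host key algorithms:" lines from `ssh -vvv` output, intersects them in client preference order, and reports whether the overlap is empty (the "no hostkey alg" case) or consists only of SHA-1-based algorithms. The debug lines are a constructed sample that follows the OpenSSH -vvv layout; the section headers and function names are this example's own assumptions.

```python
"""Diagnose a "no hostkey alg" mismatch from `ssh -vvv` debug output."""
import re

# Constructed sample of OpenSSH -vvv output, assuming the real layout:
# one "host key algorithms:" line under each KEXINIT proposal header.
SAMPLE_DEBUG = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256
debug2: host key algorithms: ssh-rsa,ssh-dss
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256
debug2: host key algorithms: ssh-ed25519,rsa-sha2-512,rsa-sha2-256
"""

# Host key algorithms whose signatures rely on SHA-1 (weak, deprecated).
SHA1_ALGS = {"ssh-rsa", "ssh-dss"}


def parse_hostkey_algs(debug_output: str) -> dict:
    """Return {'client': [...], 'server': [...]} host key algorithm lists."""
    result, side = {}, None
    for line in debug_output.splitlines():
        if "local client KEXINIT proposal" in line:
            side = "client"
        elif "peer server KEXINIT proposal" in line:
            side = "server"
        m = re.search(r"host key algorithms: (\S+)", line)
        if m and side and side not in result:
            result[side] = m.group(1).split(",")
    return result


def diagnose(debug_output: str) -> dict:
    """Intersect both lists in client preference order (the RFC 4253 rule)."""
    algs = parse_hostkey_algs(debug_output)
    client, server = algs.get("client", []), algs.get("server", [])
    common = [a for a in client if a in server]
    if not common:
        verdict = "no hostkey alg"      # the error this page is about
    elif all(a in SHA1_ALGS for a in common):
        verdict = "sha1-only overlap"   # connects only with the +ssh-rsa workaround
    else:
        verdict = "ok"
    return {"client": client, "server": server, "common": common,
            "negotiated": common[0] if common else None, "verdict": verdict}

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_DEBUG).items():
        print(f"{key}: {value}")
```

Feed it real output with `ssh -vvv host 2>&1 | python3 diagnose.py` after replacing SAMPLE_DEBUG with `sys.stdin.read()`.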
Add legacy algorithms to your connection:
ssh -o HostKeyAlgorithms=+ssh-rsa user@hostname
Or add to ~/.ssh/config for persistent configuration:
Host specific-server
Hostname 192.168.1.100
User myuser
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
The + prefix appends to the default algorithms instead of replacing them. This works but relies on weaker SHA-1 hashing, so use it only as a temporary workaround.
Edit /etc/ssh/sshd_config and add or modify the HostKeyAlgorithms line:
# Add strong modern algorithms
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256
Then restart sshd:
sudo systemctl restart sshd
# or on some systems:
sudo service sshd restart
This maintains security while supporting both old and new clients: ssh-ed25519 and the rsa-sha2-* variants use secure hash algorithms.
Check what host keys exist:
ls -la /etc/ssh/ssh_host_*
If the ed25519 or ecdsa keys are missing, generate them:
sudo ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
sudo ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N ""
sudo systemctl restart sshd
Newer clients prefer ed25519 for both security and performance.
Check your SSH version:
ssh -V
If you are using OpenSSH < 6.5, update your SSH client:
# Ubuntu/Debian
sudo apt-get update && sudo apt-get install openssh-client
# macOS (via Homebrew)
brew install openssh
# CentOS/RHEL
sudo yum update openssh-clients
Older clients lack support for modern algorithms; upgrading resolves this permanently.
Algorithm Explanation:
- ssh-ed25519: Modern elliptic curve algorithm (fastest, most secure). Introduced in OpenSSH 6.5 (2013).
- rsa-sha2-512/256: Traditional RSA with SHA-2 hashing (secure). Requires OpenSSH 7.2+ (2016).
- ssh-rsa (deprecated): Traditional RSA with SHA-1 (legacy). Disabled by default in OpenSSH 8.8+ (2021).
- ECDSA variants: Elliptic curve algorithms (ecdsa-sha2-nistp256/384/521). Middle-ground option for older systems.
On systems running in FIPS mode (crypto policy), some algorithms may be restricted—check with ssh -Q HostKeyAlgorithms.
For Amazon Linux 2023 specifically, use system crypto policies instead of editing sshd_config directly. Consult the AL2023 documentation for CryptographyPolicies updates.