Fixing DigitalOcean Web Console Connection Errors

After hardening SSH on my CentOS server (hosted on DigitalOcean), the DO web console became inaccessible. After some trial and error, I found the sshd configuration changes required to make it work again (at the expense of some security).

Handshake failed: no matching host key format

Log from /var/log/secure:

sshd[6810]: Unable to negotiate with <IP_ADDR> port <PORT_NUM>: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa [preauth]

The DO web console does not support ED25519 host keys. The solution is to enable an ECDSA or RSA HostKey as well.

Handshake failed: no matching client->server HMAC

The following error messages are captured in /var/log/secure.

This one is due to the KexAlgorithms config:

Unable to negotiate with <IP_ADDR> port <PORT_NUM>: no matching key exchange method found. Their offer: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]

This one is due to the MACs config:

Unable to negotiate with 180.101.88.252 port 10622: no matching MAC found. Their offer: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-ripemd160@openssh.com [preauth]

The solution is to update the sshd configuration (usually /etc/ssh/sshd_config):

  • Append diffie-hellman-group-exchange-sha256 to KexAlgorithms

  • Append hmac-sha2-512 to MACs
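As an added diagnostic (not part of the original post), the following Python matches the three "Unable to negotiate" failures above against an sshd_config and names the strongest client-offered algorithm to add per keyword, instead of re-enabling everything the client lists. The log lines and config are constructed samples; the mapping from ECDSA key file to curve assumes the default nistp256.

```python
import re

# Constructed sample: a hardened sshd_config (ED25519-only host key, strict Kex and MACs).
SSHD_CONFIG = """\
HostKey /etc/ssh/ssh_host_ed25519_key
KexAlgorithms curve25519-sha256@libssh.org
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
"""
# Constructed sample: the three /var/log/secure failures from the post (offers shortened).
SECURE_LOG = """\
sshd[6810]: Unable to negotiate with <IP_ADDR> port <PORT_NUM>: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa [preauth]
sshd[6811]: Unable to negotiate with <IP_ADDR> port <PORT_NUM>: no matching key exchange method found. Their offer: ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
sshd[6812]: Unable to negotiate with <IP_ADDR> port <PORT_NUM>: no matching MAC found. Their offer: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5 [preauth]
"""

OFFER_RE = re.compile(r"no matching (host key type|key exchange method|MAC) found\. Their offer: (\S+)")
KEYWORD_FOR = {"host key type": "HostKey", "key exchange method": "KexAlgorithms", "MAC": "MACs"}
# Host key type advertised per key file (assumption: ECDSA keys use the default nistp256 curve).
HOSTKEY_TYPES = {"ssh_host_rsa_key": "ssh-rsa", "ssh_host_ecdsa_key": "ecdsa-sha2-nistp256",
                 "ssh_host_ed25519_key": "ssh-ed25519"}
# Strongest acceptable addition per keyword; sha1, md5 and group1 offers are deliberately absent.
PREFERRED = {"HostKey": ["ecdsa-sha2-nistp256", "ssh-rsa"],
             "KexAlgorithms": ["diffie-hellman-group-exchange-sha256", "ecdh-sha2-nistp256"],
             "MACs": ["hmac-sha2-512", "hmac-sha2-256"]}

def server_algorithms(config_text):
    """Return {keyword: algorithms the server accepts}; first KexAlgorithms/MACs line wins, HostKey accumulates."""
    allowed = {"HostKey": [], "KexAlgorithms": [], "MACs": []}
    for line in config_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] not in allowed:
            continue
        keyword, value = parts
        if keyword == "HostKey":
            allowed[keyword].append(HOSTKEY_TYPES.get(value.rsplit("/", 1)[-1], "unknown"))
        elif not allowed[keyword]:
            allowed[keyword] = value.split(",")
    return allowed

def diagnose(log_text, config_text):
    """For each failed negotiation with no overlap, name the config keyword and the strongest offered algorithm to add."""
    allowed = server_algorithms(config_text)
    findings = []
    for m in OFFER_RE.finditer(log_text):
        keyword, offered = KEYWORD_FOR[m.group(1)], m.group(2).split(",")
        if any(a in allowed[keyword] for a in offered):
            continue  # server already accepts something the client offers; failure lies elsewhere
        add = next((a for a in PREFERRED[keyword] if a in offered), None)
        findings.append({"keyword": keyword, "offered": offered, "add": add})
    return findings
```

Run `diagnose(SECURE_LOG, SSHD_CONFIG)` to get one finding per keyword; an empty list means the config already overlaps with every offer in the log.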