After performing SSH hardening on my CentOS server (hosted on DigitalOcean), the DO web console became inaccessible. After some trial and error, I found the sshd configuration needed to make it work again (at the expense of some security).
Handshake failed: no matching host key format
Log from /var/log/secure:
sshd[6810]: Unable to negotiate with <IP_ADDR> port <PORT_NUM>: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa [preauth]
The DO web console does not support ED25519 host keys. The solution is to enable an ECDSA or RSA HostKey in addition to it.
Handshake failed: no matching client->server HMAC
The following error messages are captured in /var/log/secure.
This one is due to the KexAlgorithms config:
Unable to negotiate with <IP_ADDR> port <PORT_NUM>: no matching key exchange method found. Their offer: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
This one is due to the MACs config:
Unable to negotiate with 180.101.88.252 port 10622: no matching MAC found. Their offer: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-ripemd160@openssh.com [preauth]
Solution is to update the sshd configuration (e.g. /etc/ssh/sshd_config):
Append diffie-hellman-group-exchange-sha256 to KexAlgorithms
Append hmac-sha2-512 to MACs
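The following script is an added example and is not code from the original post. It ties the log lines above to the fix: it pulls the "Their offer:" list out of an "Unable to negotiate" line, checks it against the server's configured KexAlgorithms list (an empty intersection is exactly what sshd logs as "no matching ... found"), and then appends one algorithm per directive plus an extra HostKey line, idempotently, to a copy of sshd_config. The function names, the sample config contents, the log line (with the post's placeholders kept) and the temporary file path are all constructed for this example; nothing here writes to /etc/ssh.

```shell
#!/bin/sh
# Added example (not code from the original post). Diagnoses a
# "no matching ..." failure from a /var/log/secure line against the server's
# configured list, then applies the post's fix to a COPY of sshd_config.
# Nothing here touches /etc/ssh; the file path is always passed in explicitly.

# offered_algs LINE
# Prints the comma-separated list after "Their offer:" in an
# "Unable to negotiate ..." line, i.e. what the client supports.
offered_algs() {
    printf '%s\n' "$1" | sed -n 's/.*Their offer: \([^ ]*\).*/\1/p'
}

# common_algs SERVER_LIST CLIENT_LIST
# Prints members of SERVER_LIST (server preference order) that CLIENT_LIST
# also contains, one per line. Empty output is the condition under which
# sshd logs "no matching key exchange method/MAC/host key type found".
common_algs() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r alg; do
        case ",$2," in *",$alg,"*) printf '%s\n' "$alg" ;; esac
    done
}

# get_directive FILE DIRECTIVE -> value of an uncommented DIRECTIVE line
get_directive() {
    awk -v d="$2" '$1 == d { print $2 }' "$1"
}

# append_alg FILE DIRECTIVE ALG
# Appends ALG to DIRECTIVE's comma list (lowest preference) unless already
# present; creates the directive when missing. Idempotent. Appending only
# the one algorithm the console needs keeps the rest of the hardening
# (no sha1/md5/group1 entries) intact.
append_alg() {
    file=$1 directive=$2 alg=$3
    awk -v d="$directive" -v a="$alg" '
        $1 == d {
            found = 1
            n = split($2, list, ",")
            for (i = 1; i <= n; i++) if (list[i] == a) { print; next }
            print d " " $2 "," a
            next
        }
        { print }
        END { if (!found) print d " " a }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# add_hostkey FILE KEYPATH -> adds a HostKey line unless already present
# (HostKey may be listed several times; one line per key file)
add_hostkey() {
    grep -Eq "^HostKey[[:space:]]+$2[[:space:]]*$" "$1" || printf 'HostKey %s\n' "$2" >> "$1"
}

# write_sample_config FILE -> constructed hardened config (ED25519-only host
# key, curve25519 KEX, etm MACs); a stand-in for the post's real file
write_sample_config() {
    cat > "$1" <<'EOF'
HostKey /etc/ssh/ssh_host_ed25519_key
KexAlgorithms curve25519-sha256@libssh.org
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
EOF
}

# Constructed log line in the shape the post quotes (placeholders kept).
KEX_LOG='sshd[6810]: Unable to negotiate with <IP_ADDR> port <PORT_NUM>: no matching key exchange method found. Their offer: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]'

cfg="${TMPDIR:-/tmp}/sshd_config.example.$$"
write_sample_config "$cfg"

offer=$(offered_algs "$KEX_LOG")
if [ -z "$(common_algs "$(get_directive "$cfg" KexAlgorithms)" "$offer")" ]; then
    echo "No KEX in common with the console; client offers: $offer"
fi

# The post's fix: one algorithm per directive, plus a non-ED25519 HostKey.
append_alg "$cfg" KexAlgorithms diffie-hellman-group-exchange-sha256
append_alg "$cfg" MACs hmac-sha2-512
add_hostkey "$cfg" /etc/ssh/ssh_host_ecdsa_key
common_algs "$(get_directive "$cfg" KexAlgorithms)" "$offer"   # now non-empty
cat "$cfg"
rm -f "$cfg"
# On the real host, validate before reloading:  sshd -t -f /etc/ssh/sshd_config
# and confirm the effective values:             sshd -T | grep -Ei '^(hostkey|kexalgorithms|macs) '
```

Picking the strongest entry from the client's offer (the sha256 group exchange and hmac-sha2-512, as the post does) rather than pasting the whole offered list is what keeps the sha1, md5 and group1 variants disabled; the ECDSA host key file must also exist (ssh-keygen -A regenerates any missing host keys on the server) before sshd will load the new HostKey line.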