SSH - HostKeyAlgorithm

Latest SSH package (released July 1) was just installed on my little laptop, and now chokes on these lines that I have in my .ssh/config for two bits of vintage hardware (non-upgradable, with built-in ssh both from 2008).

    HostKeyAlgorithms=+ssh-dss

This notes that the change is a new compile-time default, but not yet mandatory. My question is, was the exclusion of this a distribution-level choice, OR was it just an accepted default without making a choice?

Like, if I wait a few weeks and the default build will be changed to re-include this, I’ll wait patiently, BUT, if not, I’ll start the work of re-compiling the package source myself (which I’m hesitant to do on the 12 year old MacBook Air I’m running).


I didn’t find anything by keyword search for dss - but for dsa, which is going to be excluded.

If it is excluded (likely for … reasons) it will not be added again.
That is just my logic - I’m not a dev on this - not a dev at all even.

If it’s gone, it’s gone.

I have a few older OpenWRT routers where I needed to do:

    HostKeyAlgorithms +ssh-rsa

because they don’t support the more modern algorithms


    cat ./.ssh/config
    Host router
      User root
      HostKeyAlgorithms +ssh-rsa

Is it maybe a syntax issue?

    HostKeyAlgorithms +ssh-rsa

(an equal sign and no space in yours … no equal sign and a space in mine)

1 Like

I use the same .ssh/config on macOS, CentOS, Ubuntu, Debian. I’ll feel weird if I need to have a bespoke config just for Manjaro, but…

    /home/gvollink/.ssh/config line xx: Bad key types '+ssh-dss'.

So the error is the same regardless of ' ' / '='.

My shared config example is actually from Mint (Debian/Ubuntu base - pick whatever you like).
It is not from Manjaro.

Not special - just what I use and what works.
On “not Arch/Manjaro”.
But I’m sure it works there as well.

The possible syntax issue was just a suggestion.
This is what works for me is all I’m saying.

Right, so I’ll assume that between the Manjaro version install image for ssh and this update to 9.8 it is, indeed “gone forever”. So, I’ll move on to compile my own then.

I do appreciate the feedback.

1 Like

To be honest, I was (re)searching rsa and dsa and dss - and could not find much on dss.

All insecure by today’s standards - but old hardware/software might not be updatable.

If support for it is indeed removed and you still need it - you need to do what you said.

If … I have no way to test this nor have I (so far) found any info on it.

1 Like

You’ll be waiting forever. I need that key-type too; but, if Arch reverted back to including a deprecated key type, I’m done with it.

Actually, it’s deprecated for this release, it’s going to be removed altogether in 2025; this also details what you need to do to re-enable it for your use case.

I rebuilt it for the time being. But, I’m going to go on a shopping spree soon.

Oh, and a bit of IMO: anyone who takes the easy way out and gets a re-enabled openssh package from the AUR is an absolute idiot.
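
An added example, not part of any post in this thread: a shell function that lists the `HostKeyAlgorithms` entries in a shared ssh config that the local client build no longer offers, which is what produces the "Bad key types" error above. The function and file names are hypothetical, and the supported list in `demo` is constructed; on a real system it would come from `ssh -Q HostKeyAlgorithms`.

```shell
#!/bin/sh
# Added example (not from the thread). Report each algorithm named on a
# HostKeyAlgorithms line that is absent from the client's supported list.
#   $1 = ssh_config file
#   $2 = file with one supported algorithm per line, assumed non-empty
#        (real system: ssh -Q HostKeyAlgorithms > supported.txt)
unsupported_hostkey_algs() {
    awk '
        NR == FNR { ok[$1] = 1; next }        # first file: supported names
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            # keyword is case-insensitive; separator is whitespace and/or "="
            if (tolower(line) !~ /^hostkeyalgorithms[ \t=]/) next
            sub(/^[A-Za-z]+[ \t]*=?[ \t]*/, "", line)
            gsub(/"/, "", line)
            sub(/^[-+^]/, "", line)           # list modifier: + append, - remove, ^ prepend
            n = split(line, alg, /[, \t]+/)
            for (i = 1; i <= n; i++) {
                if (alg[i] == "" || alg[i] ~ /[*?]/) continue   # skip wildcard patterns
                if (!(alg[i] in ok)) print FNR ": " alg[i]
            }
        }
    ' "$2" "$1"
}

# Constructed sample: a supported list without ssh-dss and a config that
# combines the two HostKeyAlgorithms lines quoted in the thread.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' ssh-ed25519 rsa-sha2-512 rsa-sha2-256 ssh-rsa > "$d/supported"
    cat > "$d/config" <<'EOF'
Host router
  User root
  HostKeyAlgorithms +ssh-rsa
Host vintage
  HostKeyAlgorithms=+ssh-dss
EOF
    unsupported_hostkey_algs "$d/config" "$d/supported"
    rm -rf "$d"
}
```

Each output line is the config line number followed by the unsupported algorithm, so the same check can be run on every machine that shares the config.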