Re: lftp: can no longer connect with sftp (no matching host key type found)



Vincent Lefevre <vincent@vinc17.net> writes:
> On 2015-12-06 16:48:35 +0100, Vincent Lefevre wrote:

>> Package: lftp
>> Version: 4.6.3a-1+b1
>> Severity: grave
>> Justification: renders package unusable
>> 
>> After a system upgrade, lftp can no longer connect with sftp.
>> When I type "dir", I get the error:
>> 
>> `ls' at 0 [Unable to negotiate with 192.168.1.4: no matching host key type found. Their offer: ssh-dss]
>> 
>> 4 days ago, I had no problems.

> The problem actually comes from openssh-client (on which lftp has
> no dependencies!).

> First, the error is surprising because I was just using an IP address,
> for which host key checking doesn't make much sense. But even if I set
> both CheckHostIP and StrictHostKeyChecking to "no", I get the error!

I think Colin is still working on making sure this change is visible
enough to everyone it affects, but see the changelog in openssh-client:

    - Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled by
      default at run-time.  These may be re-enabled using the instructions
      at http://www.openssh.com/legacy.html

It sounds like the remote host to which you're trying to connect only
offers ssh-dss keys, which are no longer supported by default (following
upstream) because they're not very secure.

This is unrelated to host key checking or IP checking.  It's about the
type of underlying crypto being used to secure the connection.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
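
An added example, not part of the original message or of OpenSSH: a shell sketch that reads the negotiation error quoted above and prints an ssh_config block re-enabling only the disabled host key type the server offered, scoped to that one host. The function names are hypothetical, the sample lines are constructed from the error in the report, and `HostKeyAlgorithms +ssh-dss` is the option form documented on the OpenSSH legacy page the changelog points to.

```shell
#!/bin/sh
# Host key types the changelog quoted above says are disabled by default.
LEGACY_HOSTKEY_ALGS="ssh-dss"

# Parse one "Unable to negotiate" line and print "<host> <offer-list>".
# Accepts both "with HOST: no matching ..." and "with HOST port N: ...".
parse_negotiation_error() {
    printf '%s\n' "$1" | sed -n \
      's/.*Unable to negotiate with \([^ ]*\).*: no matching host key type found\. Their offer: \([A-Za-z0-9@.,_-]*\).*/\1 \2/p'
}

# Print a Host block that re-enables only the legacy types this server
# offered. Returns 1 when the line does not parse or nothing legacy is offered.
legacy_stanza() {
    parsed=$(parse_negotiation_error "$1")
    [ -n "$parsed" ] || return 1
    host=${parsed%% *}
    offer=${parsed#* }
    enable=""
    for alg in $(printf '%s' "$offer" | tr ',' ' '); do
        case " $LEGACY_HOSTKEY_ALGS " in
            *" $alg "*) enable="${enable:+$enable,}$alg" ;;
        esac
    done
    [ -n "$enable" ] || return 1
    # Scoped to one host so the weak type stays disabled everywhere else.
    printf 'Host %s\n    HostKeyAlgorithms +%s\n' "$host" "$enable"
}

# Constructed sample: the error text from the bug report above.
SAMPLE_ERROR="Unable to negotiate with 192.168.1.4: no matching host key type found. Their offer: ssh-dss]"
legacy_stanza "$SAMPLE_ERROR"
```

The printed block goes in `~/.ssh/config`. It is a stopgap until the server is given a host key of a stronger type.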