How to Rebuild OpenSSH (Resolving "No matching host key type found")

2025-21-01

On distros like Arch Linux you may have seen this error appear when trying to SSH into old servers. In my case I was trying to connect to my router (for very morally upstanding purposes). However I would receive this error.

You may have looked online and tried adding the "HostKeyAlgorithms" flag to no avail.

This error stems from the fact the older DSA signature algorithm used for negotiating is disabled at compile time starting from the 9.8 release. You can see this in the release document

To bring back this functionality we just need to recompile OpenSSH with DSA enabled.

First we're going to clone the OpenSSH-Portable repo from Github.

git clone https://github.com/openssh/openssh-portable.git
cd openssh-portable/
autoreconf

Next we'll run the configure script with a collection of arguments. Most of these arguments are from the PKGBUILD for OpenSSH however we're also going to add the "--enable-dsa-keys" option. This will bring back DSA signatures.

./configure --prefix=/usr \
  --sbindir=/usr/bin \
  --libexecdir=/usr/lib/ssh \
  --sysconfdir=/etc/ssh \
  --disable-strip \
  --with-libedit \
  --with-security-key-builtin \
  --with-ssl-engine \
  --with-pam \
  --with-privsep-user=nobody \
  --with-privsep-path=/usr/share/empty.sshd \
  --with-kerberos5=/usr \
  --with-xauth=/usr/bin/xauth \
  --with-pid-dir=/run \
  --with-default-path='/usr/local/sbin:/usr/local/bin:/usr/bin' \
  --without-zlib-version-check \
  --enable-dsa-keys

make -j$(nproc) -l$(nproc + 1) 
sudo make install

Now you can SSH into whatever ancient box you want.