Issue:
Customer reported that SSH from the VOS node to the vStream VM fails when the VOS node is running in FIPS/STIG-compliant mode.
Example error:
Branch-cli> ssh username root routing-instance JSR-Micro-Enterprise server 192.168.1.1
Unable to negotiate with 192.168.1.1 port 22: no matching host key type found. Their offer: rsa-sha2-512, rsa-sha2-256
Root cause:
In this flow, VOS is the SSH client and vStream is the SSH server. The vStream host key is RSA, and the server advertises only the SHA-2 signature variants for it (rsa-sha2-512 and rsa-sha2-256). An OpenSSH client accepts a server host key only if its HostKeyAlgorithms list shares at least one entry with the server's offer; "no matching host key type found" means that intersection is empty. On a VOS node in FIPS/STIG mode, the hardened client configuration in /etc/ssh/ssh_config (or a file it Includes) sets an explicit HostKeyAlgorithms list that does not contain rsa-sha2-256 or rsa-sha2-512, so negotiation fails even though the SSH binary itself supports both algorithms.
Verification:
Check what signature algorithms the VOS SSH client supports:
ssh -Q sig
Expected to include rsa-sha2-256 and rsa-sha2-512. This only shows what the binary can do, not what the configuration permits; the failure comes from the configured list, so the next check is the decisive one.
Check client-side HostKeyAlgorithms policy on VOS:
Review /etc/ssh/ssh_config and any files it Includes, and confirm whether HostKeyAlgorithms is set to an explicit list that excludes rsa-sha2-256 and rsa-sha2-512. Remember that ssh uses the first value it obtains for a keyword, so a Host block or an included file that appears earlier overrides a later global setting.
Resolution / Workaround:
Option A (may impact STIG posture):
Add rsa-sha2-256 and rsa-sha2-512 to HostKeyAlgorithms in the VOS client configuration (/etc/ssh/ssh_config). To limit the posture impact, scope the addition to the vStream address in a Host block rather than widening the global list.
The ssh client reads ssh_config on every invocation, so no service restart is needed for this client-side change. Restarting the SSH service only reloads sshd and is required only if sshd_config on the VOS node was also edited:
sudo service ssh restart
Option B (preferred for strict STIG compliance):
Keep the VOS client configuration unchanged and work with vStream to enable ECDSA-based host key algorithms on the server side (ecdsa-sha2-nistp256/384/521). This requires an ECDSA host key to exist on the vStream VM and to be referenced by a HostKey directive in its sshd configuration; sshd only offers host key types for which it has a key. Once the server's offer overlaps the STIG-acceptable client list, the same ssh command succeeds with no change to the VOS client.
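The following script is an added example and not part of the original article or the VOS/vStream products: it reproduces the client's host key negotiation decision offline, so that the Verification step and both resolution options can be reasoned about before touching a production node. All inputs are constructed stand-ins: the error line from the ticket, an assumed STIG-style `ssh -G 192.168.1.1` output for the VOS client (ECDSA-only list), and an assumed Option B server offer. On the real VOS node, the client input comes from `ssh -G <vstream-ip>`, which prints the effective configuration after Host/Include processing, and the server input is the "Their offer:" text from the error.

```shell
#!/bin/sh
# Added example (not from the original KB article). OpenSSH accepts a server
# host key only when the client's effective HostKeyAlgorithms list and the
# server's offer share at least one entry; this script evaluates that
# condition for the ticket's inputs and for both proposed fixes.
# All sample data below is CONSTRUCTED; see the lead-in for the real sources.

# Extract the server's offer from an OpenSSH "Unable to negotiate" error line.
offer_from_error() {
    printf '%s\n' "$1" | sed -n 's/.*Their offer: //p' | tr -d ' '
}

# Extract the effective client HostKeyAlgorithms from `ssh -G` output on
# stdin (`ssh -G` prints lowercase keywords, e.g. "hostkeyalgorithms a,b,c").
client_hostkeyalgos() {
    awk '$1 == "hostkeyalgorithms" { print $2 }'
}

# Print the comma-separated intersection (in client preference order) of the
# client list $1 and the server offer $2. Return 1 when it is empty, which is
# exactly the "no matching host key type found" condition.
common_hostkeyalgos() {
    client="$1"; offer="$2"; common=""
    for alg in $(printf '%s' "$client" | tr ',' ' '); do
        case ",$offer," in
            *",$alg,"*) common="${common:+$common,}$alg" ;;
        esac
    done
    [ -n "$common" ] || return 1
    printf '%s\n' "$common"
}

# Human-readable verdict for a client list / server offer pair.
explain() {
    if result=$(common_hostkeyalgos "$1" "$2"); then
        echo "OK: negotiable host key types: $result"
    else
        echo "FAIL: no matching host key type. Client: $1 / Offer: $2"
    fi
}

# --- constructed sample data (not captured from a real system) ---------------
ERROR_LINE='Unable to negotiate with 192.168.1.1 port 22: no matching host key type found. Their offer: rsa-sha2-512, rsa-sha2-256'
# Assumed `ssh -G 192.168.1.1` output on a STIG-hardened VOS client.
STIG_SSH_G='user root
hostname 192.168.1.1
port 22
hostkeyalgorithms ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,ecdsa-sha2-nistp521'

OFFER=$(offer_from_error "$ERROR_LINE")
STIG_CLIENT=$(printf '%s\n' "$STIG_SSH_G" | client_hostkeyalgos)
# Option A: client list widened with the RSA SHA-2 algorithms.
OPTION_A_CLIENT="$STIG_CLIENT,rsa-sha2-256,rsa-sha2-512"
# Option B: server additionally offers an ECDSA host key (assumed offer).
OPTION_B_OFFER="ecdsa-sha2-nistp384,rsa-sha2-512,rsa-sha2-256"

explain "$STIG_CLIENT" "$OFFER"            # reproduces the ticket's failure
explain "$OPTION_A_CLIENT" "$OFFER"        # Option A: client widened
explain "$STIG_CLIENT" "$OPTION_B_OFFER"   # Option B: server adds ECDSA
```

Using `ssh -G` rather than reading the file is deliberate: it resolves Include directives, Host blocks and the `+`/`-`/`^` list modifiers, so it shows the list the client will actually send for that destination. The third call shows why Option B is the cleaner fix: the client list is untouched and the match comes from the server now offering a type the hardened list already accepts.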