Header

Troubleshooting SSH Connection Issues with AlmaLinux in DeployHQ

This guide will help you resolve a common issue where you might be unable to connect to your AlmaLinux server via SSH, particularly when initiating the connection from older Linux distributions.

Symptoms Symptoms

You might encounter the following when trying to connect to your AlmaLinux server:

  • SSH connection attempts fail or timeout.
  • You receive error messages related to key exchange algorithms or no matching host key type.
  • Connections from newer systems might work, while connections from older systems consistently fail.

Cause ️

AlmaLinux, especially newer versions like AlmaLinux 9, comes with updated system-wide cryptographic policies. These policies define the set of allowed cryptographic algorithms and protocols for secure communications, including SSH. By default, some older, less secure algorithms (like those relying on SHA-1 for certain operations) might be disabled.

If the SSH client on your local machine or your DeployHQ environment is using an older Linux distribution, it might be trying to negotiate the SSH connection using an algorithm that your AlmaLinux server no longer permits by default. This mismatch in allowed cryptographic algorithms is a common reason for SSH connection failures.

Resolution ✅

The recommended solution involves adjusting the cryptographic policies on your AlmaLinux server to allow for a broader range of algorithms, including SHA-1 for specific necessary functions, which can restore compatibility with older SSH clients.

Important: While this solution enables broader compatibility, be aware that SHA-1 is considered cryptographically weaker than newer algorithms. Evaluate the security implications for your specific environment. For DeployHQ, ensure your deployment environment itself is up-to-date for optimal security.

Follow these steps on your AlmaLinux server:

1- Log in to your AlmaLinux server directly (e.g., via a console or a successful SSH connection from a compatible client).

2- Open a terminal and execute the following command with root privileges (e.g., using sudo):

sudo update-crypto-policies --set DEFAULT:SHA1

This command modifies the system's crypto policies to the DEFAULT profile while also enabling SHA-1 for specific algorithms where it might be required for compatibility.

3- Reboot your AlmaLinux server for the changes to take full effect:

sudo reboot

After your server has rebooted, attempt to connect via SSH from DeployHQ or your older Linux system again. The issue should now be resolved.

If you continue to experience problems, please ensure your DeployHQ project is correctly configured with the appropriate SSH keys and server details. You may also want to check the SSH logs on both the client and server (/var/log/secure or journalctl -u sshd on the AlmaLinux server) for more specific error messages.

Tree

Proudly powered by Katapult. Running on 100% renewable energy.