Ssh – HostKeyAlgorithms in sshd config on debian – daemon reload fail

Tags: daemon, debian, ssh

I have a Debian Jessie server and I would like to verify the fingerprint of the SSH keys on the server against a DNS SSHFP record. This works fine, but if a client connects over SSH to the server, the server provides the ssh-ecdsa algorithm. I'd like to configure the SSH daemon so that only ssh-ed25519 and ssh-rsa are the supported algorithms. On Ubuntu 16.04 it works with the ssh config key HostKeyAlgorithms, but if I use this key on Debian, I can't start the daemon.

Why doesn't the daemon support this config key, or must I use another config key to support only the ssh-ed25519 and ssh-rsa algorithms?

Here is my sshd_config:

AcceptEnv LANG LC_*
AuthorizedKeysFile  %h/.ssh/authorized_keys
ChallengeResponseAuthentication no
HostbasedAuthentication no
HostKey         /etc/ssh/ssh_host_rsa_key
HostKey         /etc/ssh/ssh_host_dsa_key
HostKey         /etc/ssh/ssh_host_ecdsa_key
HostKey         /etc/ssh/ssh_host_ed25519_key
#HostKeyAlgorithms  ssh-ed25519,ssh-rsa
KeyRegenerationInterval 3600
LoginGraceTime      120
LogLevel                INFO
MaxAuthTries        10
MaxSessions     5
PasswordAuthentication  no
PermitEmptyPasswords    no
PermitRootLogin     without-password
Port            22
PrintMotd               no
PrintLastLog        no
Protocol        2
RSAAuthentication   no
PubkeyAuthentication    yes
ServerKeyBits       4096
StrictModes     yes
SyslogFacility          AUTH
RhostsRSAAuthentication no
Subsystem       sftp /usr/lib/openssh/sftp-server
TCPKeepAlive        yes
UsePAM          no
UsePrivilegeSeparation  yes

Best Answer

HostKeyAlgorithms is not implemented in OpenSSH 6.7p1, which is available in Debian Jessie.

I'd like to configure the ssh daemon that only ssh-ed25519 and ssh-rsa are the supported algorithms

If you remove the respective keys from the HostKey configuration, they will not be offered by the server (the following lines):

HostKey         /etc/ssh/ssh_host_dsa_key
HostKey         /etc/ssh/ssh_host_ecdsa_key
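As an added example (not part of the question or answer above), the script below applies the answer's advice to the question's sshd_config and generates the SSHFP records the asker wants to verify against: it drops the HostKey lines for unwanted key types, reports which host key algorithms the remaining lines will make sshd offer, and computes the SHA-256 SSHFP record for a public key line the way `ssh-keygen -r` does. The SSHFP algorithm numbers are the RFC 4255/6594/7479 values; the ed25519 key blob is a constructed placeholder, not a real key.

```python
import base64
import hashlib
import re

# SSHFP algorithm numbers (RFC 4255 / 6594 / 7479); fingerprint type 2 = SHA-256.
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
# Key type stored in each /etc/ssh/ssh_host_<name>_key file that sshd loads.
HOSTKEY_FILE_TYPE = {"rsa": "ssh-rsa", "dsa": "ssh-dss",
                     "ecdsa": "ecdsa-sha2-nistp256", "ed25519": "ssh-ed25519"}
HOSTKEY_RE = re.compile(r"^\s*HostKey\s+\S*?ssh_host_(\w+)_key\s*$")

def keep_only_hostkeys(config_text, allowed):
    """Return sshd_config text with HostKey lines for key types outside `allowed` removed."""
    kept = []
    for line in config_text.splitlines():
        m = HOSTKEY_RE.match(line)
        if m and m.group(1) not in allowed:
            continue  # this is the "remove the respective HostKey line" step
        kept.append(line)
    return "\n".join(kept) + "\n"

def offered_hostkey_types(config_text):
    """Host key algorithms sshd will offer, derived from the HostKey lines that remain."""
    matches = map(HOSTKEY_RE.match, config_text.splitlines())
    return [HOSTKEY_FILE_TYPE[m.group(1)] for m in matches if m]

def sshfp_record(pubkey_line, owner):
    """SHA-256 SSHFP record for one OpenSSH public key line (digest is over the raw key blob)."""
    keytype, blob_b64 = pubkey_line.split()[:2]
    digest = hashlib.sha256(base64.b64decode(blob_b64)).hexdigest()
    return f"{owner} IN SSHFP {SSHFP_ALGO[keytype]} 2 {digest}"

def sshfp_matches(record, pubkey_line):
    """True when a DNS SSHFP record's algorithm and SHA-256 digest match a scanned key."""
    fields = record.split()
    algo, fptype, digest = int(fields[-3]), int(fields[-2]), fields[-1].lower()
    keytype, blob_b64 = pubkey_line.split()[:2]
    if fptype != 2 or SSHFP_ALGO.get(keytype) != algo:
        return False
    return hashlib.sha256(base64.b64decode(blob_b64)).hexdigest() == digest

# Constructed sample input: the HostKey block from the question, plus a synthetic ed25519
# blob in OpenSSH wire format (string "ssh-ed25519" + 32 bytes); it is not a real key.
SAMPLE_CONFIG = """HostKey         /etc/ssh/ssh_host_rsa_key
HostKey         /etc/ssh/ssh_host_dsa_key
HostKey         /etc/ssh/ssh_host_ecdsa_key
HostKey         /etc/ssh/ssh_host_ed25519_key
#HostKeyAlgorithms  ssh-ed25519,ssh-rsa
"""
_blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))
SAMPLE_ED25519_PUBKEY = "ssh-ed25519 " + base64.b64encode(_blob).decode() + " constructed@example"

if __name__ == "__main__":
    hardened = keep_only_hostkeys(SAMPLE_CONFIG, {"rsa", "ed25519"})
    print(hardened, offered_hostkey_types(hardened))
    print(sshfp_record(SAMPLE_ED25519_PUBKEY, "host.example."))
```

After editing the real file, `sshd -t` checks the syntax before a restart, and `ssh-keyscan` against the host shows which key types are actually offered afterwards.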