Can't bootstrap node with knife due to ssh issue

Knife can't bootstrap a node; it fails with the error below:
$ knife bootstrap -x chefclient -p 22 -i /home/chefclient/.ssh/id_rsa -N node name -E environment --sudo --bootstrap-version '12.7.2' --run-list zulu_jdk
Doing old-style registration with the validation key at /home/chefclient/.chef/validator.pem...
Delete your validation key in order to use your user credentials instead

Connecting to
ERROR: Net::SSH::Exception: could not settle on host_key algorithm

However, I can connect to the node using ssh:
$ ssh node name
Last login: Thu Jul 27 05:43:00 2023 from

The secure log on the node:
using knife:
sshd[24887]: Unable to negotiate with chef workstation port 37536: no matching host key type found. Their offer: [preauth]

using ssh directly:
Accepted publickey for chefclient from chef workstation port 44792 ssh2: RSA SHA256:******

Is this for a RHEL 9+ or Ubuntu 22.04+ or similar variant? If so, you may need to upgrade your chef-workstation to a newer version that includes chef-client 18.x+ for the updated net::ssh gem that supports the new ssh key crypto algorithms.

The OS is Oracle Linux 8. The chef-client version is 12.7.2.
net-ssh (7.1.0, 6.1.0, 4.2.0)

Is there any syntax change in cookbooks if I upgrade Chef to a higher version?

Is there any way to force knife to use a similar option as in ssh?
ssh -i key.pem shell@... -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa

OL 8 shouldn't have an ssh algorithm problem. 9+ is when they removed the old deprecated ssh-rsa with less than 2048 bits, which broke many users' ssh keys that they had been using for a long time.

Upgrading from chef-client 12 to a newer version does involve a lot of changes in cookbooks, mostly around custom resources. I'd upgrade the workstation to the latest version and run cookstyle to test for any broken patterns that changed.

Unfortunately, from the client side you can't force the server to accept specific algorithms. The command you gave as an example would only affect the client side. It'd need to be configured on the server if it's blocking specific algorithms.

It is solved by adding the following to .ssh/config:

Host *

There is no '+' before ssh
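As an added example that is not part of this thread, here is a small Ruby model of the mechanics behind the fix: how OpenSSH's ssh_config rules apply a HostKeyAlgorithms value to the client's default offer (a '+' prefix appends to the defaults, a bare list replaces them), and how host-key negotiation picks the client's first preference that the server also offers, returning nothing when the two sets are disjoint, which is what the "could not settle on host_key algorithm" error reports. The default and server algorithm lists and the sample config are constructed for illustration.

```ruby
# Added example (not from this thread): models ssh_config(5) HostKeyAlgorithms
# handling and the host-key negotiation that fails when client and server
# share no algorithm. All algorithm lists are constructed, not real defaults.
CLIENT_DEFAULT = %w[ssh-ed25519 ecdsa-sha2-nistp256 rsa-sha2-512 rsa-sha2-256].freeze

# Apply a HostKeyAlgorithms value to the default offer, per ssh_config(5):
# '+' appends, '-' removes (wildcards allowed), '^' prepends, bare list replaces.
def apply_host_key_algorithms(value, defaults = CLIENT_DEFAULT)
  return defaults if value.nil?
  prefix = value[0]
  list = value.sub(/\A[+\-^]/, '').split(',').map(&:strip).reject(&:empty?)
  case prefix
  when '+' then (defaults + list).uniq
  when '-' then defaults.reject { |a| list.any? { |pat| File.fnmatch(pat, a) } }
  when '^' then (list + defaults).uniq
  else list
  end
end

# Minimal ssh_config reader: the first HostKeyAlgorithms inside a Host block
# matching hostname wins (ssh_config is first-obtained-value-wins).
def host_key_algorithms_for(config_text, hostname)
  in_matching_block = true # directives before any Host line apply to all hosts
  config_text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, val = line.split(/\s+|=/, 2)
    next if val.nil?
    case key.downcase
    when 'host'
      in_matching_block = val.split.any? { |pat| File.fnmatch(pat, hostname) }
    when 'hostkeyalgorithms'
      return val if in_matching_block
    end
  end
  nil
end

# The client's first preference that the server also offers, or nil when the
# sets are disjoint (the point at which net-ssh raises Net::SSH::Exception).
def negotiate_host_key(client_offer, server_offer)
  client_offer.find { |alg| server_offer.include?(alg) }
end

# Constructed scenario: the server offers only ssh-rsa, so the default client
# offer fails while a bare "HostKeyAlgorithms ssh-rsa" under "Host *" succeeds.
SERVER_OFFER = %w[ssh-rsa].freeze
SAMPLE_CONFIG = "Host *\n  HostKeyAlgorithms ssh-rsa\n"
def demo(hostname = 'node1')
  value = host_key_algorithms_for(SAMPLE_CONFIG, hostname)
  negotiate_host_key(apply_host_key_algorithms(value), SERVER_OFFER)
end
```

Pinning HostKeyAlgorithms to ssh-rsa selects SHA-1 signatures over the RSA host key; rsa-sha2-256 and rsa-sha2-512 use the same RSA key with SHA-2 and are the better choice wherever the client library supports them.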