I upgraded my laptop to macOS Sierra last night and then was greeted by a fun new error logging into an APIC:
MacBook-Pro:~ Carl$ ssh -l carl 126.96.36.199
Unable to negotiate with 188.8.131.52 port 22: no matching host key type found. Their offer: ssh-dss
Boo! Seems bad, yeah? Well, it is. Please see this lovely bug here. So more or less this is not impactful, just not so secure. OpenSSH 7.0 deprecated ssh-dss due to its “inherent weakness.” I am not all up to speed with fancy crypto stuff so I will just believe them. In the meantime, until ACI gets on the gravy train with newer/better host key algorithms, I’ve still got to SSH to stuff. A quick jaunt around Google and the answer is pretty apparent: you can simply specify the host key algorithm on your SSH command line straight from your terminal, like so:
MacBook-Pro:~ Carl$ ssh -oHostKeyAlgorithms=+ssh-dss -l carl 184.108.40.206
Kinda a PITA to type huh? If you want to be super lazy, you can edit your ssh config file to always use ssh-dss for a particular host (or * for all hosts if you are feeling frisky) like so:
Host 220.127.116.11
    HostkeyAlgorithms +ssh-dss
That file may or may not exist for you, but should live in ~/.ssh/ – this should just use the ssh-dss algorithm as a last resort as far as I understand.
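Since the per-host entry and the * entry differ a lot in how widely ssh-dss gets re-enabled, here is a small checker (an added example, not part of the original post) that reads ssh config text and reports every scope that turns ssh-dss back on, marking wildcard and global scopes as broad. The hostnames in the sample are constructed.

```python
import re

LEGACY = "ssh-dss"  # DSA host keys, disabled by default since OpenSSH 7.0

# Constructed sample config; hostnames are placeholders.
SAMPLE = """\
Host apic1.example.net
    HostKeyAlgorithms +ssh-dss

Host *.lab.example.net
    hostkeyalgorithms=+ssh-dss,ssh-rsa

Host *
    HostKeyAlgorithms -ssh-dss
"""

def legacy_hostkey_scopes(config_text):
    """Return [(scope, broad)] for each scope whose HostKeyAlgorithms enables ssh-dss."""
    findings = []
    # Options placed before the first Host/Match line apply to every host.
    scope, broad = "(global, before any Host)", True
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts "Keyword value" and "Keyword=value"; keywords are case-insensitive.
        m = re.match(r"(\w+)\s*=?\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key in ("host", "match"):
            scope = f"{m.group(1)} {value}"
            wild = any(p[0] != "!" and ("*" in p or "?" in p) for p in value.split())
            broad = (key == "host" and wild) or (key == "match" and value.lower() == "all")
        elif key == "hostkeyalgorithms":
            # "+" appends to the defaults, "^" prepends, "-" removes; a bare list replaces them.
            algs = value.lstrip("+^").split(",")
            if not value.startswith("-") and LEGACY in algs:
                findings.append((scope, broad))
    return findings

if __name__ == "__main__":
    for scope, broad in legacy_hostkey_scopes(SAMPLE):
        print(("BROAD  " if broad else "scoped ") + scope)
```

Point it at the contents of your own ~/.ssh/config to see which entries still accept DSA host keys once the APIC side no longer needs it.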
I’ll update this if I find anything else, or if newer versions of code support new algorithms. For what it’s worth this was tested on ACI 2.0(1o) and macOS Sierra 10.12.