I am trying to connect over SSH from an old CentOS 6 system to a "brand new" AWS Linux 2023 host, and I get the error "no hostkey alg".
According to the AWS documentation, ssh-rsa keys are disabled on AWS Linux 2023, but they can be authorized (https://docs.aws.amazon.com/linux/al2023/ug/ssh-host-keys-disabled.html), so that has been done:
(dnf install crypto-policies-scripts)
(update-crypto-policies --set LEGACY)
(reboot)
But despite enabling ssh-rsa keys, I still get this annoying "no hostkey alg" error.
ssh-rsa and ssh-rsa-cert-v01@openssh.com are listed in the server's sshd configuration:
```
[user@server ~]# sshd -T | grep "\(ciphers\|macs\|kexalgorithms\|hostkeyalgorithms\|pubkeyacceptedalgorithms\)"
gssapikexalgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1-
ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc,3des-cbc
macs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
hostkeyalgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com,ssh-dss,ssh-dss-cert-v01@openssh.com
pubkeyacceptedalgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com,ssh-dss,ssh-dss-cert-v01@openssh.com
```
What I cannot understand is that in the server's sshd logs only two host key types are sent to the client, while the key type offered by the client is clearly listed in the server configuration (ssh-rsa-cert-v01@openssh.com)?
```
sshd[3161]: debug1: list_hostkey_types: ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Unable to negotiate with XXX.XXX.XXX.XXX port 35848: no matching host key type found. Their offer: ssh-rsa-cert-v01@openssh.com,>
```
Here are the complete logs.
Client error message (on the old CentOS):
```
[user@client ~]$ ssh -vvv user@FOOBAR
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /home/user/.ssh/config
debug1: Applying options for FOOBAR
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to XXX.XXX.XXX.XXX [XXX.XXX.XXX.XXX] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/private.key type -1
debug1: identity file /home/user/.ssh/private.key-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.7
debug1: match: OpenSSH_8.7 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 864 bytes for a total of 885
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96
debug2: kex_parse_kexinit: hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,kex-strict-s-v00@openssh.com
debug2: kex_parse_kexinit: ecdsa-sha2-nistp256,ssh-ed25519
debug2: kex_parse_kexinit: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc,3des-cbc
debug2: kex_parse_kexinit: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc,3des-cbc
debug2: kex_parse_kexinit: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: kex_parse_kexinit: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-sha1
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug2: mac_setup: found hmac-sha1
debug1: kex: client->server aes128-ctr hmac-sha1 none
no hostkey alg
```
sshd server logs (the new Amazon Linux 2023):
```
sshd[3161]: debug1: Set /proc/self/oom_score_adj to 0
sshd[3161]: debug1: rexec start in 8 out 8 newsock 8 pipe 10 sock 11
sshd[3161]: debug1: inetd sockets after dupping: 5, 5
sshd[3161]: Connection from XXX.XXX.XXX.XXX port 35848 on XXX.XXX.XXX.XXX port 22 rdomain ""
sshd[3161]: debug1: Local version string SSH-2.0-OpenSSH_8.7
sshd[3161]: debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
sshd[3161]: debug1: compat_banner: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000002
sshd[3161]: debug1: permanently_set_uid: 74/74 [preauth]
sshd[3161]: debug1: list_hostkey_types: ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
sshd[3161]: debug1: SSH2_MSG_KEXINIT sent [preauth]
sshd[3161]: debug1: SSH2_MSG_KEXINIT received [preauth]
sshd[3161]: debug1: kex: algorithm: diffie-hellman-group-exchange-sha256 [preauth]
sshd[3161]: debug1: kex: host key algorithm: (no match) [preauth]
sshd[3161]: Unable to negotiate with XXX.XXX.XXX.XXX port 35848: no matching host key type found. Their offer: ssh-rsa-cert-v01@openssh.com,>
sshd[3161]: debug1: do_cleanup [preauth]
```
Any ideas?
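As an added illustration (not part of the question above), the following script replays RFC 4253 section 7.1 name-list negotiation over the exact KEXINIT lists captured in the two logs: it reproduces the successful kex, cipher and MAC choices shown in the logs and the empty host-key intersection, and then shows that the client's first offer would have matched the wider `sshd -T` HostKeyAlgorithms list. The point it makes is that `sshd -T` prints a filter, whereas `list_hostkey_types` advertises only the algorithm names for which sshd actually loaded a host key or certificate; the abridged `CONFIGURED_HOSTKEY` list is my own shortening of the page's output.

```python
"""RFC 4253 7.1 negotiation replayed on the KEXINIT name-lists from the logs above.
Added example, not part of the original post."""
# Client (OpenSSH 5.3) and server (OpenSSH 8.7) name-lists, copied from the logs.
CLIENT = {
    "kex": "diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,"
           "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1",
    "hostkey": "ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,"
               "ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss",
    "cipher": "aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,"
              "cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se",
    "mac": "hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,"
           "hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96",
}
SERVER = {
    "kex": "curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,"
           "ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,"
           "diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,"
           "diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,"
           "diffie-hellman-group14-sha1,kex-strict-s-v00@openssh.com",
    # What list_hostkey_types actually put on the wire: only key types it loaded.
    "hostkey": "ecdsa-sha2-nistp256,ssh-ed25519",
    "cipher": "aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,"
              "aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc,3des-cbc",
    "mac": "hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,"
           "umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,"
           "hmac-sha1,umac-128@openssh.com,hmac-sha2-512",
}
# HostKeyAlgorithms filter from `sshd -T` (abridged by me); wider than what was advertised.
CONFIGURED_HOSTKEY = (
    "ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,"
    "ecdsa-sha2-nistp521,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,"
    "rsa-sha2-512,ssh-rsa,ssh-rsa-cert-v01@openssh.com,ssh-dss"
)

def negotiate(client_list, server_list):
    """First name in the client's preference order that the server also lists."""
    server = set(server_list.split(","))
    return next((n for n in client_list.split(",") if n in server), None)

def negotiate_all(client=CLIENT, server=SERVER):
    """Negotiate every category; a None anywhere means the handshake aborts."""
    return {cat: negotiate(client[cat], server[cat]) for cat in client}

if __name__ == "__main__":
    for cat, chosen in negotiate_all().items():
        print(f"{cat:8s} -> {chosen or '(no match)'}")
    # Against the configured filter alone, the client's first offer would have matched.
    print("vs sshd -T filter ->", negotiate(CLIENT["hostkey"], CONFIGURED_HOSTKEY))
```

The kex, cipher and MAC results match the `kex:` lines in both logs, and the `None` for the host key is exactly the "no matching host key type found" failure, so the place to look is which HostKey files sshd loaded, not the HostKeyAlgorithms filter.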