SSH connection not working (userauth_pubkey: key type ssh-rsa not in Pubkey Accepted Algorithms [preauth])

Written by - 0 comments

Published on - last updated on May 16th 2023 - Listed in Linux Ubuntu Security

Note: There are also Ubuntu 22.04 SSH connection issues using PuTTY as SSH client, which are related to the Ubuntu upgrade but can be solved differently.

After upgrading to Ubuntu 22.04, there have been some configuration changes. One of these changes is to disable the ssh-rsa key with SHA-1 hash algorithm as accepted public key type in the SSH server. From the OpenSSH changelog:

This release disables RSA signatures using the SHA-1 hash algorithm by default. This change has been made as the SHA-1 hash algorithm is cryptographically broken [...] For most users, this change should be invisible and there is no need to replace ssh-rsa keys. OpenSSH has supported RFC8332 RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys will automatically use the stronger algorithm where possible.

SSH login not possible:  key type ssh-rsa not in Pubkey Accepted Algorithms

While this isn't obvious at all, users with such a key won't be able to log in into a Ubuntu 22.04 system. On the SSH server side, the following log entries can be spotted in /var/log/auth.log:

May 16 11:17:44 jammy sshd[3456924]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
May 16 11:17:44 jammy sshd[3456924]: Received disconnect from port 59008:11: Client disconnecting normally [preauth]
May 16 11:17:44 jammy sshd[3456924]: Disconnected from authenticating user developer port 59008 [preauth]

By default, the SSH server config does not contain an option PubkeyAcceptedAlgorithms. It can however be added and allow this key type again:

root@jammy:~# vi /etc/ssh/sshd_config
root@jammy:~# grep PubkeyAcceptedAlgorithms /etc/ssh/sshd_config
PubkeyAcceptedAlgorithms +ssh-rsa
root@jammy:~# systemctl restart sshd

After this, the user in question was able to log in again:

May 16 11:21:26 jammy sshd[3460828]: Accepted publickey for developer from port 59029 ssh2: RSA SHA256:SsWBsiqei01D0DFKaPFpgO4MJNWAa64ydalCPyhfbdA
May 16 11:21:26 jammy sshd[3460828]: pam_unix(sshd:session): session opened for user developer(uid=915) by (uid=0)
May 16 11:21:26 jammy systemd-logind[793]: New session 11761 of user developer.
May 16 11:21:26 jammy systemd: pam_unix(systemd-user:session): session opened for user developer(uid=915) by (uid=0)

Is my key affected?

To check whether or not your key pair is affected, you can list the algorithm of your private key:

ck@local ~ $ ssh-keygen -l -f .ssh/id_rsa
2048 SHA256:3[...] (RSA)

In this case you can see SHA256 is used, which should be fine. If SHA or SHA1 is mentioned then your key is definitely outdated and should be replaced (ssh-rsa added to PubkeyAcceptedAlgorithms as mentioned above).

Proper solution: Create and use newer keys

As a (safer) alternative, newer SSH keys can be generated and used for the connection. For example using a SSH key type ed25519 works out of the box.

The key pair can be created using ssh-keygen with the -t (for type) parameter:

ck@local:~# ssh-keygen -t ed25519 -C "My fancy new SSH key"

Obviously the public key then needs to be deployed to the remote SSH server.

Add a comment

Show form to leave a comment

Comments (newest first)

No comments yet.