SSH connection not working (userauth_pubkey: key type ssh-rsa not in Pubkey Accepted Algorithms [preauth])

Written by - 0 comments

Published on - last updated on May 16th 2023 - Listed in Linux Ubuntu Security


Note: There are also Ubuntu 22.04 SSH connection issues using PuTTY as SSH client, which are related to the Ubuntu upgrade but can be solved differently.

After upgrading to Ubuntu 22.04, there have been some configuration changes. One of these changes is to disable the ssh-rsa key with SHA-1 hash algorithm as accepted public key type in the SSH server. From the OpenSSH changelog:

This release disables RSA signatures using the SHA-1 hash algorithm by default. This change has been made as the SHA-1 hash algorithm is cryptographically broken [...] For most users, this change should be invisible and there is no need to replace ssh-rsa keys. OpenSSH has supported RFC8332 RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys will automatically use the stronger algorithm where possible.

SSH login not possible:  key type ssh-rsa not in Pubkey Accepted Algorithms

While this isn't obvious at all, users with such a key won't be able to log in into a Ubuntu 22.04 system. On the SSH server side, the following log entries can be spotted in /var/log/auth.log:

May 16 11:17:44 jammy sshd[3456924]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
May 16 11:17:44 jammy sshd[3456924]: Received disconnect from 10.150.42.108 port 59008:11: Client disconnecting normally [preauth]
May 16 11:17:44 jammy sshd[3456924]: Disconnected from authenticating user developer 10.150.42.108 port 59008 [preauth]

By default, the SSH server config does not contain an option PubkeyAcceptedAlgorithms. It can however be added and allow this key type again:

root@jammy:~# vi /etc/ssh/sshd_config
root@jammy:~# grep PubkeyAcceptedAlgorithms /etc/ssh/sshd_config
PubkeyAcceptedAlgorithms +ssh-rsa
root@jammy:~# systemctl restart sshd

After this, the user in question was able to log in again:

May 16 11:21:26 jammy sshd[3460828]: Accepted publickey for developer from 10.150.42.108 port 59029 ssh2: RSA SHA256:SsWBsiqei01D0DFKaPFpgO4MJNWAa64ydalCPyhfbdA
May 16 11:21:26 jammy sshd[3460828]: pam_unix(sshd:session): session opened for user developer(uid=915) by (uid=0)
May 16 11:21:26 jammy systemd-logind[793]: New session 11761 of user developer.
May 16 11:21:26 jammy systemd: pam_unix(systemd-user:session): session opened for user developer(uid=915) by (uid=0)

Is my key affected?

To check whether or not your key pair is affected, you can list the algorithm of your private key:

ck@local ~ $ ssh-keygen -l -f .ssh/id_rsa
2048 SHA256:3[...] ck@claudiokuenzler.com (RSA)

In this case you can see SHA256 is used, which should be fine. If SHA or SHA1 is mentioned then your key is definitely outdated and should be replaced (ssh-rsa added to PubkeyAcceptedAlgorithms as mentioned above).

Proper solution: Create and use newer keys

As a (safer) alternative, newer SSH keys can be generated and used for the connection. For example using a SSH key type ed25519 works out of the box.

The key pair can be created using ssh-keygen with the -t (for type) parameter:

ck@local:~# ssh-keygen -t ed25519 -C "My fancy new SSH key"

Obviously the public key then needs to be deployed to the remote SSH server.


Add a comment

Show form to leave a comment

Comments (newest first)

No comments yet.

RSS feed

Blog Tags:

  AWS   Android   Ansible   Apache   Apple   Atlassian   BSD   Backup   Bash   Bluecoat   CMS   Chef   Cloud   Coding   Consul   Containers   CouchDB   DB   DNS   Database   Databases   Docker   ELK   Elasticsearch   Filebeat   FreeBSD   Galera   Git   GlusterFS   Grafana   Graphics   HAProxy   HTML   Hacks   Hardware   Icinga   Influx   Internet   Java   KVM   Kibana   Kodi   Kubernetes   LVM   LXC   Linux   Logstash   Mac   Macintosh   Mail   MariaDB   Minio   MongoDB   Monitoring   Multimedia   MySQL   NFS   Nagios   Network   Nginx   OSSEC   OTRS   Office   PGSQL   PHP   Perl   Personal   PostgreSQL   Postgres   PowerDNS   Proxmox   Proxy   Python   Rancher   Rant   Redis   Roundcube   SSL   Samba   Seafile   Security   Shell   SmartOS   Solaris   Surveillance   Systemd   TLS   Tomcat   Ubuntu   Unix   VMWare   VMware   Varnish   Virtualization   Windows   Wireless   Wordpress   Wyse   ZFS   Zoneminder   


Update cookies preferences