I was running Ubuntu 20.04 happily, and then over the weekend decided to back everything up and install 22.04. I installed my previous keys but I couldn’t login via MobaXTerm remotely as I usually did with 20.04.
I logged in with a console and checked /var/log/auth.log . Here are the messages generated upon my tries to log in:
|
1 2 3 |
userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth] Aug 26 06:37:05 ip-172-31-27-21 sshd[1750502]: error: Received disconnect from 209.158.53.89 port 9085:14: No supported authentication methods available [preauth] Aug 26 06:37:05 ip-172-31-27-21 sshd[1750502]: Disconnected from authenticating user ubuntu 209.158.53.89 port 9085 [preauth] |
The root cause of this error “key type ssh-rsa not in pubkey accepted algorithms” is that ssh-rsa key considered not safe anymore.
The RSA SHA-1 hash algorithm is being quickly deprecated across operating systems and SSH clients because of various security vulnerabilities, with many of these technologies now outright denying the use of this algorithm.
It seems this has happened for the ssh client in Ubuntu 22.04. The RSA public-private key pair is considered not safe any more.
Solution
Use a more modern and secure type of key such as ed25519. Generate a new key pair in your Ubuntu 22.04 computer with this command:
|
1 |
ssh-keygen -t ed25519 -C "colin@colin-desktop" |
Note: the string after -C is a comment it is customary to put your email address here. Since you may only be using this key within your home, putting the email address may not make sense. I would put something like “colin@colin-desktop” so that you know which user and computer the key belongs to within your household.
Alternately you may create a new RSA key with SHA2 hashing like so:
|
1 |
ssh-keygen -t rsa-sha2-512 -b 4096 |
Either way you will need to use the ssh-copy-id command again:
|
1 |
ssh-copy-id root@xxx.xxx.xxx.xxx |
This command will recognize there is a new public key and copy the new key to the /root/.ssh/authorized_keys file.
It should work now.
A Remote Server Workaround
If you can’t change anything on the local computer, or don’t want to use a new key, and want to re-enable RSA on the local computer, edit the file /etc/ssh/sshd_config on the remote computer and add this line:
|
1 |
PubkeyAcceptedKeyTypes +ssh-rsa |
This will allow the use of unsafe RSA key you already have.
Remember to restart the sshd service by:
|
1 |
sudo systemctl restart sshd |
Otherwise you will have to restart your computer to make the change take effect.
More information
- SSH-RSA key rejected with message “no mutual signature algorithm”
- OpenSSH 8.3 released (and ssh-rsa deprecation notice)
