Unable to login in remotely using ssh using rsa keys after last update

After the last upgrade I was not able to login in to my machine remotely using ssh.

Password authentication is disabled in the sshd_config file and I use keys to authenticate.

After this upgrade authentication did not work and there was the following error in the ssh log

userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]

1 Like

Do you have any .pacnew files?

:thinking:

After reading this post in the Digital Ocean blog I added the following to my sshd_config and it now works

PubkeyAcceptedAlgorithms=+ssh-rsa

No, but I have just looked at the Openssh 8.8 release notes and found the following: “This release disables RSA signatures using the SHA-1 hash algorithm
by default.”

Perhaps I need to update my keys. I generated them using Puttygen so I suspect this could affect a lot of people.

4 Likes

Thank you for your feed-back!

Incorporated into the Known problems wiki of the current update.

:clap:

As this key type has been deemed to be not secure enough anymore it might be worth adding to the wiki a suggestion to change key types so as to keep the login process secure.

I just removed the line I added to sshd_config and recreated my keys using ED25519 and can now login again.

2 Likes

Thanks again! :grin:

  • Wiki post updated.
  • Please let me know if the current verbiage is good enough

:bowing_man:

Looks spot on.
:+1:

1 Like

just a few thoughts:

  • ssh-rsa is not SHA1 and it does not use SHA1 either
  • rsa is not unsafe per se:
    • “short” keys could be broken with technology available today
    • “long” keys are reasonably safe
    • breaking ed25519 is considered as of similar difficulty as an rsa key of ~3000 bits length, see http://ed25519.cr.yp.to/

edit: I’ve updated the wiki post.

1 Like

I had an issue with OpenSSH update as reported in here: https://community.atlassian.com/t5/Bitbucket-questions/OpenSSH-8-7-and-ssh-rsa-host-key/qaq-p/1799373

That’s already in the wiki, first item here

:bowing_man:

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.

A post was split to a new topic: Unable to access my remote git repository using ssh

Hi, after the update I have been unable to access my remote git repository using ssh. Tried regenerating the keys, didn’t work. It seems like ssh can’t see the key file after the update, doesn’t even ask for the passphrase. This is the error:

Unable to negotiate with 40.74.28.0 port 22: no matching host key type found. Their offer: ssh-rsa fatal: Could not read from remote repository.

I used Timeshift to revert to a backup before the update, and everything works normally.
Does anyone know what could be causing this issue?

shh config file:

Host ssh.dev.azure.com
    HostName ssh.dev.azure.com
    User git
    IdentityFile ~/.ssh/id_rsa
	IdentitiesOnly yes
	PubkeyAcceptedKeyTypes=ssh-rsa
1 Like

An update regarding git over ssh:

  • Generating new keys is most likely not an option at this moment. Hosts are currently only supporting ssh-rsa and according to Atlassian, they are working on rsa-sha2-256 and rsa-sha2-512 implementations. ed25519 will most likely not be supported anytime soon.

  • For a temporary workaround, only adding PubkeyAcceptedAlgorithms +ssh-rsa is not enough, HostkeyAlgorithms +ssh-rsa is also required.

  • Atlassian post: OpenSSH 8.8 client incompatibility and workaround - Atlassian Community

  • At the moment of writing, I know that Azure and Bitbucket git repositories have this problem, not sure about other hosts

Final ~/.ssh/config that worked for me:

Host ssh.dev.azure.com
    HostName ssh.dev.azure.com
    User git
    IdentityFile ~/.ssh/id_rsa
    IdentitiesOnly yes
    PubkeyAcceptedAlgorithms +ssh-rsa
    HostkeyAlgorithms +ssh-rsa
1 Like

My solution was creating ~/.ssh/config like this this:

Host bitbucket.org
    HostName bitbucket.org
    User git
    IdentityFile ~/.ssh/id_rsa
    IdentitiesOnly yes
    PubkeyAcceptedAlgorithms +ssh-rsa
    HostkeyAlgorithms +ssh-rsa
2 Likes

Issue opening the KDEConnect created Device filesystem in Dolphin (KDE) for my cell… multiple notifications triggered saying Error when accessing filesystem. sshfs finished with exit code 1

Found temp solution (work around) @ [SOLVED] kdeconnect no longer exposes filesystem on android phone / Newbie Corner / Arch Linux Forums

According to what I read, the openssh 8.8p1-1 installed with this update release is involved with the issue, and was worked around by downgrading to the previous openssh 8.7p1-2 with the following command (assumes you are locally caching previous package versions via pamac)…

$ sudo pacman -U /var/cache/pacman/pkg/openssh-8.7p1-2-x86_64.pkg.tar.zst

The issue eventually needs to be addessed by KDEConnect and is recorded/tracked @ 443155 – kdeconnect breaks when openssh is upgraded to version 8.8p1-1

One of the contributors there mentioned that (I assume related to openssh 8.8p1-1)…

“This release disables RSA signatures using the SHA-1 hash algorithm by default.”

So this suggests that an alternative “work around” may be to follow the Lazy Solution found in the Unable to login in remotely using ssh using rsa keys known issue for this update (which I have not tried)… as I assume the “Good Solution” can only be found in an updated version of KDEConnect.

EDIT: My issue was resolved by the newly released KDEConnect 21.08.2-1 and sshfs 3.7.2-2 (Pahvo 21.1.6 release) which are all playing together nicely with openssh 8.8p1-1.