After the last upgrade I was not able to login in to my machine remotely using ssh.
Password authentication is disabled in the sshd_config file and I use keys to authenticate.
After this upgrade authentication did not work and there was the following error in the ssh log
userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
After reading this post in the Digital Ocean blog I added the following to my sshd_config and it now works
PubkeyAcceptedAlgorithms=+ssh-rsa
No, but I have just looked at the Openssh 8.8 release notes and found the following: “This release disables RSA signatures using the SHA-1 hash algorithm
by default.”
Perhaps I need to update my keys. I generated them using Puttygen so I suspect this could affect a lot of people.
As this key type has been deemed to be not secure enough anymore it might be worth adding to the wiki a suggestion to change key types so as to keep the login process secure.
I just removed the line I added to sshd_config and recreated my keys using ED25519 and can now login again.
Thanks again! 
Looks spot on.
just a few thoughts:
ssh-rsa is not SHA1 and it does not use SHA1 eitherrsa is not unsafe per se:
ed25519 is considered as of similar difficulty as an rsa key of ~3000 bits length, see http://ed25519.cr.yp.to/
edit: I’ve updated the wiki post.
I had an issue with OpenSSH update as reported in here: https://community.atlassian.com/t5/Bitbucket-questions/OpenSSH-8-7-and-ssh-rsa-host-key/qaq-p/1799373
That’s already in the wiki, first item here
This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.
A post was split to a new topic: Unable to access my remote git repository using ssh
Hi, after the update I have been unable to access my remote git repository using ssh. Tried regenerating the keys, didn’t work. It seems like ssh can’t see the key file after the update, doesn’t even ask for the passphrase. This is the error:
Unable to negotiate with 40.74.28.0 port 22: no matching host key type found. Their offer: ssh-rsa fatal: Could not read from remote repository.
I used Timeshift to revert to a backup before the update, and everything works normally.
Does anyone know what could be causing this issue?
shh config file:
Host ssh.dev.azure.com
HostName ssh.dev.azure.com
User git
IdentityFile ~/.ssh/id_rsa
IdentitiesOnly yes
PubkeyAcceptedKeyTypes=ssh-rsa
Generating new keys is most likely not an option at this moment. Hosts are currently only supporting ssh-rsa and according to Atlassian, they are working on rsa-sha2-256 and rsa-sha2-512 implementations. ed25519 will most likely not be supported anytime soon.
For a temporary workaround, only adding PubkeyAcceptedAlgorithms +ssh-rsa is not enough, HostkeyAlgorithms +ssh-rsa is also required.
Atlassian post: OpenSSH 8.8 client incompatibility and workaround - Atlassian Community
At the moment of writing, I know that Azure and Bitbucket git repositories have this problem, not sure about other hosts
Final ~/.ssh/config that worked for me:
Host ssh.dev.azure.com
HostName ssh.dev.azure.com
User git
IdentityFile ~/.ssh/id_rsa
IdentitiesOnly yes
PubkeyAcceptedAlgorithms +ssh-rsa
HostkeyAlgorithms +ssh-rsa
My solution was creating ~/.ssh/config like this this:
Host bitbucket.org
HostName bitbucket.org
User git
IdentityFile ~/.ssh/id_rsa
IdentitiesOnly yes
PubkeyAcceptedAlgorithms +ssh-rsa
HostkeyAlgorithms +ssh-rsa
Issue opening the KDEConnect created Device filesystem in Dolphin (KDE) for my cell… multiple notifications triggered saying Error when accessing filesystem. sshfs finished with exit code 1
Found temp solution (work around) @ [SOLVED] kdeconnect no longer exposes filesystem on android phone / Newbie Corner / Arch Linux Forums
According to what I read, the openssh 8.8p1-1 installed with this update release is involved with the issue, and was worked around by downgrading to the previous openssh 8.7p1-2 with the following command (assumes you are locally caching previous package versions via pamac)…
$ sudo pacman -U /var/cache/pacman/pkg/openssh-8.7p1-2-x86_64.pkg.tar.zst
The issue eventually needs to be addessed by KDEConnect and is recorded/tracked @ 443155 – kdeconnect breaks when openssh is upgraded to version 8.8p1-1
One of the contributors there mentioned that (I assume related to openssh 8.8p1-1)…
“This release disables RSA signatures using the SHA-1 hash algorithm by default.”
So this suggests that an alternative “work around” may be to follow the Lazy Solution found in the Unable to login in remotely using ssh using rsa keys known issue for this update (which I have not tried)… as I assume the “Good Solution” can only be found in an updated version of KDEConnect.
EDIT: My issue was resolved by the newly released KDEConnect 21.08.2-1 and sshfs 3.7.2-2 (Pahvo 21.1.6 release) which are all playing together nicely with openssh 8.8p1-1.