sshd: ssh-rsa algorithm is disabled [SOLVED]


Why are we getting "sshd: ssh-rsa algorithm is disabled" Error?

We recently upgraded our base OS, and after that every SSH connection using an RSA key started to fail with the error "sshd: ssh-rsa algorithm is disabled".

After researching this error, I found that it is caused by recent OpenSSH updates that deprecated the ssh-rsa signature algorithm because of security concerns about the SHA-1 hash it relies on. SHA-1 is vulnerable to collision attacks, which makes ssh-rsa weaker than modern signature algorithms.

OpenSSH officially announced the deprecation of the ssh-rsa algorithm in its release notes, starting from version 8.2; the official OpenSSH release notes give the details of this change.

In this tutorial we will explore different methods to resolve this error; choose the method that fits your security requirements.


Solution 1: Choose an alternative to the ssh-rsa key

To keep SSH connections secure, use modern signature algorithms that do not rely on SHA-1, such as rsa-sha2-256 and rsa-sha2-512.

Here's an example of how you might generate a new key. Note that the -t option of ssh-keygen takes a key type (rsa, ed25519, and so on), not a signature algorithm, so "-t rsa-sha2-512" fails with "unknown key type". An RSA key created as shown below is signed with rsa-sha2-512 or rsa-sha2-256 automatically by current OpenSSH clients, because only the SHA-1 based ssh-rsa signature has been deprecated, not RSA keys themselves:

# key type is rsa (not rsa-sha2-512); current clients then sign with rsa-sha2-512/256
ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa

I have already written a detailed tutorial on ssh-keygen which you can refer to for more information: 10 examples to generate SSH key in Linux (ssh-keygen)

Once you have generated the new key on your SSH client, use ssh-copy-id to copy the public key to the remote SSH server.


Solution 2: Enable usage of ssh-rsa Key

If you choose to ignore the security guidance and still prefer to use an ssh-rsa key, you must explicitly allow it in your SSH server's /etc/ssh/sshd_config file. Add the following lines to /etc/ssh/sshd_config to explicitly accept the ssh-rsa algorithm in PubkeyAcceptedAlgorithms, HostKeyAlgorithms and PubkeyAcceptedKeyTypes. (PubkeyAcceptedKeyTypes is the older name of PubkeyAcceptedAlgorithms; recent OpenSSH versions accept it as an alias, so on those versions the first and third lines set the same option, while older versions only know the old name.)

PubkeyAcceptedAlgorithms +ssh-rsa
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa

After making the changes, restart the SSH service:

sudo systemctl restart sshd


Solution 3: Check for system-wide crypto policies

Some systems, like CentOS or RHEL, may enforce system-wide cryptographic policies that could override SSH settings. These policies dictate which cryptographic algorithms and protocols are allowed or disallowed across various applications and services on the system. You can check and modify these policies if necessary.

Check the current crypto policies:

sudo update-crypto-policies --show

The main policies available are:

  • DEFAULT: The default system policy. It provides a good balance between security and compatibility, disabling weak algorithms and protocols.
  • LEGACY: A less strict policy that allows the use of older, deprecated cryptographic algorithms and protocols for compatibility reasons.
  • FUTURE: A stricter policy that enforces the use of stronger cryptographic algorithms and protocols, possibly at the expense of compatibility.
  • FIPS: A policy that enforces compliance with the Federal Information Processing Standard (FIPS) 140-2, used by U.S. government systems. This policy is very strict and only allows FIPS-approved algorithms and protocols.

If the policy is set to FIPS or DEFAULT, you may need to set it to LEGACY to allow older algorithms:

sudo update-crypto-policies --set LEGACY

The LEGACY policy enables older, deprecated cryptographic algorithms and protocols that may be required by legacy applications or systems. This can be helpful if you are working with older SSH keys, SSL/TLS configurations, or other cryptographic tools that do not support modern algorithms.

Be aware, though, that allowing older, less secure algorithms can expose your system to weaknesses that have been mitigated in newer algorithms. These older algorithms may be susceptible to known attacks, such as collision attacks against SHA-1 or vulnerabilities in older versions of SSL/TLS.

Next, restart the sshd service and confirm that it is running:

sudo systemctl restart sshd
sudo systemctl status sshd

Now attempt the SSH connection again; for me, this solution worked.
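As an added check for Solutions 2 and 3 (an example script written for this page, not part of the original article or of OpenSSH): the functions below parse a configuration dump in the format that `sshd -T` prints and report whether the SHA-1 based ssh-rsa signature is still accepted for user public keys or host keys. The two inputs are constructed samples; on a real host you would pass "$(sudo sshd -T)" instead, on the assumption that the dump reflects any crypto-policy back-end your sshd_config includes.

```shell
#!/bin/sh
# Added example, not from the original article: audit an sshd configuration
# dump for the SHA-1 based ssh-rsa signature algorithm. Assumption: the input
# uses the `sshd -T` format, one lowercase keyword per line plus a comma list.

# Constructed sample: a host where Solution 2 was applied (+ssh-rsa).
SAMPLE_LEGACY='port 22
pubkeyacceptedalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
kexalgorithms curve25519-sha256'

# Constructed sample: a default host, RSA keys allowed only via rsa-sha2-*.
SAMPLE_DEFAULT='port 22
pubkeyacceptedalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256'

# Print the value of keyword $2 from dump $1 (empty if the keyword is absent).
sshd_t_value() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# Succeed if algorithm $3 appears, as an exact name, in keyword $2's list.
# The exact match matters: rsa-sha2-256 must not be counted as ssh-rsa.
list_has_alg() {
    sshd_t_value "$1" "$2" | tr ',' '\n' | grep -qx "$3"
}

# Report one keyword: prints "<keyword>: ssh-rsa-enabled" and returns 1
# when the SHA-1 signature is accepted, so the check can gate a job.
check_keyword() {
    if list_has_alg "$1" "$2" ssh-rsa; then
        echo "$2: ssh-rsa-enabled"
        return 1
    fi
    echo "$2: ssh-rsa-disabled"
}

# Overall verdict for a dump: 1 if ssh-rsa is enabled for either user
# public keys or host keys, 0 if both lists are clean.
audit_ssh_rsa() {
    rc=0
    check_keyword "$1" pubkeyacceptedalgorithms || rc=1
    check_keyword "$1" hostkeyalgorithms || rc=1
    return $rc
}

# Stand-alone run over the constructed samples (replace with "$(sudo sshd -T)").
audit_ssh_rsa "$SAMPLE_LEGACY" || echo "SAMPLE_LEGACY still accepts ssh-rsa"
audit_ssh_rsa "$SAMPLE_DEFAULT" && echo "SAMPLE_DEFAULT is clean"
```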


Deepak Prasad

Deepak Prasad is the founder of GoLinuxCloud, bringing over a decade of expertise in Linux, Python, Go, Laravel, DevOps, Kubernetes, Git, Shell scripting, OpenShift, Networking, and Security. His extensive experience spans development, DevOps, networking, and security, ensuring robust and efficient solutions for diverse projects.

