Why are we getting "sshd: ssh-rsa algorithm is disabled" Error?
We recently upgraded our Base OS and there we starting facing this issue where all SSH connection via RSA Key started to fail with error "sshd: ssh-rsa algorithm is disabled
".
![sshd: ssh-rsa algorithm is disabled [SOLVED] sshd: ssh-rsa algorithm is disabled [SOLVED]](https://www.golinuxcloud.com/wp-content/uploads/image-620.png)
After researching about this error, I got to know that this is due to the recent updates from OpenSSH which have deprecated the use of the ssh-rsa
signature algorithm due to security concerns related to the SHA-1 hash algorithm, which ssh-rsa
relies on. SHA-1 has been found to be vulnerable to collision attacks, making it less secure compared to more modern algorithms.
OpenSSH officially announced the deprecation of the ssh-rsa
algorithm in its release notes, starting from version 8.2. The official OpenSSH release notes provide details on this change.
In this tutorial we will explore different methods to come out of this situation, you may choose appropriate method based on your security requirement.
Solution 1: Chose alternative of ssh-rsa Key
To maintain secure SSH connections, it is recommended to use more modern algorithms that do not rely on SHA-1. Some of these alternatives include rsa-sha2-256
and rsa-sha2-512
.
Here's an example of how you might generate a new key using a more secure algorithm:
ssh-keygen -t rsa-sha2-512 -b 4096 -f ~/.ssh/id_rsa
I have already written a detailed tutorial on using ssh-keygen which you can refer for more information: 10 examples to generate SSH key in Linux (ssh-keygen)
Once you have generated the new keys on your SSH Client, next you can use ssh-copy-id to copy the public key to remote SSH Server.
Solution 2: Enable usage of ssh-rsa Key
If you choose to ignore security guidelines and still prefer to use ssh-rsa key then you must explicitly allow this in your SSH server's /etc/ssh/sshd_config
file. Add the following lines to your /etc/ssh/sshd_config
to explicitly accept the ssh-rsa
algorithm in PubkeyAcceptedAlgorithms
, HostKeyAlgorithms
and PubkeyAcceptedKeyTypes
.
PubkeyAcceptedAlgorithms +ssh-rsa
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa
After making the changes, restart the SSH service:
sudo systemctl restart sshd
Solution 3: Check for system-wide crypto policies
Some systems, like CentOS or RHEL, may enforce system-wide cryptographic policies that could override SSH settings. These policies dictate which cryptographic algorithms and protocols are allowed or disallowed across various applications and services on the system. You can check and modify these policies if necessary.
Check the current crypto policies:
sudo update-crypto-policies --show
The main policies available are:
- DEFAULT: The default system policy. It provides a good balance between security and compatibility, disabling weak algorithms and protocols.
- LEGACY: A less strict policy that allows the use of older, deprecated cryptographic algorithms and protocols for compatibility reasons.
- FUTURE: A stricter policy that enforces the use of stronger cryptographic algorithms and protocols, possibly at the expense of compatibility.
- FIPS: A policy that enforces compliance with the Federal Information Processing Standard (FIPS) 140-2, used by U.S. government systems. This policy is very strict and only allows FIPS-approved algorithms and protocols.
If the policy is set to FIPS
or DEFAULT
, you may need to set it to LEGACY
to allow older algorithms:
sudo update-crypto-policies --set LEGACY
The LEGACY
policy enables older, deprecated cryptographic algorithms and protocols that may be required by legacy applications or systems. This can be helpful if you are working with older SSH keys, SSL/TLS configurations, or other cryptographic tools that do not support modern algorithms.
Although you have to be aware that allowing older, less secure algorithms can expose your system to vulnerabilities that have been mitigated in newer algorithms. These older algorithms may be susceptible to known attacks, such as collision attacks against SHA-1 or vulnerabilities in older versions of SSL/TLS.
Next restart SSHD service:
sudo systemctl restart sshd
sudo systemctl status sshd
![sshd: ssh-rsa algorithm is disabled [SOLVED] sshd: ssh-rsa algorithm is disabled [SOLVED]](https://www.golinuxcloud.com/wp-content/uploads/image-621.png)
Now you are attempt SSH, for me this solution worked.
![sshd: ssh-rsa algorithm is disabled [SOLVED] sshd: ssh-rsa algorithm is disabled [SOLVED]](https://www.golinuxcloud.com/wp-content/uploads/image-622.png)