
Re: The key algorithm 'ssh-rsa' is not allowed in V 0.10.4


Hi there and thanks for your reply!

You mean ' ssh-rsa' i.e. without any space? I also tried that, and with a complete list, too:
ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES, "rsa-sha2-256,rsa-sha2-512,ecdh-sha2-nistp256,ssh-rsa");

Nothing seems to help so far...

It actually says (with debug log level):
ssh_userauth_publickey_auto: ssh_userauth_publickey_auto: Public key for /opt/myproxy/.ssh/id_rsa refused by server
ssh_userauth_publickey_auto: Access denied: Tried every public key, none matched
ssh_userauth_publickey_auto Instance #11 failed: The key algorithm 'ssh-rsa' is not allowed to be used by PUBLICKEY_ACCEPTED_TYPES configuration option

The last line comes from ssh_get_error(session):
if (ssh_userauth_publickey_auto(session, NULL, NULL) != SSH_AUTH_SUCCESS) {
    tlog_error("ssh_userauth_password Instance #%d failed: %s", inst->instance_id, ssh_get_error(session));
    ...
But why does it say "refused by server"? Is this just bad wording? Or is it really rejected by the peer?

May 19, 2025 10:19 PM, "Malak Bouaksa" <bouaksamalak@xxxxxxxxx> wrote:
	Hey there,

	What you're running into is actually a common issue when jumping from libssh 0.9.x to 0.10.x. Starting with version 0.10, libssh made a security-related change: it no longer allows the 'ssh-rsa' key type by default because it's based on SHA-1, which is considered weak by modern cryptographic standards.

	That’s why everything worked fine with version 0.9.6, but with 0.10.4 on RHEL9 but here’s the catch: the space after the + is messing it up. It should be: ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES, "+ ssh-rsa");

On Mon, May 19, 2025 at 8:58 PM <g4-lisz@xxxxxxxxxxxx> wrote:
Hi there,

I wrote a client (TCP forwarding) that connects to a server which uses libssh V 0.9.7.

When I compile the client with 0.9.6 (this is what I get with libssh-dev on Pop!_OS 22.04) then all works fine.

However, on RHEL9, libssh-dev brings v0.10.4. And compiled with that version the client can't connect anymore:

"ssh_userauth_try_publickey: The key algorithm 'ssh-rsa' is not allowed to be used by PUBLICKEY_ACCEPTED_TYPES configuration option"

At first I was confused: Who says this? The server? But it accepted the key when using a client with version 0.9.6.
So I tried to add 'ssh-rsa' to the client's allowed key types:

if (ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES, "+ ssh-rsa") < 0) {
    fprintf(stderr, "ssh_options_set failed: %s\n", ssh_get_error(session));
}

ssh_options_set(...) seems to succeed. However, everything else remains the same. The key algorithm 'ssh-rsa' is not allowed to be used...

How can this be solved? What is the right way to convince libssh that it can use public keys of type ssh-rsa?

The remote account only knows my ssh-rsa public key and this can't be changed easily. That's why I have to stick with that type...

Cheers
Till
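
Added example, not part of the thread and not libssh code: a stand-alone pre-flight check that can be run on a candidate PUBLICKEY_ACCEPTED_TYPES string before passing it to ssh_options_set, applied to the two strings quoted above. The name table is an assumption taken from the SSH RFCs, classify_token and check_pubkey_list are hypothetical names, and whether the libssh version in use accepts a leading "+" is not checked here.

```c
#include <stdio.h>
#include <string.h>

/* Public-key algorithm names from the SSH RFCs (assumed table, not libssh's own list). */
static const char *const PUBKEY_ALGOS[] = {
    "ssh-rsa", "rsa-sha2-256", "rsa-sha2-512", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", NULL
};
enum tok_status { TOK_OK, TOK_WHITESPACE, TOK_KEX_NAME, TOK_UNKNOWN, TOK_EMPTY };

/* Classify one comma-separated token of length len (hypothetical helper). */
static enum tok_status classify_token(const char *tok, size_t len)
{
    if (len == 0) return TOK_EMPTY;
    if (memchr(tok, ' ', len) || memchr(tok, '\t', len)) return TOK_WHITESPACE;
    for (size_t i = 0; PUBKEY_ALGOS[i]; i++)
        if (strlen(PUBKEY_ALGOS[i]) == len && memcmp(tok, PUBKEY_ALGOS[i], len) == 0)
            return TOK_OK;
    /* ecdh-*, diffie-hellman-* and curve25519-* are key-exchange method names. */
    if ((len >= 5 && !strncmp(tok, "ecdh-", 5)) ||
        (len >= 15 && !strncmp(tok, "diffie-hellman-", 15)) ||
        (len >= 11 && !strncmp(tok, "curve25519-", 11)))
        return TOK_KEX_NAME;
    return TOK_UNKNOWN;
}

/* Returns the number of problem tokens in list and reports each on stderr. */
int check_pubkey_list(const char *list)
{
    static const char *const why[] = { "", "contains whitespace",
        "is a key-exchange name", "is not a known public-key algorithm", "is empty" };
    int problems = 0;
    const char *p = (*list == '+') ? list + 1 : list; /* skip the thread's "+" prefix */
    for (;;) {
        size_t len = strcspn(p, ",");
        enum tok_status st = classify_token(p, len);
        if (st != TOK_OK) {
            fprintf(stderr, "token '%.*s' %s\n", (int)len, p, why[st]);
            problems++;
        }
        if (p[len] == '\0') return problems;
        p += len + 1;
    }
}

int main(void)
{
    /* Both strings are copied from the messages above. */
    int n = check_pubkey_list("+ ssh-rsa");
    n += check_pubkey_list("rsa-sha2-256,rsa-sha2-512,ecdh-sha2-nistp256,ssh-rsa");
    return n ? 1 : 0;
}
```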
