16

SSH without password does not work after upgrading from Ubuntu 18.04 to Ubuntu 22.04. The client is Ubuntu 22.04 and the server is Ubuntu 14.04. Using Ubuntu 18.04 as client works correctly.

I have done the correct steps of generating the key in .ssh and copying it to the server, but in Ubuntu 22.04 it does not work.

Summary of the steps I have always performed and have always worked:

ssh-keygen -t rsa
cat .ssh/id_rsa.pub | ssh -p 1331 user@server 'cat >> .ssh/authorized_keys'

Is this a Seahorse problem? In Seahorse in Ubuntu 22.04 I can't find the option "The owner of this key is authorized to connect to this computer", which does exist in 18.04. I don't know if this may have something to do with it.

Has this happened to anyone else?

karel
  • 114,770
Mario
  • 959
  • Question: is HOSTNAME the same on all PCs? If you set DNS manually, is the DNS the same on all PCs? Check the ssh-keyscan command flags. And I'm not sure which ssh command/flag refreshes the keys loaded in SSH so that it can work; it might be ssh-add – dMatija Apr 23 '22 at 17:34
  • The HOSTNAMEs are different on client and server, but I never use hostname or DNS, I use the IP directly; the local IP of the server is fixed, e.g. --> ssh -p 1234 nameUser@192.168.1.22 – Mario Apr 23 '22 at 17:41
  • If you are not familiar with hostname and DNS, try to look them up. I had some issues a long time ago, also without using them at any point. For some reason, ssh didn't like it if they were not all the same. And check ssh-add (I think); it is to reload ssh-agent. Try: eval "$(ssh-agent -s)" The flag might be different – dMatija Apr 23 '22 at 17:50
  • 2
    I have found the solution here: https://confluence.atlassian.com/bitbucketserverkb/ssh-rsa-key-rejected-with-message-no-mutual-signature-algorithm-1026057701.html Cause: the RSA SHA-1 hash algorithm is being quickly deprecated. I have added the following line to /etc/ssh/ssh_config on the client side --> PubkeyAcceptedKeyTypes +ssh-rsa – Mario Apr 23 '22 at 22:32
  • There is an Ubuntu 14.04 server in this question, which makes it off topic. Ubuntu 14.04 went EOL on April 30th 2019. – David Apr 01 '23 at 09:42

5 Answers

25

The RSA SHA-1 hash algorithm is being quickly deprecated. There is a workaround for re-enabling RSA at SSH-RSA key rejected with message "no mutual signature algorithm".

To fully resolve this issue, our team recommends that these deprecated SSH keys be regenerated using a supported and more secure algorithm such as ECDSA and ED25519. SSH keys generated with either ECDSA or ED25519 algorithms are not affected by RSA deprecation.

Add the following line to /etc/ssh/ssh_config on the client side:

PubkeyAcceptedKeyTypes +ssh-rsa
karel
  • 114,770
  • 1
    I've tried a lot of solutions, nothing worked! This was the only solution that worked for me. Thanks a lot. – Luís Assunção Oct 03 '22 at 11:35
  • 3
    To login without a password on Ubuntu 22.04.1 LTS, I had to add an additional line: HostKeyAlgorithms +ssh-rsa. And that entry, along with the entry mentioned in the answer above, are placed at the tail-end of the stanza for Host * – lawlist Oct 16 '22 at 22:33
  • Rather than use a deprecated algorithm, create new keys using ED25519

    ssh-keygen -t ed25519

    ED25519 is generally considered more secure than RSA

    – Nick Bascombe-Fox Feb 22 '24 at 18:07
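
Because the line in this answer goes into the system-wide file (and, per the comment above, into the Host * stanza), it re-enables ssh-rsa for every server the client connects to. As an added example, not part of the original answers, this shell function lists where ssh-rsa is re-enabled in an ssh_config-style file and whether each entry is global or host-scoped; the function name and the sample config are constructed for illustration.

```sh
# Added example: report where ssh-rsa is re-enabled in an ssh_config-style
# file (or stdin) and whether the setting is global or limited to named hosts.
audit_ssh_rsa() {
    awk '
    { sub(/^[ \t]+/, ""); gsub(/=/, " ") }   # strip indent; keyword=value is legal
    /^#/ || NF == 0 { next }
    { kw = tolower($1) }                     # keywords are case-insensitive
    kw == "host"  { scope = $0; sub(/^[^ \t]+[ \t]+/, "", scope); next }
    kw == "match" { scope = "(match block)"; next }
    kw == "hostkeyalgorithms" || kw == "pubkeyacceptedalgorithms" ||
    kw == "pubkeyacceptedkeytypes" {
        v = $2; sub(/^[+^]/, "", v)          # "+list" appends, "^list" prepends
        if (("," v ",") !~ /,ssh-rsa,/) next # "-ssh-rsa" removes it: not a finding
        is_global = (scope == "" || scope == "*")
        printf "%s\t%s\t%s\n", (is_global ? "GLOBAL" : "SCOPED"),
               (scope == "" ? "(top of file)" : scope), $1
    }
    ' "${1:--}"
}

# Constructed sample config (not from the page): one global, one scoped entry.
audit_ssh_rsa <<'EOF'
Host *
    PubkeyAcceptedKeyTypes +ssh-rsa
Host alice.example.com bob.example.org
    HostkeyAlgorithms +ssh-rsa
EOF
```

Run it as audit_ssh_rsa /etc/ssh/ssh_config or audit_ssh_rsa ~/.ssh/config; a GLOBAL line is the one to narrow to the specific legacy hosts.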
7

Update: I suggest trying the command-line lower down to see if the configuration changes proposed will actually work, that way you'll only be making config changes if you've already checked that they'll work.

tl;dr - Add these lines to an ssh config file (personal one typically in .ssh/config or system-wide one in /etc/ssh/ssh_config) if you're having this issue connecting to machines (say) alice.example.com and bob.example.org,

Host alice.example.com bob.example.org
    PubkeyAcceptedAlgorithms +ssh-rsa
    HostkeyAlgorithms +ssh-rsa

or in more detail:

SSH on Ubuntu and Linux in general normally refers to OpenSSH which now deprecates (and disables by default) the RSA SHA-1 algorithm. It's still available but has to be enabled for the hosts that need it, see their explainer,

When an SSH client connects to a server, each side offers lists of connection parameters to the other... For a successful connection, there must be at least one mutually-supported choice for each parameter.

To be able to connect to hosts with this issue, either or both of the above options are needed (and it's recommended to upgrade the hosts so that they no longer need to use this now-considered-insecure algorithm). In some circumstances you may want to enable these options for all hosts (Host *).

When you try connecting to a machine, if you see this error message,

Unable to negotiate with ... port 22: no matching host key type found. Their offer: ssh-rsa

that can be fixed with HostkeyAlgorithms +ssh-rsa

When you try connecting to a machine, if you see this error message,

username@some.hostname: Permission denied (publickey).

that may be fixed with PubkeyAcceptedAlgorithms +ssh-rsa

Putting that together gives you a stanza like this (in this case for 2 machines),

Host alice.example.com bob.example.org
    PubkeyAcceptedAlgorithms +ssh-rsa
    HostkeyAlgorithms +ssh-rsa

You need to add that stanza to either a personal .ssh config file (create it if it doesn't exist) typically in .ssh/config under your home directory, or if you want any user on your machine to have these settings, add the stanza to /etc/ssh/ssh_config.

If you don't want to make any configuration changes, you can specify the options on the command line instead,

ssh -oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedAlgorithms=+ssh-rsa some.hostname

Finally, note that the PubkeyAcceptedAlgorithms keyword supersedes PubkeyAcceptedKeyTypes mentioned in some answers (see "Bugfixes" section in the changelog)
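
The two failures described in this answer call for different options, so a given host often needs only one of them. As an added example (not part of the original answer), this shell function reads captured ssh -v output and prints a Host stanza containing only the option each failure calls for; the function name, host names and sample log lines are constructed, and the "no mutual signature algorithm" debug line is the message named in the linked article title earlier on the page.

```sh
# Added example: read `ssh -v` stderr on stdin and print a Host-scoped stanza
# that enables ssh-rsa only where the log shows it is the missing piece.
suggest_stanza() {
    host="$1"
    opts=$(awk '
        { sub(/\r$/, "") }                       # debug output may end in CR
        /no matching host key type found/ {
            offer = $0; sub(/.*Their offer: */, "", offer)
            # Only useful if the server really offers ssh-rsa as a host key
            if (("," offer ",") ~ /,ssh-rsa,/) hostkey = 1
        }
        /no mutual signature algorithm/ { pubkey = 1 }
        END {
            if (pubkey)  print "    PubkeyAcceptedAlgorithms +ssh-rsa"
            if (hostkey) print "    HostKeyAlgorithms +ssh-rsa"
        }')
    [ -n "$opts" ] || return 1                   # nothing ssh-rsa related found
    printf 'Host %s\n%s\n' "$host" "$opts"
}

# Constructed sample: stderr from two failed attempts against one legacy
# server (host key negotiation fails first; key auth fails once that is fixed).
suggest_stanza legacy.example.com <<'EOF'
Unable to negotiate with 203.0.113.7 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
debug1: Offering public key: /home/user/.ssh/id_rsa RSA (constructed)
debug1: send_pubkey_test: no mutual signature algorithm
user@legacy.example.com: Permission denied (publickey).
EOF
```

Feed it real output with ssh -v some.hostname 2>&1 | suggest_stanza some.hostname; a non-zero exit means neither failure appeared in the log, so the stanza would not help.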

5

You can add the following line to /etc/ssh/ssh_config if you want to add this config for all users or to ~/.ssh/config if you want to add this to your own user.

HostKeyAlgorithms +ssh-rsa

hfranco
  • 51
0

Also you can use the PubkeyAcceptedKeyTypes SSH option:

ssh -o PubkeyAcceptedKeyTypes=+ssh-rsa foo@old_server
panticz
  • 1,718
-1

Do this:

$ eval `ssh-agent -s`
$ ssh-add ~/.ssh/(your key filename)

Then test:

$ ssh -T git@github.com

It has been OK.