16

SSH without password does not work after upgrading from Ubuntu 18.04 to Ubuntu 22.04. The client is Ubuntu 22.04 and the server is Ubuntu 14.04. Using Ubuntu 18.04 as client works correctly.

I have done the correct steps of generating the key in .ssh and copying it to the server, but in Ubuntu 22.04 it does not work.

Summary of the steps I have always performed and have always worked:

ssh-keygen -t rsa
cat .ssh/id_rsa.pub | ssh -p 1331 user@server 'cat >> .ssh/authorized_keys'

Is this a Seahorse problem? In Seahorse in Ubuntu 22.04 I can't find the option "The owner of this key is authorized to connect to this computer", which is there in 18.04. I don't know if this may have something to do with it.

Has this happened to anyone else?

karel
Mario

5 Answers

25

The RSA SHA-1 hash algorithm is being quickly deprecated. There is a workaround for re-enabling RSA at SSH-RSA key rejected with message "no mutual signature algorithm".

To fully resolve this issue, our team recommends that these deprecated SSH keys be regenerated using a supported and more secure algorithm such as ECDSA and ED25519. SSH keys generated with either ECDSA or ED25519 algorithms are not affected by RSA deprecation.

Add the following line to /etc/ssh/ssh_config on the client side:

PubkeyAcceptedKeyTypes +ssh-rsa
karel
8

Update: I suggest trying the command-line lower down to see if the configuration changes proposed will actually work, that way you'll only be making config changes if you've already checked that they'll work.

tl;dr - Add these lines to an ssh config file (personal one typically in .ssh/config or system-wide one in /etc/ssh/ssh_config) if you're having this issue connecting to machines (say) alice.example.com and bob.example.org,

Host alice.example.com bob.example.org
    PubkeyAcceptedAlgorithms +ssh-rsa
    HostkeyAlgorithms +ssh-rsa

or in more detail:

SSH on Ubuntu and Linux in general normally refers to OpenSSH which now deprecates (and disables by default) the RSA SHA-1 algorithm. It's still available but has to be enabled for the hosts that need it, see their explainer,

When an SSH client connects to a server, each side offers lists of connection parameters to the other... For a successful connection, there must be at least one mutually-supported choice for each parameter.

To be able to connect to hosts with this issue, either or both of the above options are needed (and it's recommended to upgrade the hosts so that they no longer need to use this now-considered-insecure algorithm). In some circumstances you may want to enable these options for all hosts (Host *).

When you try connecting to a machine, if you see this error message,

Unable to negotiate with ... port 22: no matching host key type found. Their offer: ssh-rsa

that can be fixed with HostkeyAlgorithms +ssh-rsa

When you try connecting to a machine, if you see this error message,

username@some.hostname: Permission denied (publickey).

that may be fixed with PubkeyAcceptedAlgorithms +ssh-rsa

Putting that together gives you a stanza like this (in this case for 2 machines),

Host alice.example.com bob.example.org
    PubkeyAcceptedAlgorithms +ssh-rsa
    HostkeyAlgorithms +ssh-rsa

You need to add that stanza to either a personal .ssh config file (create it if it doesn't exist) typically in .ssh/config under your home directory, or if you want any user on your machine to have these settings, add the stanza to /etc/ssh/ssh_config.

If you don't want to make any configuration changes, you can specify the options on the command line instead,

ssh -oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedAlgorithms=+ssh-rsa some.hostname

Finally, note that the PubkeyAcceptedAlgorithms keyword supersedes PubkeyAcceptedKeyTypes mentioned in some answers (see "Bugfixes" section in the changelog).
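
The error-to-option mapping described in the answer above, as an added example that is not part of the original answer: a shell function that reads ssh client error output and prints only the options that output calls for, scoped to one named host. The function name suggest_stanza, the host names and the sample error line are constructed for illustration.

```sh
#!/bin/sh
# Added example (hypothetical helper, not from the original answer).
# Usage: suggest_stanza HOST < ssh_error_output
# Prints a per-host stanza containing only the legacy options the errors justify.
suggest_stanza() {
    host=$1
    # Refuse empty or wildcard hosts so ssh-rsa is never re-enabled globally.
    case $host in
        ''|*[*?]*) return 2 ;;
    esac
    log=$(cat)
    opts=""
    # Host key negotiation failed and ssh-rsa is among the server's offers.
    if printf '%s\n' "$log" | grep -Eq \
        'no matching host key type found\. Their offer: ([^ ,]+,)*ssh-rsa(,|$)'; then
        opts="${opts}    HostKeyAlgorithms +ssh-rsa
"
    fi
    # Client key refused. "Permission denied (publickey)" is only a candidate:
    # a wrong key or a missing authorized_keys entry prints the same message.
    if printf '%s\n' "$log" | grep -Eq \
        'no mutual signature algorithm|Permission denied \(publickey\)'; then
        opts="${opts}    PubkeyAcceptedAlgorithms +ssh-rsa
"
    fi
    # Nothing matched: emit no stanza rather than weaken the config blindly.
    [ -n "$opts" ] || return 1
    printf 'Host %s\n%s' "$host" "$opts"
}

# Constructed sample of client output (not captured from a real host).
sample='Unable to negotiate with 192.0.2.10 port 22: no matching host key type found. Their offer: ssh-rsa'
printf '%s\n' "$sample" | suggest_stanza alice.example.com
```
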

5

You can add the following line to /etc/ssh/ssh_config if you want to add this config for all users or to ~/.ssh/config if you want to add this to your own user.

HostKeyAlgorithms +ssh-rsa

hfranco
0

Also you can use the PubkeyAcceptedKeyTypes SSH option:

ssh -o PubkeyAcceptedKeyTypes=+ssh-rsa foo@old_server
panticz
-1

Do this:

$ eval `ssh-agent -s`
$ ssh-add ~/.ssh/(your key filename)

Then test:

$ ssh -T git@github.com

It has been OK.