All Products
Search

This Product

    :Resolve an RSA key-based connection failure to an instance

    Document Center

    :Resolve an RSA key-based connection failure to an instance

    Last Updated:Apr 29, 2025

    If you have Elastic Compute Service (ECS) instances that run operating systems such as Ubuntu and CentOS Stream 9, you may be unable to connect to the instances from specific types of SSH client (such as FinalShell and nuoshell clients) by using Rivest Shamir Adleman (RSA) keys. This topic describes how to resolve such an RSA key-based connection failure.

    Background information

    RSA is an asymmetric algorithm designed for public key cryptography and is widely used in e-commerce. Asymmetric algorithms require the use of key pairs that consist of public keys and private keys. Public keys and private keys are generated based on the algorithms. By default, key pairs created in ECS use RSA encryption. For more information, see Overview.

    RSA key-based connection failure to a Ubuntu 22.04 instance

    In the SSH protocol, the ssh-rsa signature scheme uses the SHA-1 hash algorithm together with the RSA public key algorithm. The SHA-1 hash algorithm is vulnerable to attacks. The ssh-rsa signature scheme has been deprecated in OpenSSH since the release next to 8.7.

    Note

    The deprecation of the ssh-rsa signature scheme does not require cessation of use for RSA keys. Keys can sign by using multiple algorithms. In particular, RSA keys can use rsa-sha2-256 (RSA/SHA256), rsa-sha2-512 (RSA/SHA512), and ssh-rsa (RSA/SHA1) to sign. Only ssh-rsa (RSA/SHA1) is disabled by default.

    Problem description

    When you attempt to connect to a Ubuntu 22.04 instance from an SSH client (such as a FinalShell or nuoshell client) by using an RSA key, the SSH client returns a connection failure and the following sshd log data:

    userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]

    Cause

    For the most recent operating system versions, OpenSSH no longer supports the ssh-rsa signature scheme by default and the use of this signature scheme leads to connection failures. However, specific types of SSH client such as FinalShell and nuoshell clients support only ssh-rsa (RSA/SHA1) by default and are incompatible with rsa-sha2-256 (rsa/SHA256) or rsa-sha2-512 (rsa/SHA512). As a result, these types of SSH client cannot be used to connect to the instance.

    Solution

    You can use one of the following methods to resolve the issue:

    • Method 1: Use a different encryption method such as elliptic curve digital signature algorithm (ECDSA) or digital signature algorithm (DSA) encryption.

    • Method 2: Use a different type of SSH client to connect to the instance, such as Workbench provided by Alibaba Cloud. For information about Workbench-based connection, see Connect to an instance by using Workbench.

    • Method 3: Run the following commands to allow the use of ssh-rsa (RSA/SHA1) in sshd configurations.

      Important

      ssh-rsa (RSA/SHA1) may pose security risks. Proceed with caution. 

      echo 'PubkeyAcceptedAlgorithms=+ssh-rsa' >> /etc/ssh/sshd_config
systemctl restart sshd

    RSA key-based connection failure to a CentOS Stream 9 instance or an instance that runs another operating system version

    Affected operating system versions

    • CentOS Stream 9

    • AlmaLinux 9

    • Rocky Linux 9

    • Red Hat Enterprise Linux 9

    • Fedora 33 and later

    Problem description

    When you attempt to connect to an instance from an SSH client (such as a FinalShell or nuoshell client) by using an RSA key, the SSH client returns a connection failure and the following sshd log data:

    userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]

    Cause

    By default, ssh-rsa (RSA/SHA1) is disabled in CentOS Stream 9. However, specific types of SSH client such as FinalShell and nuoshell clients support only ssh-rsa (RSA/SHA1) by default and are incompatible with rsa-sha2-256 (rsa/SHA256) or rsa-sha2-512 (rsa/SHA512). As a result, these types of SSH client cannot be used to connect to the instance.

    Note

    You can run the update-crypto-policies --show command to view the current system cryptographic policy.

    Solution

    You can use one of the following methods to resolve the issue:

    • Method 1: Use a different encryption method such as ECDSA or DSA encryption.

    • Method 2: Use a different type of SSH client to connect to the instance, such as Workbench provided by Alibaba Cloud. For more information about how to connect to an instance by using Workbench, see Methods for connecting to an ECS instance.

    • Method 3: Run the following commands to switch the cryptographic policy to the LEGACY level.

      Important

      The LEGACY policy may pose unknown security risks. Proceed with caution. 

      update-crypto-policies --set LEGACY
update-crypto-policies --show