
Resolve an RSA key-based connection failure to an instance

Last Updated: Mar 01, 2026

If you cannot connect to an Elastic Compute Service (ECS) instance using an RSA key from SSH clients such as FinalShell or nuoshell, the connection failure is likely caused by the deprecated ssh-rsa (RSA/SHA-1) signature scheme. This topic explains the cause and provides solutions for Ubuntu 22.04, CentOS Stream 9, and other affected operating systems.

Background

Rivest-Shamir-Adleman (RSA) is an asymmetric algorithm designed for public key cryptography and is widely used in e-commerce. Asymmetric algorithms use key pairs, each consisting of a public key and a private key that the algorithm generates together. By default, key pairs created in ECS are RSA key pairs. For more information, see Overview.

In the SSH protocol, the ssh-rsa signature scheme uses the SHA-1 hash algorithm together with the RSA public key algorithm. Because SHA-1 is vulnerable to attacks, the ssh-rsa signature scheme has been disabled by default since OpenSSH 8.8.

Note

The deprecation of the ssh-rsa signature scheme does not mean RSA keys can no longer be used. RSA keys can sign using multiple algorithms. Specifically, RSA keys support the following signature schemes:

  • rsa-sha2-256 (RSA/SHA-256)

  • rsa-sha2-512 (RSA/SHA-512)

  • ssh-rsa (RSA/SHA-1)

Only ssh-rsa (RSA/SHA-1) is disabled by default.

Error: key type ssh-rsa not in PubkeyAcceptedAlgorithms on Ubuntu 22.04

Symptom

When you connect to an Ubuntu 22.04 instance from an SSH client such as FinalShell or nuoshell using an RSA key, the connection fails. The sshd log contains the following error:

userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]

Cause

On Ubuntu 22.04, OpenSSH no longer supports the ssh-rsa signature scheme by default. SSH clients such as FinalShell and nuoshell support only ssh-rsa (RSA/SHA-1) by default and are incompatible with rsa-sha2-256 (RSA/SHA-256) or rsa-sha2-512 (RSA/SHA-512). As a result, these clients cannot connect to the instance.

Solutions

Use one of the following methods to resolve this issue:

  • Method 1: Use a different key algorithm

    Use a key pair based on a different algorithm, such as Elliptic Curve Digital Signature Algorithm (ECDSA) or Digital Signature Algorithm (DSA).

  • Method 2: Use a different SSH client

    Use a different SSH client to connect to the instance, such as Workbench provided by Alibaba Cloud. For information about Workbench-based connection, see Connect to an instance by using Workbench.

  • Method 3: Re-enable ssh-rsa in sshd configuration

    Important

    ssh-rsa (RSA/SHA-1) may pose security risks. Proceed with caution.

    Run the following commands to allow ssh-rsa (RSA/SHA-1) in the sshd configuration:

    echo 'PubkeyAcceptedAlgorithms=+ssh-rsa' >> /etc/ssh/sshd_config
    systemctl restart sshd

Error: key type ssh-rsa not in PubkeyAcceptedAlgorithms on CentOS Stream 9 and similar distributions

Affected operating systems

  • CentOS Stream 9

  • AlmaLinux 9

  • Rocky Linux 9

  • Red Hat Enterprise Linux 9

  • Fedora 33 and later

Symptom

When you connect to an instance from an SSH client such as FinalShell or nuoshell using an RSA key, the connection fails. The sshd log contains the following error:

userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]

Cause

By default, ssh-rsa (RSA/SHA-1) is disabled in CentOS Stream 9 and the other listed operating systems. SSH clients such as FinalShell and nuoshell support only ssh-rsa (RSA/SHA-1) by default and are incompatible with rsa-sha2-256 (RSA/SHA-256) or rsa-sha2-512 (RSA/SHA-512). As a result, these clients cannot connect to the instance.

Note

You can run the update-crypto-policies --show command to view the current system cryptographic policy.

Solutions

Use one of the following methods to resolve this issue:

  • Method 1: Use a different key algorithm

    Use a key pair based on a different algorithm, such as ECDSA or DSA.

  • Method 2: Use a different SSH client

    Use a different SSH client to connect to the instance, such as Workbench provided by Alibaba Cloud. For more information about how to connect to an instance by using Workbench, see Methods for connecting to an ECS instance.

  • Method 3: Switch the cryptographic policy to LEGACY

    Important

    The LEGACY policy may pose unknown security risks. Proceed with caution.

    Run the following commands to switch the system cryptographic policy to the LEGACY level:

    update-crypto-policies --set LEGACY
    update-crypto-policies --show
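
The following shell check is an added example, not part of the original documentation. It reads the effective configuration printed by `sshd -T` and reports which of the three RSA signature schemes listed in the Background note are accepted, so you can confirm the state before and after applying Method 3. The function names and the sample configuration lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `sshd -T` output (effective sshd settings, one
# lowercase keyword per line) on stdin and reports, for each RSA signature
# scheme, whether it is accepted for public key authentication.
rsa_sig_status() {
    awk '
        $1 == "pubkeyacceptedalgorithms" {
            # Split on commas and compare whole names: a substring match
            # would also hit rsa-sha2-256-cert-v01@openssh.com and similar.
            n = split($2, algs, ",")
            for (i = 1; i <= n; i++) accepted[algs[i]] = 1
            found = 1
        }
        END {
            if (!found) { print "pubkeyacceptedalgorithms not found"; exit 2 }
            m = split("rsa-sha2-256 rsa-sha2-512 ssh-rsa", want, " ")
            for (i = 1; i <= m; i++)
                print want[i], ((want[i] in accepted) ? "enabled" : "disabled")
        }'
}

# Succeeds (exit 0) only when the SHA-1 scheme ssh-rsa is accepted.
sha1_rsa_accepted() {
    rsa_sig_status | grep -qx 'ssh-rsa enabled'
}

# Constructed sample: default-style list. ssh-rsa appears only under
# hostkeyalgorithms, which does not govern user key authentication.
SAMPLE_DEFAULT='port 22
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,ssh-rsa
pubkeyacceptedalgorithms ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256'

# Constructed sample: the same list after PubkeyAcceptedAlgorithms=+ssh-rsa.
SAMPLE_REENABLED='port 22
pubkeyacceptedalgorithms ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa'

printf '%s\n' "$SAMPLE_DEFAULT" | rsa_sig_status
printf '%s\n' "$SAMPLE_REENABLED" | rsa_sig_status

# On a live instance, as root:  sshd -T | rsa_sig_status
```

If `rsa-sha2-256` and `rsa-sha2-512` are reported as enabled while `ssh-rsa` is disabled, the existing RSA key is still usable and only the client's signature scheme support is at fault.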