I have a server (running openssh 8.1p1-2) with sshd_config configured like this to accept only ed25519 keys:
PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
That works great for our team. We all use only ed25519 keys. And the directive is working correctly because other key types are rejected.
However, now I have the need to temporarily let a person connect who can only use an rsa key type (by policy they cannot control).
I made the following change:
PubkeyAcceptedKeyTypes ssh-rsa,ssh-rsa-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
… and restarted sshd:
systemctl restart sshd
According to systemctl status sshd, sshd status is error-free. However, when this person tries to connect, the server logs show:
sshd[12345]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]
The error on the client side is simply:
No more authentication methods to try. user@ip: Permission denied (publickey).
I do not understand the issue because ssh-rsa is in the PubkeyAcceptedKeyTypes. What am I missing?
Best Answer
I have just run into this issue... I needed to add key type rsa-sha2-512 instead of ssh-rsa. (There is also an rsa-sha2-256, which I did not need).
I'm using OpenSSH_8.2p1 on Arch.
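
An added example, not part of the original question or answer: entries in this directive are matched by name, and rsa-sha2-256 and rsa-sha2-512 are separate names from ssh-rsa, so this script reports which of the three a given effective configuration accepts. The function names and the two sample configurations are constructed for illustration; the input is assumed to be in the format printed by `sshd -T`.

```shell
#!/bin/sh
# Added example: report which RSA signature algorithm names an sshd
# accepts for public-key authentication.
# Input on stdin: effective configuration text as printed by `sshd -T`
# (one "keyword value" pair per line, list values comma-separated).

# Print the comma-separated list from the PubkeyAcceptedKeyTypes line.
# OpenSSH 8.5 renamed the keyword to PubkeyAcceptedAlgorithms, so both
# spellings are checked.
accepted_list() {
    awk 'tolower($1) == "pubkeyacceptedkeytypes" ||
         tolower($1) == "pubkeyacceptedalgorithms" { print $2; exit }'
}

# Print one line per RSA signature algorithm name: "<name> yes|no".
# Whole-name match only, so ssh-rsa-cert-v01@openssh.com does not
# count as ssh-rsa.
rsa_sig_report() {
    list=$(accepted_list)
    for alg in ssh-rsa rsa-sha2-256 rsa-sha2-512; do
        case ",$list," in
            *",$alg,"*) echo "$alg yes" ;;
            *)          echo "$alg no" ;;
        esac
    done
}

# Constructed sample: the question's modified directive.
SAMPLE_QUESTION='port 22
pubkeyacceptedkeytypes ssh-rsa,ssh-rsa-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-ed25519'

# Constructed sample: the answer's change (rsa-sha2-512 instead of ssh-rsa).
SAMPLE_ANSWER='port 22
pubkeyacceptedkeytypes rsa-sha2-512,ssh-ed25519-cert-v01@openssh.com,ssh-ed25519'

echo "question's list:"; printf '%s\n' "$SAMPLE_QUESTION" | rsa_sig_report
echo "answer's list:";   printf '%s\n' "$SAMPLE_ANSWER"   | rsa_sig_report
```

On a live server, run `sshd -T | rsa_sig_report` as root after each change to confirm which names the running configuration actually resolves to, and remove the temporary RSA entry once the exception ends.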