Hey there,

What you're running into is actually a common issue when jumping from
libssh 0.9.x to 0.10.x. Starting with version 0.10, libssh made a
security-related change: it no longer allows the 'ssh-rsa' key type by
default because it's based on SHA-1, which is considered weak by modern
cryptographic standards. That’s why everything worked fine with version
0.9.6, but with 0.10.4 on RHEL9

But here’s the catch: the space after the + is messing it up. It should be:

  ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES, "+ssh-rsa");


On Mon, May 19, 2025 at 8:58 PM <g4-l...@tonarchiv.ch> wrote:

> Hi there,
>
> I wrote a client (TCP forwarding) that connects to a server which uses
> libssh V 0.9.7.
>
> When I compile the client with 0.9.6 (this is what I get with libssh-dev
> on Pop!_OS 22.04) then all works fine.
>
> However, on RHEL9, libssh-dev brings v0.10.4. And compiled with that
> version the client can't connect anymore:
>
> "ssh_userauth_try_publickey: The key algorithm 'ssh-rsa' is not allowed to
> be used by PUBLICKEY_ACCEPTED_TYPES configuration option"
>
> At first I was confused: Who says this? The server? But it accepted the
> key when using a client with version 0.9.6.
> So I tried to add 'ssh-rsa' to the client's allowed key types:
>
> if (ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
>                     "+ ssh-rsa") < 0) {
>     fprintf(stderr, "ssh_options_set failed: %s\n", ssh_get_error(session));
> }
>
> ssh_options_set(...) seems to succeed. However, everything else remains
> the same. The key algorithm 'ssh-rsa' is not allowed to be used...
>
> How can this be solved? What is the right way to convince libssh that it
> can use public keys of type ssh-rsa?
>
> The remote account only knows my ssh-rsa public key and this can't be
> changed easily. That's why I have to stick with that type...
>
> Cheers
> Till
>
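
Because ssh_options_set reported success for "+ ssh-rsa" in the message above, a client can clean the list up before handing it over. The helper below is an added example, not code from the thread or from libssh; clean_algo_list and its rules are assumptions, and it handles only the "+" prefix used above.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper, not part of libssh. Copies an algorithm list such as
 * "+ ssh-rsa" into out with whitespace around the modifier and the commas
 * removed. Returns 0 on success, -1 on an empty list or entry, whitespace
 * inside a name, an unexpected character, or an output buffer too small. */
int clean_algo_list(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    int need_name = 1;   /* next visible character must start a name */
    int gap = 0;         /* whitespace seen after the current name began */

    if (in == NULL || out == NULL || outlen == 0)
        return -1;
    for (const char *p = in; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (isspace(c)) {
            gap = !need_name;          /* only matters once a name started */
            continue;
        }
        if (c == '+' && n == 0) {
            /* leading modifier: keep it, a name must still follow */
        } else if (c == ',') {
            if (need_name)
                return -1;             /* ",," or a leading "," */
            need_name = 1;
            gap = 0;
        } else if (isalnum(c) || c == '-' || c == '.' || c == '@') {
            if (gap)
                return -1;             /* "ssh rsa": space splits a name */
            need_name = 0;
        } else {
            return -1;
        }
        if (n + 1 >= outlen)
            return -1;                 /* no room for c plus terminator */
        out[n++] = (char)c;
    }
    if (need_name)
        return -1;                     /* "", "+", or a trailing "," */
    out[n] = '\0';
    return 0;
}

/* Usage with the call from the thread (types is a char[64]):
 *   if (clean_algo_list("+ ssh-rsa", types, sizeof types) == 0)
 *       ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES, types); */
```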
