Hi there and thanks for your reply!

You mean '+ssh-rsa' i.e. without any space? I also tried that, and with a 
complete list, too:
ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES, 
"rsa-sha2-256,rsa-sha2-512,ecdh-sha2-nistp256,ssh-rsa");

Nothing seems to help so far...

It actually says (with debug log level):
ssh_userauth_publickey_auto: ssh_userauth_publickey_auto: Public key for /opt/myproxy/.ssh/id_rsa refused by server
ssh_userauth_publickey_auto: Access denied: Tried every public key, none matched
ssh_userauth_publickey_auto Instance #11 failed: The key algorithm 'ssh-rsa' is not allowed to be used by PUBLICKEY_ACCEPTED_TYPES configuration option

The last line comes from ssh_get_error(session):
 if (ssh_userauth_publickey_auto(session, NULL, NULL) != SSH_AUTH_SUCCESS) {
     /* log label matches the debug output quoted above */
     tlog_error("ssh_userauth_publickey_auto Instance #%d failed: %s",
                inst->instance_id, ssh_get_error(session));
     ...
But why does it say "refused by server"? Is this just bad wording? Or is it 
really rejected by the peer?

May 19, 2025 10:19 PM, "Malak Bouaksa" <[email protected]> wrote:
        Hey there,

        What you're running into is actually a common issue when jumping from 
libssh 0.9.x to 0.10.x. Starting with version 0.10, libssh made a 
security-related change: it no longer allows the 'ssh-rsa' key type by default 
because it's based on SHA-1, which is considered weak by modern cryptographic 
standards. That’s why everything worked fine with version 0.9.6, but with 
0.10.4 on RHEL9

        but here’s the catch: the space after the + is messing it up. It 
should be: ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES, "+ssh-rsa");

On Mon, May 19, 2025 at 8:58 PM <[email protected]> wrote:
Hi there,

I wrote a client (TCP forwarding) that connects to a server which uses libssh V 
0.9.7.

When I compile the client with 0.9.6 (this is what I get with libssh-dev on 
Pop!_OS 22.04) then all works fine.

However, on RHEL9, libssh-dev brings v0.10.4. And compiled with that version 
the client can't connect anymore:

"ssh_userauth_try_publickey: The key algorithm 'ssh-rsa' is not allowed to be 
used by PUBLICKEY_ACCEPTED_TYPES configuration option"

At first I was confused: Who says this? The server? But it accepted the key 
when using a client with version 0.9.6.
So I tried to add 'ssh-rsa' to the client's allowed key types:

if (ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES, "+ ssh-rsa") < 0) {
    /* report why the option was rejected */
    fprintf(stderr, "ssh_options_set failed: %s\n", ssh_get_error(session));
}

ssh_options_set(...) seems to succeed. However, everything else remains the 
same. The key algorithm 'ssh-rsa' is not allowed to be used...

How can this be solved? What is the right way to convince libssh that it can 
use public keys of type ssh-rsa?

The remote account only knows my ssh-rsa public key and this can't be changed 
easily. That's why I have to stick with that type...

Cheers
Till
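
A stand-alone lint for the string passed to SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES, added here as an example (not libssh code and not written by anyone in the thread): it flags whitespace inside an entry, names that are not public-key signature algorithms (ecdh-sha2-nistp256 is a key-exchange name), and the SHA-1 based ssh-rsa. The function names, the known-name table and the handling of a leading +, - or ^ modifier are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Public-key signature algorithm names from RFC 4253, 5656, 8332 and 8709.
 * Constructed for this example; index 0 is the SHA-1 based one. */
static const char *const KNOWN[] = {
    "ssh-rsa", "rsa-sha2-256", "rsa-sha2-512", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
};

enum { ENTRY_OK = 0, ENTRY_SPACE = 1, ENTRY_UNKNOWN = 2, ENTRY_SHA1 = 4 };

/* Classify one comma-separated entry of length len. */
static int lint_entry(const char *e, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (isspace((unsigned char)e[i]))
            return ENTRY_SPACE;
    for (size_t k = 0; k < sizeof KNOWN / sizeof KNOWN[0]; k++)
        if (strlen(KNOWN[k]) == len && memcmp(KNOWN[k], e, len) == 0)
            return k == 0 ? ENTRY_SHA1 : ENTRY_OK;
    return ENTRY_UNKNOWN; /* e.g. a key-exchange name, or an empty entry */
}

/* Return the OR of all ENTRY_* findings for the whole option value.
 * Assumption: one optional leading '+', '-' or '^' modifier is allowed. */
int lint_accepted_types(const char *value) {
    int findings = 0;
    if (*value == '+' || *value == '-' || *value == '^')
        value++;
    for (;;) {
        size_t len = strcspn(value, ",");
        findings |= lint_entry(value, len);
        if (value[len] == '\0')
            return findings;
        value += len + 1;
    }
}

int main(void) {
    /* Sample values taken from or modelled on the thread. */
    const char *samples[] = {
        "+ ssh-rsa", "+ssh-rsa",
        "rsa-sha2-256,rsa-sha2-512,ecdh-sha2-nistp256,ssh-rsa",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%d  %s\n", lint_accepted_types(samples[i]), samples[i]);
    return 0;
}
```

The check is purely syntactic: it says nothing about whether libssh, the system crypto policy or the server will accept a given algorithm.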
