You're absolutely right to be confused — that error message is really misleading. When libssh says the key was “refused by server,” it often doesn’t actually mean the server rejected it. In your case, the message *"The key algorithm 'ssh-rsa' is not allowed to be used by PUBLICKEY_ACCEPTED_TYPES configuration option"* shows that it’s the *client itself*, not the server, refusing the key. It’s likely that libssh 0.10.4 is filtering out ssh-rsa internally before it even tries to use it. This is a new default behavior introduced for security reasons, since ssh-rsa uses SHA-1, which is considered weak. To allow it, make sure you're calling ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES, "+ssh-rsa") (without a space after the plus) *before* calling ssh_connect(). If you set it too late, the option won’t take effect. Also consider setting SSH_OPTIONS_HOSTKEYS to include +ssh-rsa, just in case host key filtering is also in play. Finally, it’s worth checking whether your system’s libssh was compiled with ssh-rsa support disabled entirely — some distros remove it completely. A quick way to test that is by running strings on the libssh shared library to see if ssh-rsa appears at all. So no, the server probably isn’t refusing the key — your client just won’t let it be used unless you configure it properly, and sometimes not even then if it’s compiled out.
And can I know who is talking to me and how you got my email? Thank you and I hope I helped with your problem.

On Mon, May 19, 2025 at 10:14 PM <g4-l...@tonarchiv.ch> wrote:

> Hi there and thanks for your reply!
>
> You mean ' ssh-rsa' i.e. without any space? I also tried that, and with a
> complete list, too:
> ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
>     "rsa-sha2-256,rsa-sha2-512,ecdh-sha2-nistp256,ssh-rsa");
>
> Nothing seems to help so far...
>
> It actually says (with debug log level):
> ssh_userauth_publickey_auto: ssh_userauth_publickey_auto: Public key for /opt/myproxy/.ssh/id_rsa refused by server
> ssh_userauth_publickey_auto: Access denied: Tried every public key, none matched
> ssh_userauth_publickey_auto Instance #11 failed: The key algorithm 'ssh-rsa' is not allowed to be used by PUBLICKEY_ACCEPTED_TYPES configuration option
>
> The last line comes from ssh_get_error(session):
> if(ssh_userauth_publickey_auto(session, NULL, NULL) != SSH_AUTH_SUCCESS) {
>     tlog_error("ssh_userauth_password Instance #%d failed: %s",
>                inst->instance_id, ssh_get_error(session));
> ...
> But why does it say: refused by server? Is this just a bad wording? Or is it
> really rejected by the peer?
>
> May 19, 2025 10:19 PM, "Malak Bouaksa" <bouaksama...@gmail.com> wrote:
>
> Hey there,
>
> What you're running into is actually a common issue when jumping from
> libssh 0.9.x to 0.10.x. Starting with version 0.10, libssh made a
> security-related change: it no longer allows the 'ssh-rsa' key type by
> default because it's based on SHA-1, which is considered weak by modern
> cryptographic standards.
>
> That’s why everything worked fine with version 0.9.6, but with 0.10.4 on
> RHEL9 but here’s the catch: the space after the + is messing it up. It
> should be: ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
> "+ ssh-rsa");
>
> On Mon, May 19, 2025 at 8:58 PM <g4-l...@tonarchiv.ch> wrote:
>
> Hi there,
>
> I wrote a client (TCP forwarding) that connects to a server which uses
> libssh V 0.9.7.
>
> When I compile the client with 0.9.6 (this is what I get with libssh-dev
> on Pop!_OS 22.04) then all works fine.
>
> However, on RHEL9, libssh-dev brings v0.10.4. And compiled with that
> version the client can't connect anymore:
>
> "ssh_userauth_try_publickey: The key algorithm 'ssh-rsa' is not allowed to
> be used by PUBLICKEY_ACCEPTED_TYPES configuration option"
>
> At first I was confused: Who says this? The server? But it accepted the
> key when using a client with version 0.9.6.
> So I tried to add 'ssh-rsa' to the client's allowed key types:
>
> if (ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES, "+ ssh-rsa") < 0) {
>     fprintf(stderr, "ssh_options_set failed: %s\n", ssh_get_error(session));
> }
>
> ssh_options_set(...) seems to succeed. However, everything else remains
> the same. The key algorithm 'ssh-rsa' is not allowed to be used...
>
> How can this be solved? What is the right way to convince libssh that it
> can use public keys of type ssh-rsa?
>
> The remote account only knows my ssh-rsa public key and this can't be
> changed easily. That's why I have to stick with that type...
>
> Cheers
> Till
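
Added example, not part of the thread and not libssh project code: a small shell triage for the two checks discussed above, namely whether the refusal in the debug log came from the client's own PUBLICKEY_ACCEPTED_TYPES filter, and whether a library file contains `ssh-rsa` as a whole algorithm name. The function names `classify_refusal` and `lib_has_algo` are hypothetical, the log lines are the ones quoted in the thread, and the two "library" files are constructed stand-ins.

```shell
#!/bin/sh
# Added example: triage helpers for a libssh "refused by server" failure.
# classify_refusal and lib_has_algo are hypothetical names, not libssh tools.

# classify_refusal LOGFILE
#   client-policy   : libssh filtered the algorithm before offering the key
#   peer-or-unknown : only the generic refusal text is present
#   no-refusal      : neither message found
classify_refusal() {
    if grep -q "not allowed to be used by PUBLICKEY_ACCEPTED_TYPES" "$1"; then
        echo client-policy
    elif grep -q "refused by server" "$1"; then
        echo peer-or-unknown
    else
        echo no-refusal
    fi
}

# lib_has_algo FILE ALGO
# Same idea as `strings FILE | grep ALGO`, but splits the bytes into whole
# algorithm names first, so a name such as "ssh-rsa-cert-v01@openssh.com"
# is not mistaken for "ssh-rsa".
lib_has_algo() {
    LC_ALL=C tr -c 'A-Za-z0-9@._-' '\n' < "$1" | grep -xF -e "$2" > /dev/null
}

demo() {
    dir=$(mktemp -d) || return 1
    # Log lines as quoted in the thread.
    cat > "$dir/debug.log" <<'EOF'
ssh_userauth_publickey_auto: Public key for /opt/myproxy/.ssh/id_rsa refused by server
ssh_userauth_publickey_auto: Access denied: Tried every public key, none matched
The key algorithm 'ssh-rsa' is not allowed to be used by PUBLICKEY_ACCEPTED_TYPES configuration option
EOF
    # Constructed stand-ins for two library builds (not real libssh binaries).
    printf 'x\000rsa-sha2-512,rsa-sha2-256,ssh-rsa\000' > "$dir/with.bin"
    printf 'x\000rsa-sha2-512,rsa-sha2-256\000ssh-rsa-cert-v01@openssh.com\000' > "$dir/without.bin"
    echo "log verdict: $(classify_refusal "$dir/debug.log")"
    for f in with.bin without.bin; do
        if lib_has_algo "$dir/$f" ssh-rsa; then
            echo "$f: ssh-rsa present"
        else
            echo "$f: ssh-rsa absent"
        fi
    done
    rm -rf "$dir"
}
demo
```

On a real system, pass the path of the installed libssh shared object as FILE and the client's debug log as LOGFILE.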