ssh-rsa keys no longer work

See Unable to add SSH key - #8 by dtcsight

ssh-rsa existing keys and new keys (for example, if I re-added or just generated a new one) don’t work and complain about the pattern. Systems with these automated users are possibly broken and they are now forced to update to the new keys like ed25519.

Hi,

My keys (and a newly generated one) seem to work with existing devices through balenaCloud.
Can you share which versions and commands you are using where this fails?
Are you trying to ssh into them directly rather than through balenaCloud?

For reference, I’m using keys generated using ssh-keygen -t rsa -b 4096.

Yep, that’s the one I was using. I just tested it just now. It works again but I’m pretty confident on that day I posted (Nov. 9) that it was not working.

I am having the same issue. Existing ssh keys imported from github no longer work as of November 9th.

I’ve heard rumours of others experiencing this too, but it just hit me just now too. It’s possible it was linked to updates on my end, since I’ve updated to Ventura and updated the cli recently. But can confirm that right now:

  • cli 14.3.1 on macOS 11.7.1 still works with existing RSA key.
  • cli 14.5.12 on macOS 13.0.1 did not work with a new RSA key, but works with a new ed25519 key.

Ah, I found the internal record of this issue. Turns out that yes, openssh 8.7 disables SHA-1 for RSA signatures by default, and that’s likely underpinning the change in behaviour. Many OSes are starting to include the newer openssh, including Fedora 33+, Alpine 3.15 and macOS 13 (Ventura).

So you can either ask your client to enable it by adding PubkeyAcceptedKeyTypes +ssh-rsa to your ssh config, or create a supported key like ecdsa or ed25519.

I am on macOS Ventura and adding:

Host git.balena-cloud.com
  PubkeyAcceptedKeyTypes +ssh-rsa

Solved the issue for me
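
Added example, not part of the thread: a small check that reads the resolved client configuration printed by `ssh -G <host>` and reports whether the SHA-1 based `ssh-rsa` signature algorithm is accepted for that host, which shows whether an override like the one above took effect. The function name `rsa_sig_status` and the sample lines are constructed for illustration; a result of `rsa-sha2-only` means RSA keys are offered only with SHA-2 signatures, which works when the server supports them.

```shell
#!/bin/sh
# Classify a client's effective public-key signature algorithms for one host.
# Input (stdin): the output of `ssh -G <host>`, which prints the resolved
# client configuration with lowercase option names.
rsa_sig_status() {
    awk '
        # Newer clients print pubkeyacceptedalgorithms; older ones print the
        # previous option name, pubkeyacceptedkeytypes.
        $1 == "pubkeyacceptedalgorithms" || $1 == "pubkeyacceptedkeytypes" {
            found = 1
            n = split($2, algs, ",")
            for (i = 1; i <= n; i++) {
                if (algs[i] == "ssh-rsa") sha1 = 1
                if (algs[i] ~ /^rsa-sha2-(256|512)$/) sha2 = 1
            }
        }
        END {
            if (!found)    print "unknown"
            else if (sha1) print "ssh-rsa-enabled"
            else if (sha2) print "rsa-sha2-only"
            else           print "no-rsa"
        }'
}

# Constructed, shortened samples of the relevant `ssh -G` lines.
SAMPLE_DEFAULT='hostname git.balena-cloud.com
pubkeyacceptedalgorithms ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256'
SAMPLE_OVERRIDE='hostname git.balena-cloud.com
pubkeyacceptedalgorithms ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa'

printf 'default:  %s\n' "$(printf '%s\n' "$SAMPLE_DEFAULT" | rsa_sig_status)"
printf 'override: %s\n' "$(printf '%s\n' "$SAMPLE_OVERRIDE" | rsa_sig_status)"
```

On a real client, run `ssh -G git.balena-cloud.com | rsa_sig_status` before and after editing the ssh config.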