Ubuntu 22.04 SSH-RSA Login Failure

· 2 min read · 240 Words · -Views -Comments

Users reported that our WebShell couldn’t log into Ubuntu 22.04 via SSH key—authentication kept failing. Here’s the investigation and fix.

error screenshot

ssh2 (the Node.js library we use) reported:

Client: publickey auth failed
Error: All configured authentication methods failed

Investigation

  1. Keys were RSA.
  2. Logging in via Terminal/iTerm2 on macOS worked:
    ssh -v -i ~/test.pem ubuntu@1.221.54.8
    
    So our WebShell implementation (ssh2) was the outlier.

Tip: If you see Permissions 0644 for 'test.pem' are too open, run chmod 400 test.pem. Type exit to close the session.

Analysis

  • Both Terminal and iTerm2 succeed; apps built on the ssh2 module (Tabby, Electerm, etc.) fail. So the issue is in ssh2.
  • Ubuntu 22.04 disables ssh-rsa signatures by default; older releases didn’t.

Conclusion: new OpenSSH servers reject SHA-1 signatures, while ssh2 still tries to use them. Local terminals handle the fallback; ssh2 doesn’t (yet).

Fixes

  1. Server configuration — allow ssh-rsa temporarily:
    sudo vi /etc/ssh/sshd_config
    PubkeyAcceptedKeyTypes +ssh-rsa
    sudo service sshd restart
    
  2. Regenerate keys with stronger algorithms (e.g., ed25519).
  3. Upgrade ssh2 — use a commit/PR that adds rsa-sha2-512/256 support:
    "ssh2": "git@github.com:Eugeny/ssh2.git#22735cecf1d9c118b2b8af1c2f80fe5b04996fe1"
    

All three solutions work.

Why ssh-rsa Is Deprecated

From OpenSSH 8.2 release notes:

Chosen-prefix attacks against SHA-1 now cost < $50K. We’ll disable the ssh-rsa signature algorithm by default in a future release.

RSA itself is fine; SHA-1 is weak. Ubuntu 22.04 prefers rsa-sha2-512/256. ssh2 failed because it kept signing with SHA-1. Update: https://github.com/Eugeny/ssh2/commit/22735cec

Final Thoughts

Existing RSA keys are still usable—just avoid SHA-1 signatures.

References

Authors
Developer, digital product enthusiast, tinkerer, sharer, open source lover