Ubuntu 22.04 SSH-RSA Login Failure
Users reported that our WebShell couldn’t log into Ubuntu 22.04 via SSH key—authentication kept failing. Here’s the investigation and fix.
ssh2 (the Node.js library we use) reported:
Client: publickey auth failed
Error: All configured authentication methods failed
Investigation
- Keys were RSA.
- Logging in via Terminal/iTerm2 on macOS worked:
  ssh -v -i ~/test.pem ubuntu@1.221.54.8
  So our WebShell implementation (ssh2) was the outlier.
Tip: If you see "Permissions 0644 for 'test.pem' are too open", run chmod 400 test.pem. Type exit to close the session.
Analysis
- Both Terminal and iTerm2 succeed; apps built on the ssh2 module (Tabby, Electerm, etc.) fail. So the issue is in ssh2.
- Ubuntu 22.04 disables ssh-rsa signatures by default; older releases didn’t.
Conclusion: new OpenSSH servers reject SHA-1 signatures, while ssh2 still tries to use them. Local terminals handle the fallback; ssh2 doesn’t (yet).
Fixes
- Server configuration — allow ssh-rsa temporarily:
  sudo vi /etc/ssh/sshd_config
  PubkeyAcceptedKeyTypes +ssh-rsa
  sudo service sshd restart
- Regenerate keys with stronger algorithms (e.g., ed25519).
- Upgrade ssh2 — use a commit/PR that adds rsa-sha2-512/256 support:
  "ssh2": "git@github.com:Eugeny/ssh2.git#22735cecf1d9c118b2b8af1c2f80fe5b04996fe1"
All three solutions work.
Why ssh-rsa Is Deprecated
From OpenSSH 8.2 release notes:
Chosen-prefix attacks against SHA-1 now cost < $50K. We’ll disable the ssh-rsa signature algorithm by default in a future release.
RSA itself is fine; SHA-1 is weak. Ubuntu 22.04 prefers rsa-sha2-512/256. ssh2 failed because it kept signing with SHA-1.
Update: https://github.com/Eugeny/ssh2/commit/22735cec
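How a client can avoid signing with SHA-1 when the key is RSA, as an added example (not code from ssh2 or from the original post): it parses the server's SSH_MSG_EXT_INFO message and picks the strongest RSA signature algorithm listed in server-sig-algs. The function names and the sample payload are constructed for illustration, and it assumes the server sends the RFC 8308 extension.

```javascript
// Added example (not ssh2's code): pick the RSA signature algorithm from the
// server's SSH_MSG_EXT_INFO "server-sig-algs" extension (RFC 8308, RFC 8332).
const SSH_MSG_EXT_INFO = 7;

// Read an SSH "string": uint32 big-endian length, then that many bytes.
function readString(buf, off) {
  if (off + 4 > buf.length) throw new RangeError('truncated length');
  const end = off + 4 + buf.readUInt32BE(off);
  if (end > buf.length) throw new RangeError('truncated string');
  return { value: buf.subarray(off + 4, end), next: end };
}

// Parse an EXT_INFO payload into a Map of extension name -> raw value.
function parseExtInfo(payload) {
  if (payload[0] !== SSH_MSG_EXT_INFO) throw new Error('not SSH_MSG_EXT_INFO');
  const count = payload.readUInt32BE(1);
  const exts = new Map();
  let off = 5;
  for (let i = 0; i < count; i++) {
    const name = readString(payload, off);
    const val = readString(payload, name.next);
    exts.set(name.value.toString('ascii'), val.value);
    off = val.next;
  }
  return exts;
}

// Choose the signature algorithm for an RSA key. SHA-2 variants come first;
// returns null when the server lists algorithms but none fits an RSA key.
function pickRsaSigAlg(exts) {
  const raw = exts.get('server-sig-algs');
  if (!raw) return 'ssh-rsa'; // no extension: RFC 8332 allows this default
  const offered = new Set(raw.toString('ascii').split(','));
  for (const alg of ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-rsa'])
    if (offered.has(alg)) return alg;
  return null;
}

// Constructed sample payload builder (illustrative, not captured traffic).
function sshStr(s) {
  const len = Buffer.alloc(4);
  len.writeUInt32BE(Buffer.byteLength(s, 'ascii'));
  return Buffer.concat([len, Buffer.from(s, 'ascii')]);
}
function extInfo(algs) {
  const head = Buffer.from([SSH_MSG_EXT_INFO, 0, 0, 0, 1]);
  return Buffer.concat([head, sshStr('server-sig-algs'), sshStr(algs)]);
}
console.log(pickRsaSigAlg(parseExtInfo(extInfo('ssh-ed25519,rsa-sha2-512,rsa-sha2-256'))));
```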
Final Thoughts
Existing RSA keys are still usable—just avoid SHA-1 signatures.