Ubuntu Jammy disables ssh-rsa
Have you upgraded to Ubuntu Jammy lately and found SSH access or git breaking? If so, you have come to the right place!
Ubuntu Jammy (22.04) launched recently, and one of the biggest changes is that ssh-rsa is disabled by default in the version of OpenSSH it ships with.
There is a lot of confusion on the internet, and the docs still seem to be a bit sketchy, so I hope this will help someone out!
Points to note
- There is a key type ssh-rsa. This is the ‘default’ key that OpenSSH has been generating; you probably have a key of this type. This is not disabled, yet.
- There is a key algorithm, also named ssh-rsa. This is the one that is disabled. It uses the ssh-rsa key type together with a SHA-1 hash for authentication in SSH. SHA-1 is now considered broken and should be replaced with SHA-256 or SHA-512.
- To allow continued use of the ssh-rsa key type, RFC 8332 defined two new key algorithms, rsa-sha2-256 and rsa-sha2-512. These have been supported by major operating systems for a while.
- SSH clients and servers negotiate and use the stronger algorithms if both support them, and clients fall back to the weaker algorithm if not. Therefore, you may be using your ssh-rsa key type with a bunch of different servers with varying key algorithms without realising it.
- Ubuntu Jammy, as an SSH client, will now refuse to talk to a server if it tries to use the weaker ssh-rsa key algorithm for SSH.
This means that your ssh-rsa key can still be used; however, the server you are talking to MUST support the newer key algorithms. Unfortunately, rsa-sha2-256 support is still making its way into major software. See the list below for more information.
Testing
To test if a server supports rsa-sha2-256 or rsa-sha2-512, do the following:
ssh -o PubkeyAcceptedKeyTypes=rsa-sha2-256 <user>@<server>
You can also test the opposite case, restricting the client to only the old ssh-rsa algorithm, by doing:
ssh -o PubkeyAcceptedKeyTypes=ssh-rsa <user>@<server>
(On OpenSSH 8.5 and later, which includes the version in Jammy, this option is named PubkeyAcceptedAlgorithms; PubkeyAcceptedKeyTypes is still accepted as an alias.)
If it breaks, this means the software doesn’t support rsa-sha2-256. You can, in order of preference:
- allow list the particular server,
- upgrade to a newer version (check the software list below), or
- change to use ed25519 keys.
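As an added example (this is not from the original post), here is the probe above wrapped in a small POSIX shell script: it forces the client to offer one signature algorithm at a time and reads ssh’s stderr to tell “server lacks the algorithm” apart from “algorithm negotiated but key not authorised”. It assumes an RSA key file and a user@server that you supply; both are placeholders.

```shell
#!/bin/sh
# probe_rsa_sha2.sh (added example, not from the original post).
# Usage: sh probe_rsa_sha2.sh <user>@<server> ~/.ssh/id_rsa
# Assumes the key is an RSA key: rsa-sha2-* signatures only apply to the
# ssh-rsa key type, so an ed25519 key would never be offered here.

# classify_probe <ssh exit status> <captured stderr>  -> one word on stdout
classify_probe() {
  status=$1
  err=$2
  case "$err" in
    # Client found no signature algorithm both sides accept: server lacks it.
    *"no mutual signature supported"*) echo "unsupported" ;;
    # Algorithm was negotiated; the key itself is simply not authorised.
    *"Permission denied (publickey"*)  echo "negotiated-but-key-rejected" ;;
    *)
      if [ "$status" -eq 0 ]; then echo "supported"; else echo "unknown"; fi ;;
  esac
}

# probe_algo <algorithm> <user@server> <key path>
# Restricts the client to a single signature algorithm, then classifies.
probe_algo() {
  algo=$1; target=$2; key=$3
  status=0
  err=$(ssh -o BatchMode=yes -o ConnectTimeout=5 \
            -o PubkeyAcceptedKeyTypes="$algo" \
            -o IdentitiesOnly=yes -i "$key" "$target" exit 2>&1 >/dev/null) \
      || status=$?
  classify_probe "$status" "$err"
}

# Only probe when a target and key were given on the command line.
if [ $# -ge 2 ]; then
  for algo in rsa-sha2-512 rsa-sha2-256 ssh-rsa; do
    printf '%-13s %s\n' "$algo" "$(probe_algo "$algo" "$1" "$2")"
  done
fi
```

A server that reports "supported" for rsa-sha2-256 or rsa-sha2-512 but "unsupported" for ssh-rsa is already in good shape; one that only reports "supported" for ssh-rsa needs the upgrade or the allow-list entry described here.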
Allow listing servers
You can set this in your SSH config (~/.ssh/config) for each server you want to use the weaker algorithm with:
Host <hostname>
    PubkeyAcceptedKeyTypes +ssh-rsa
Software needing update
You might be running a particular application that breaks now that you are connecting to it from Jammy. This is because a lot of SSH servers traditionally only support the basic SHA-1 ssh-rsa and have not implemented rsa-sha2-256. This includes many SSH libraries, like paramiko and mina, which other software uses to build SSH/git server functionality.
These libraries have released newer versions which support rsa-sha2-256, but as we engineers know, you can mark a thing as deprecated for a LONG TIME and people will keep using it, only upgrading once things break. :)
Here is a list of links to different software
Hope this helps to clear the confusion! Feel free to reach out with suggestions / improvements.