Red Hat 8 (and derivatives/forks) implements a new version of the OpenSSH service. The new service deprecates support for SSH keys that rely on signing algorithms less modern than SHA2. As such, when one attempts to log in to a freshly-launched, spel-based VM, the administrator may find that the server rejects their SSH key. There are a couple of ways to ensure a key that will be recognized for login purposes:

- Instead of using `-t rsa`, use `-t rsa-sha2-256` or `-t rsa-sha2-512` when using OpenSSH's `ssh-keygen` to generate the key [3]
- Use `ssh-keygen` on a FIPS-enabled RHEL 8+ system to generate the key
- Use AWS EC2's Key Pairs » Create Key Pair option in AWS commercial regions [4]
Depending on the SSH client, the key may silently fail to work or it may print an error. If an error is printed, it will usually be something like:

```
Load key "/path/to/key-file": error in libcrypto
```

With or without the printing of the error, the key will be disqualified and the server will request that the client move on to the next available authentication method (usually password).
If one is able to access the system logs, one will usually find errors similar to the following in `/var/log/secure`:

```
Feb 09 12:10:50 ip-0a00dc73 sshd[2939]: input_userauth_request: invalid user ec2-user [preauth]
```

or

```
Feb 09 12:10:50 ip-0a00dc73 sshd[2939]: input_userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]
```
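As an added example (not part of the spel project), the following Python parser runs over constructed `/var/log/secure` lines modelled on the messages above and reports each public key sshd turned away because of its key type, plus any session where the rejection was followed by a password login (the fallback described above). It also accepts `PubkeyAcceptedAlgorithms`, the name OpenSSH 8.5+ uses for the same option.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of /var/log/secure lines, modelled on the two messages quoted
# above, plus a password fallback on the same session and a second rejected key type.
SAMPLE_SECURE_LOG = """\
Feb 09 12:10:50 ip-0a00dc73 sshd[2939]: input_userauth_request: invalid user ec2-user [preauth]
Feb 09 12:10:50 ip-0a00dc73 sshd[2939]: input_userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]
Feb 09 12:10:51 ip-0a00dc73 sshd[2939]: Accepted password for ec2-user from 10.0.0.5 port 51234 ssh2
Feb 09 12:11:02 ip-0a00dc73 sshd[2960]: input_userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth]
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Option name from the page, or the name OpenSSH 8.5+ uses for the same setting.
REJECT_RE = re.compile(r"input_userauth_pubkey: key type (?P<keytype>\S+) not in "
                       r"(?P<option>PubkeyAcceptedKeyTypes|PubkeyAcceptedAlgorithms)")
PASSWORD_RE = re.compile(r"^Accepted password for (?P<user>\S+)")


@dataclass
class KeyRejection:
    timestamp: str
    host: str
    pid: int
    key_type: str
    option: str


def parse_key_rejections(log_text: str) -> List[KeyRejection]:
    """One record per public key sshd rejected because of its key type."""
    found = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        r = REJECT_RE.search(m.group("msg")) if m else None
        if m and r:
            found.append(KeyRejection(m.group("ts"), m.group("host"), int(m.group("pid")),
                                      r.group("keytype"), r.group("option")))
    return found


def count_by_key_type(log_text: str) -> Dict[str, int]:
    """Number of rejections per key type, e.g. {'ssh-rsa': 1, 'ssh-dss': 1}."""
    counts: Dict[str, int] = {}
    for rej in parse_key_rejections(log_text):
        counts[rej.key_type] = counts.get(rej.key_type, 0) + 1
    return counts


def password_fallbacks(log_text: str) -> List[str]:
    """Users whose key was rejected and who then authenticated with a password
    on the same sshd session (same pid): the downgrade an admin wants to notice."""
    rejected_pids = {rej.pid for rej in parse_key_rejections(log_text)}
    users = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        p = PASSWORD_RE.match(m.group("msg")) if m else None
        if m and p and int(m.group("pid")) in rejected_pids:
            users.append(p.group("user"))
    return users
```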
Note: Keys that are rejected for login authentication typically will not be rejected for key forwarding. If one has configured key forwarding, the rejected key should still show up in the output of `ssh-keygen -l` when executed on the remote system.