Looking for a working example of sshd_config setup fille

[Robert Moskowitz]

On 8/18/25 9:21 AM, Peter Flynn wrote:
> On 18/08/2025 14:16, Colin Law wrote:
> [...]
>
>> What do I have to do after installing Ubuntu Desktop on machine A 
>> before I can ssh into machine B (assuming it already has ssh server 
>> working)?
>
> The only note I have is the one I posted earlier. On Machine B (the 
> target system), add these two lines to /etc/ssh/sshd_config
>
> PubkeyAcceptedKeyTypes +ssh-rsa
> HostkeyAlgorithms +ssh-rsa
>
> But others have warned that RSA is untrustworthy or obsolete, so I am 
> assuming that while this may work, it is not optimal, and there may be 
> some other step required on new systems.

If you have to access via an old system that MUST use RSA, then, yes 
this is what you do  Or access an old system.

Otherwise, use either ECDSA or EdDSA.  Your ssh client can gen up a key 
for either.

Pretty much all current implementations now have ECDSA safe from 
sidechannel and other attacks.
EdDSA is better over constrained networks and is my preferred ECC.

I have extensive experience with various symmetric and asymmetric 
algorithms, working in the IETF.  I refer to myself as a crypto-plumber 
and the real crypto people get a chuckle from that. My job is to take 
their work and use it.  You can see my current work in the IETF DRIP 
workgroup.  My constrained certificates are in the ICAO CP for aviation 
use over constrained networks.  I am contributing to the work there for 
authenticating GPS messaging (ADS-B auth is a bit of a food fight 
still).  So if you want opinions on various crypto I have lots of those.  ;)

Oh, I have mixed feelings on PostQuantumCrypto (PQC).  None of the 
current selections are viable for constrained networking; NIST is 
working on this.  The selected algorithms are causing a pain in the 
(well you know) wrt to the size hit on packets and what we have to do 
even for TLS over fat pipes.