Looking for a working example of sshd_config setup file

Colin Watson cjwatson at ubuntu.com
Tue Aug 19 00:35:03 UTC 2025


On Mon, Aug 18, 2025 at 02:21:59PM +0100, Peter Flynn wrote:
>On 18/08/2025 14:16, Colin Law wrote:
>>What do I have to do after installing Ubuntu Desktop on machine A 
>>before I can ssh into machine B (assuming it already has ssh server 
>>working)?
>
>The only note I have is the one I posted earlier. On Machine B (the 
>target system), add these two lines to /etc/ssh/sshd_config
>
>PubkeyAcceptedKeyTypes +ssh-rsa
>HostkeyAlgorithms +ssh-rsa

I have no idea what, but something is weird about your systems, because 
this is _not_ required in general.

To test, I launched two copies of Ubuntu 24.04, and created a non-root 
user in both.  On one (the server), I installed the openssh-server 
package.  On the other (the client), I generated an RSA key and used 
ssh-copy-id to copy it to the server, initially using password 
authentication.  I was then able to use ssh to connect from the client 
to the server using public key authentication, exactly as I would 
expect.  I did not have to make any changes to the default sshd_config.

What versions of Ubuntu do you have on each end?  Is there anything else 
at all unusual about these systems?

>But others have warned that RSA is untrustworthy or obsolete,

No, it is neither untrustworthy nor obsolete.  Technical details follow, 
although most people who are just using ssh in the obvious ways should 
not need to know them.

The problem is only the SHA-1 hash algorithm used in combination with 
RSA (which is confusingly called "ssh-rsa" in SSH protocol-speak; I 
guess the original protocol authors didn't think ahead quite far 
enough).  RSA keys are fine when used with stronger hash algorithms, 
which is what the "rsa-sha2-512" and "rsa-sha2-256" signature algorithms 
mean.

This is not normally something OpenSSH users need to think about.  
Support for rsa-sha2-* was added in OpenSSH 7.2, which is in everything 
from Ubuntu 16.04 onwards.  As far as I know, to have a problem, you'd 
have to be trying to connect from OpenSSH < 7.2 (say, Ubuntu 14.04) to 
OpenSSH >= 8.8 (say, Ubuntu 22.04), or to be using something other than 
OpenSSH on the client side that hasn't been upgraded or that hasn't 
closely tracked improvements in the SSH protocol.

This is all documented in https://www.openssh.com/releasenotes.html#8.8, 
which I essentially copied into 
/usr/share/doc/openssh-client/NEWS.Debian.gz in the entry under 
1:8.8p1-1.  To the best of my knowledge, it's accurate.

-- 
Colin Watson (he/him)                              [cjwatson at ubuntu.com]
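
The naming point made above (one RSA key type, three signature algorithms that differ only in the hash), as an added example that is not part of the original message. It assumes a constructed toy key built from two Mersenne primes, a message standing in for the data SSH really signs, and a hypothetical `accepted` set standing in for the server's accepted-algorithm list.

```python
import hashlib
import struct

# Constructed toy key for illustration only: two Mersenne primes give a
# valid but completely insecure RSA modulus. Never use this for real keys.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes

# RFC 8332 signature algorithm name -> (hash, DER DigestInfo prefix, RFC 8017)
SIG_ALGS = {
    "ssh-rsa":      ("sha1",   "3021300906052b0e03021a05000414"),
    "rsa-sha2-256": ("sha256", "3031300d060960864801650304020105000420"),
    "rsa-sha2-512": ("sha512", "3051300d060960864801650304020305000440"),
}

def ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

def ssh_mpint(value: int) -> bytes:
    # Positive mpint: big-endian, with a leading zero byte if the top bit is set.
    return ssh_string(value.to_bytes(value.bit_length() // 8 + 1, "big"))

def public_key_blob() -> bytes:
    # The key type is always "ssh-rsa", whichever hash is later used to sign.
    return ssh_string(b"ssh-rsa") + ssh_mpint(E) + ssh_mpint(N)

def emsa_pkcs1_v15(alg: str, message: bytes) -> bytes:
    hash_name, prefix = SIG_ALGS[alg]
    t = bytes.fromhex(prefix) + hashlib.new(hash_name, message).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def sign(alg: str, message: bytes) -> bytes:
    # Same private key every time; only the hash and the algorithm name change.
    em = int.from_bytes(emsa_pkcs1_v15(alg, message), "big")
    sig = pow(em, D, N).to_bytes(K, "big")
    return ssh_string(alg.encode()) + ssh_string(sig)

def verify(sig_blob: bytes, message: bytes, accepted: set) -> bool:
    # 'accepted' is a hypothetical stand-in for the server's accepted algorithms.
    n = struct.unpack(">I", sig_blob[:4])[0]
    alg = sig_blob[4:4 + n].decode()
    if alg not in accepted:
        return False  # e.g. an SHA-1 "ssh-rsa" signature offered to a server that no longer lists it
    em = pow(int.from_bytes(sig_blob[8 + n:], "big"), E, N).to_bytes(K, "big")
    return em == emsa_pkcs1_v15(alg, message)
```

With `accepted = {"rsa-sha2-256", "rsa-sha2-512"}`, the unchanged RSA key still authenticates; only a signature labelled "ssh-rsa" is refused.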


