Upon the first time accessing a server, how can I force SSH to give me the RSA key and automatically store it if the user approves?
Presently it is offering me the ECDSA key. Because I already know the RSA key, I would prefer to see the RSA key presented at this point.
I have tried:
ssh -o RSAAuthentication=yes user@serverUnfortunately this gives me an ECDSA key and the Are you sure you want to continue connecting (yes/no)? message.
7 Answers
By removing the ECDSA algorithms from the HostKeyAlgorithms configuration variable.
ssh -o HostKeyAlgorithms=,,,,ssh-rsa,ssh-dss user@serverI've simply removed all the ECDSA algorithms from the default list.
You can, of course, put that in your .ssh/config for that machine:
Host: server HostKeyAlgorithms ,,,,ssh-rsa,ssh-dss 1 Yes, OK switch to ECDSA soon, but in the meantime try this:
ssh -o HostKeyAlgorithms=ssh-rsa -o FingerprintHash=md5 2 Don't use RSA since ECDSA is the new default.
On the server do this:ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.puband record that number.
On the client you can SSH to the host and if and when you see that same number, you can answer the prompt Are you sure you want to continue connecting (yes/no)? affirmatively. Then the ECDSA key will get recorded on the client for future use.
I just added this line
HostKeyAlgorithms ssh-rsato
/etc/ssh/sshd_confand it's working fine in this version.
OpenSSH_7.7p2 ubuntu-4ubuntu2.2 Just to improve tumbleweed's answer which has a dead link in it for finding the old list of algorithms.
First decide on a list of algorithms. To find the old list, use ssh -vv:
ssh -vv somehostAnd look for the 2 lines like "host key algorithms: ..." where the first appears to be the server's offer, and the 2nd is the client's. Or to pick out those 2 lines automatically, try this (and to exit hit ctrl+d):
ssh -vv somehost 2>&1 | grep "host key algorithms:"Now filter it down... you should remove all the dss/dsa ones since they are long obsolete, and you also wanted to remove ecdsa (as do I), so for example if you had:
,,,,,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsaYou should end up with:
,,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsaNow edit your config. For your own config:
vim ~/.ssh/configFor the system wide config:
sudo vim /etc/ssh/ssh_configAdd a new line, either globally:
HostKeyAlgorithms ,,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsaor for a specific host (not ideal for server wide config):
Host somehost HostKeyAlgorithms ,,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsaInstead of the list I entered, paste the list you derived from the ssh -vv output, not incluing the "host key algorithms:" part.
some points are confusing as to is it possible to remove key algorithms from existing defaults - Highest level keys are New RSA-sha2/256/512 and ed25519 keys for best security using ssh-keygen -t ras -a -b 4096 -a 113 to gen. Legacy support is apparently reading ssh news that ssh1 will be totally gone - its 45bit and 96 bit max - dsa keys also depreciated also be eliminated. Its fixed on 128/1024 bit max found hackable. (poss NSA did that and lame/excuse as debug code left in- highly doubt that naming it heartbleed) so all high cost paying secure RSA key structures have to be reworked to support and keep higher standards going forward. set what keys you wish to use as described in /etc/ssh/sshd_config try doing 2 key auth 3 key works too ie: sshd_config "AuthenticationMethods publickey,publickey,publickey"- make sure ssh -Q kex listings match both A and B servers or desktops as example poss do a diff on their output - and make sure same key exhng algorithms match. ecdsa keys newer in production are also kina weak sugg not to use. or get - keyexchange refused partial access secure msg. Lots of good infoz just patient to search it.
1Or, if you insist on having the RSA key approach, you can type ssh-keygen -t rsa on the server that you intend to SSH to.
That should generate RSA public and private keys under '~/.ssh/id_rsa'. Now all you need to do is to copy the public key under $HOME/.ssh/authorized_keys of all those machines from which you intend to ssh to the machine on which you generated your RSA keys.
And then sit back and relax!
1