How can I force SSH to give an RSA key instead of ECDSA?

Upon the first time accessing a server, how can I force SSH to give me the RSA key and automatically store it if the user approves?

Presently it is offering me the ECDSA key. Because I already know the RSA key, I would prefer to see the RSA key presented at this point.

I have tried:

ssh -o RSAAuthentication=yes user@server

Unfortunately this gives me an ECDSA key and the "Are you sure you want to continue connecting (yes/no)?" message.


By removing the ECDSA algorithms from the HostKeyAlgorithms configuration variable.

ssh -o HostKeyAlgorithms=[email protected],[email protected],[email protected],[email protected],ssh-rsa,ssh-dss user@server

I've simply removed all the ECDSA algorithms from the default list.

You can, of course, put that in your .ssh/config for that machine:

Host server
    HostKeyAlgorithms [email protected],[email protected],[email protected],[email protected],ssh-rsa,ssh-dss

Yes, OK switch to ECDSA soon, but in the meantime try this:

ssh -o HostKeyAlgorithms=ssh-rsa -o FingerprintHash=md5 [email protected]

Don't use RSA since ECDSA is the new default.

On the server do this: ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub and record that number.

On the client you can SSH to the host and if and when you see that same number, you can answer the prompt "Are you sure you want to continue connecting (yes/no)?" affirmatively. Then the ECDSA key will get recorded on the client for future use.


I just added this line

HostKeyAlgorithms ssh-rsa

to

/etc/ssh/sshd_conf

and it's working fine in this version.

OpenSSH_7.7p2 ubuntu-4ubuntu2.2

Just to improve tumbleweed's answer which has a dead link in it for finding the old list of algorithms.

First decide on a list of algorithms. To find the old list, use ssh -vv:

ssh -vv somehost

And look for the 2 lines like "host key algorithms: ..." where the first appears to be the server's offer, and the 2nd is the client's. Or to pick out those 2 lines automatically, try this (and to exit hit ctrl+d):

ssh -vv somehost 2>&1 | grep "host key algorithms:"

Now filter it down... you should remove all the dss/dsa ones since they are long obsolete, and you also wanted to remove ecdsa (as do I), so for example if you had:

[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa

You should end up with:

[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa

Now edit your config. For your own config:

vim ~/.ssh/config

For the system wide config:

sudo vim /etc/ssh/ssh_config

Add a new line, either globally:

HostKeyAlgorithms [email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa

or for a specific host (not ideal for server wide config):

Host somehost
    HostKeyAlgorithms [email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa

Instead of the list I entered, paste the list you derived from the ssh -vv output, not including the "host key algorithms:" part.
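
The filtering step from the last answer, as an added example that is not part of any answer above: it reads `ssh -vv` output, drops the ECDSA and DSA/DSS entries from a "host key algorithms:" line, and prints a ready-to-paste `Host` block. The function names, the `somehost` alias and the sample debug lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: build a HostKeyAlgorithms value from "ssh -vv" debug output.

# Constructed sample of the two "host key algorithms:" lines that ssh -vv prints.
# In real use, pipe in:  ssh -vv somehost 2>&1 </dev/null
SAMPLE_DEBUG='debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519'

# filter_hostkey_algs [N]
# Reads debug output on stdin, takes the Nth "host key algorithms:" line
# (default: first), and prints its comma-separated list with every ecdsa-*
# and ssh-dss* entry removed, certificate variants included. Order is kept,
# because ssh tries the algorithms in the order listed.
filter_hostkey_algs() {
    sed -n 's/^.*host key algorithms: *//p' |
        sed -n "${1:-1}p" |
        tr -d '\r' |
        tr ',' '\n' |
        grep -v -e '^ecdsa-' -e '^ssh-dss' -e '^$' |
        paste -s -d , -
}

# hostkey_stanza HOST [N]
# Prints an ssh_config block for HOST using the filtered list.
# Returns 1 when filtering leaves nothing, so an empty HostKeyAlgorithms
# line is never written into a config file.
hostkey_stanza() {
    algs=$(filter_hostkey_algs "${2:-1}")
    if [ -z "$algs" ]; then
        echo "no host key algorithms left after filtering" >&2
        return 1
    fi
    printf 'Host %s\n    HostKeyAlgorithms %s\n' "$1" "$algs"
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_DEBUG" | hostkey_stanza somehost
```

Review the printed block before appending it to ~/.ssh/config; an algorithm the server does not offer is harmless in the list, but a list with no algorithm in common with the server makes the connection fail.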