Troubleshooting the “ssh: handshake failed” Error on Ubuntu 22

A Quick and Easy Solution

If you are trying to connect to a remote server using ssh and encounter the following error message:

ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain

then the issue is most likely related to the accepted algorithms. In recent versions of Ubuntu, the ssh-rsa algorithm is not enabled by default for CA signatures or public key authentication. This is because ssh-rsa is considered to be a weak authentication algorithm that is vulnerable to attacks (the ssh-rsa signature scheme relies on the SHA-1 hash).

ssh-RSA is a public key cryptography algorithm that is based on the RSA algorithm. It is used to authenticate ssh connections and to establish secure connections between two computers. However, ssh-RSA has been shown to be vulnerable to certain types of attacks, such as man-in-the-middle attacks and dictionary attacks, which can potentially compromise the security of the connection.

As a result, newer versions of Ubuntu and other operating systems have moved away from using ssh-rsa as the default authentication algorithm and have instead adopted stronger algorithms that are less vulnerable to attacks.

The Solution

A possible fix is to add the following to the sshd_config file on the server you are connecting to.

CASignatureAlgorithms +ssh-rsa
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa

Ideally, create a new file called ssh-authentication-algorithms.conf in the /etc/ssh/sshd_config.d/ directory instead of editing sshd_config itself. The SSH daemon will automatically pick up the new configuration after it is restarted.

Restart the daemon using the following command:

sudo systemctl restart ssh

Retry the connection; the issue should be resolved.
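
To confirm that the drop-in took effect, and to see exactly which directives now accept ssh-rsa, you can check the effective configuration that `sshd -T` prints. The script below is an added example, not part of the original post; the function name find_ssh_rsa and the sample algorithm lists are constructed for illustration.

```shell
#!/bin/sh
# List which sshd directives accept the legacy ssh-rsa algorithm.
# Input: effective-config text in the format printed by `sshd -T`
# (lowercase keyword, one space, comma-separated algorithm list).
#
# pubkeyacceptedkeytypes is the pre-OpenSSH-8.5 name of
# pubkeyacceptedalgorithms; both keywords are checked.

# Print "<directive> ssh-rsa" for every exact ssh-rsa token found.
# Exact matching matters: ssh-rsa-cert-v01@openssh.com and rsa-sha2-512
# are different algorithms and must not be reported.
find_ssh_rsa() {
    awk '
        $1 == "casignaturealgorithms" ||
        $1 == "hostkeyalgorithms" ||
        $1 == "pubkeyacceptedalgorithms" ||
        $1 == "pubkeyacceptedkeytypes" {
            n = split($2, algs, ",")
            for (i = 1; i <= n; i++)
                if (algs[i] == "ssh-rsa")
                    print $1, algs[i]
        }
    '
}

# Constructed sample (shortened lists, not real sshd output). The
# ssh-rsa-cert-v01@openssh.com entry is there to exercise exact matching.
SAMPLE_DEFAULT='port 22
casignaturealgorithms ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256
hostkeyalgorithms ssh-ed25519,ssh-rsa-cert-v01@openssh.com,rsa-sha2-512
pubkeyacceptedalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256'

# Constructed sample: the same lists after the drop-in appends ssh-rsa.
SAMPLE_WITH_DROPIN='port 22
casignaturealgorithms ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa
hostkeyalgorithms ssh-ed25519,ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,ssh-rsa
pubkeyacceptedalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa'

echo "before drop-in:"
printf '%s\n' "$SAMPLE_DEFAULT" | find_ssh_rsa
echo "after drop-in:"
printf '%s\n' "$SAMPLE_WITH_DROPIN" | find_ssh_rsa

# On a live server (usually needs root to read the host keys):
#   sudo sshd -T | find_ssh_rsa
```

Empty output means none of the three algorithm lists contains ssh-rsa, so the same check can be rerun after the drop-in is removed.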

Security considerations

Here are some security considerations to keep in mind when allowing the ssh-rsa algorithm for CA signatures, host keys, and public key authentication.

As mentioned above, ssh-RSA is a public key cryptography algorithm based on the RSA algorithm. It is used to authenticate ssh connections and to establish secure connections between two computers. However, ssh-RSA has been shown to be vulnerable to certain types of attacks, such as man-in-the-middle attacks and dictionary attacks, which can potentially compromise the security of the connection.

As a result, it is generally not recommended to use ssh-rsa as the sole authentication algorithm for ssh connections. Instead, it is generally a good idea to use a stronger and more secure authentication algorithm, such as ecdsa-sha2-nistp256.

That being said, if you still want to allow the ssh-rsa algorithm for CA signatures, host keys, and public key authentication, there are a few things you can do to reduce the risk of security vulnerabilities:

  • Use strong passwords: Make sure that all passwords associated with the ssh-rsa algorithm are strong and resistant to guessing or cracking.
  • Use certificate-based authentication: Consider using certificate-based authentication, which requires a certificate authority (CA) to sign a certificate that is used to authenticate the client. This can provide an additional layer of security for the connection.
  • Enable two-factor authentication: Consider enabling two-factor authentication, which requires the user to provide an additional form of authentication, such as a code sent to their phone or a security token, in addition to their password.
  • Monitor for suspicious activity: Regularly monitor for suspicious activity on your ssh server, such as failed login attempts or unusual connections, and take appropriate action if necessary.

By following these best practices, you can help to reduce the risk of security vulnerabilities when using the ssh-rsa algorithm for ssh connections.
