Unsupported public key authentication algorithm SshRsa (ssh-rsa)? Here's how to fix it.

As every good System Administrator already knows, an extremely interesting research paper published in 2023 by Keegan Ryan, Kaiwen He, George A. Sullivan, and Nadia Heninger, mathematically proved yet another weakness with RSA keys, which are often used as host keys by/for SSH/SFTP servers, or to authenticate SSH users via PKI.

For such reason, starting from Syncplify Server! v6.2.26 the ssh-rsa algorithm is no longer among the default active ones. Please understand that we have done so to protect our customers and users and ensure that we can keep the reputation we earned in the last decade as the only enterprise-grade SSH/SFTP server on the market that's never been hacked.

Yet, more often than we thought, we receive emails and support tickets informing us that some SSH/SFTP clients attempting to connect to our server software are receiving an error message like this: "Unsupported public key authentication algorithm SshRsa (ssh-rsa)". So, what to do about it?

Well, there are two roads you can follow, one that is formally and actually correct and ensures your server's safety and security, and one that works but weakens the overall safety and security of your server for every one of your users. Let's explore them both.

The correct way to fix this

The only correct way to fix this is to ditch RSA keys completely. They should appear absolutely nowhere in your server's configuration, no RSA host key, no RSA keys to authenticate your users, and no ssh-rsa host-key or PKI algorithm enabled. Then configure all of your clients to use alternative algorithms (Ed25519 is strongly recommended) when they connect to your server. Yes, it's a hassle and it requires a lot of reconfigurations of a lot of moving parts, but no effort is too big compared to the cost (legal, monetary, and material) of being hacked.

The quick-and-dirty (and insecure) way to fix this

You can, of course, keep your RSA keys (host key and user keys) and enable the ssh-rsa algorithm in your server as shown in the screenshot here below:

Please keep in mind that any change to the security algorithms of your SSH/SFTP server will only take effect after you restart your Virtual Site from the SuperAdmin UI.

WARNING: While we offer this option for your convenience, it’s important to understand that it does not provide the same level of security as our recommended approach. Syncplify cannot be held responsible for any security breaches that may occur as a result of using this option. We strongly advise selecting the secure option to protect your system, users and data.

How to be notified of new releases

Setup on Windows (GUI)

Setup on Windows (CLI)

Setup on Linux

Updating/upgrading Syncplify Server!: the general rule

Upgrading from v4/v5 to v6

How to move/migrate your software to a different machine/VM

How to recover (decrypt) old v4/v5 encrypted VFSs

High-Availability (HA) general concepts

High-Availability (HA): how to setup

Licensing and license codes: a complete overview

How to fix "Invalid OTP" error during setup

Where is the manual?

Using network shares (UNC paths) with Syncplify Server! v6+ on Windows

Using network shares (UNC paths) with Syncplify Server! v6+ on Linux

How to backup your Syncplify.me Server! v4/v5

Insecure warning in your browser? It might be OK...

Virtual File System (VFS) Encryption

Overriding permissions on folders/directories

How to change a SuperAdmin password

How to reset the SuperAdmin (SA) password in v4/v5

How to disable 2FA for a SuperAdmin account

How to auto-fix problems with the Web/REST system service

True 2FA/MFA over SSH2/SFTP via keyboard-interactive authentication and Google Authenticator

How to use the SFTP Virtual File System (VFS)

How to use the S3 Virtual File System (VFS)

How to use the Azure blob storage Virtual File System (VFS)

How to use Google cloud platform's object storage Virtual File System (VFS)

How does the block-list (Protector!) work?

Block-list, allow-list, and safe-list

Authenticating users via PKI

Customizing SFTP and FTP(E/S) greetings and banners

How to override permissions on subfolders inside the user’s Home VFS

FATAL ERROR: Connection reset by peer (could not connect to server)

Virtual File Systems (VFS) with quotas

Solved: insecure FTP data connection (TLS session resumption)

Parametric home directories (VFS)

Cannot connect: "unexpected message type 30 (expected one of [34])" reason found in log file

How to backup your Syncplify Server!'s database

Unsupported public key authentication algorithm SshRsa (ssh-rsa)? Here's how to fix it.

How to email a list of uploaded files

VFS.ImportFile and VFS.ExportFile

Preventing upload of EXE files

No, we are not affected by Log4j vulnerability (CVE-2021-44228)

How Syncplify.me Server! prevents SSHPsycho attacks

W3C log file format and UTC timestamps

Firewalls and FTP external IP address for PASV

Where do I download the old v4/v5 installers?

Why PGP is an extremely bad choice for a file server's at-rest encryption, and how to do it right

Unsupported public key authentication algorithm SshRsa (ssh-rsa)? Here's how to fix it.

The correct way to fix this

The quick-and-dirty (and insecure) way to fix this