All the settings are there.
It worked on Electric Eel the same way. Tried restarting ssh daemon. Tried removing and re-adding the key. Logging in with password works but obviously not ideal.
The log message is very generic:
sshd[6653]: userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
But it’s clearly allowed:
truenas_admin@x:~$ ssh -Q PubkeyAcceptedAlgorithms
ssh-ed25519
ssh-ed25519-cert-v01@openssh.com
sk-ssh-ed25519@openssh.com
sk-ssh-ed25519-cert-v01@openssh.com
ecdsa-sha2-nistp256
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521
ecdsa-sha2-nistp521-cert-v01@openssh.com
sk-ecdsa-sha2-nistp256@openssh.com
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com
webauthn-sk-ecdsa-sha2-nistp256@openssh.com
ssh-dss
ssh-dss-cert-v01@openssh.com
ssh-rsa
ssh-rsa-cert-v01@openssh.com
rsa-sha2-256
rsa-sha2-256-cert-v01@openssh.com
rsa-sha2-512
rsa-sha2-512-cert-v01@openssh.com
Any ideas?
You tried with ssh which is the client.
Try sshd -T to see the daemon configuration.
Good hint. The sshd -T did not help but at least I stopped querying the wrong service.
Turns out somehow the aux parameter I’m using is added at the end of sshd_config like this:
# These are forced to be enabled with 2FA
UsePAM yes
PrintMotd no
SetEnv LC_ALL=C.UTF-8
Match User "truenas_admin"
PasswordAuthentication yes
ChallengeResponseAuthentication yes
Match User "ABC"
PasswordAuthentication yes
ChallengeResponseAuthentication yes
# These are aux params that MUST COME LAST
# in the config. User provided "Match" blocks,
# for example, need to come AFTER the UsePam
# line. Otherwise ssh service WILL NOT START.
PubkeyAcceptedAlgorithms +ssh-rsa
This causes the PubkeyAcceptedAlgorithms to be treated as a part of user ABC’s match block.
For now, as a workaround, I added “Match All” into the SSH service config in the TrueNAS GUI, above the PubkeyAcceptedAlgorithms, which stops the match block and makes that aux parameter apply to all users. Is this a bug in how TrueNAS creates configuration(s)?
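The scoping behaviour described above, as an added example that is not part of the original thread and not TrueNAS code: a Python check that reports which users a directive applies to, given that a Match block runs until the next Match line or the end of the file. The function names are hypothetical, the sample config is constructed from the excerpt quoted in the thread, and the matcher is a simplification that only evaluates `Match all` and `Match User` with literal names.

```python
import shlex

# Constructed sample: the tail of sshd_config as quoted in the thread.
BROKEN = '''\
UsePAM yes
PrintMotd no
SetEnv LC_ALL=C.UTF-8
Match User "truenas_admin"
PasswordAuthentication yes
ChallengeResponseAuthentication yes
Match User "ABC"
PasswordAuthentication yes
ChallengeResponseAuthentication yes
# These are aux params that MUST COME LAST
PubkeyAcceptedAlgorithms +ssh-rsa
'''
# Same file with the thread's workaround: "Match All" ahead of the aux parameter.
FIXED = BROKEN.replace("PubkeyAcceptedAlgorithms", "Match All\nPubkeyAcceptedAlgorithms")


def scoped_directives(text):
    """Yield (scope, keyword, args); scope is None in the global section."""
    scope = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, *args = shlex.split(line)
        if keyword.lower() == "match":
            scope = args  # a Match block runs until the next Match or EOF
            continue
        yield scope, keyword, args


def scope_applies(scope, user):
    """Assumed simplification: only 'Match all' and 'Match User a,b' (literal names)."""
    if scope is None or [s.lower() for s in scope] == ["all"]:
        return True
    if len(scope) == 2 and scope[0].lower() == "user":
        return user in scope[1].split(",")
    return False  # other criteria (Group, Address, ...) are not evaluated here


def users_affected(text, keyword, users):
    """Return the users for whom some line setting `keyword` is in scope."""
    return [u for u in users
            if any(k.lower() == keyword.lower() and scope_applies(s, u)
                   for s, k, _ in scoped_directives(text))]
```

On a live system, `sshd -T -C user=truenas_admin` prints the effective configuration for that user with Match blocks applied.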
Interesting. You might want to report a bug there.
Quick look at the JIRA and it’s already there.
https://ixsystems.atlassian.net/browse/NAS-136853
Fair enough.