I’m working with a remote Linux host running Ubuntu 24.
Following an online tutorial, I was able to successfully SSH into the remote host using a private key file from Git Bash with the following command:
$ ssh [email protected] -i .ssh/id_rsa
However, when I try using the same command and private key file in XShell, I get the error: “The selected user key is not registered on the remote host. Please try again.”
Upon checking the SSH log file /var/log/auth.log, I found the following message:
userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
This indicates that the SSH service on the remote host rejected the SSH-RSA public key signature algorithm during authentication, likely because it has been disabled in the remote host’s configuration.
The reason it worked in Git Bash but not in XShell is likely because Git Bash uses a newer version of the OpenSSH client that supports alternative signature algorithms (like rsa-sha2-256 or rsa-sha2-512). On the other hand, XShell may still rely on the ssh-rsa signature algorithm due to its default configuration or older client version, which results in the authentication failure.
Starting from OpenSSH 8.8, the ssh-rsa algorithm is considered insecure, and some server configurations (like Ubuntu 24) disable it by default. In this case, the PubkeyAcceptedAlgorithms configuration on the remote host may have disabled ssh-rsa, only accepting more secure algorithms such as rsa-sha2-256 or rsa-sha2-512.
To check my remote Linux host’s OpenSSH version, I ran:
$ sshd -V
OpenSSH_9.6p1 Ubuntu-3ubuntu13.5, OpenSSL 3.0.13 30 Jan 2024
It turned out to be OpenSSH 9.6.
This version of OpenSSH supports more secure public/private key pairs generated with the ECDSA (Elliptic Curve Digital Signature Algorithm). To fix the issue with XShell, I decided to regenerate a new key pair using the ECDSA algorithm. XShell provides a “New User Key Generation Wizard” under the “Tools (T)” menu to do this.
Alternative Solution: Allow ssh-rsa Algorithm (if the remote host allows it)
If you have control over the remote host, you can allow the ssh-rsa algorithm by modifying the SSH configuration file /etc/ssh/sshd_config on the remote host. Here’s how you can do it:
1 Open the SSH configuration file:
sudo vim /etc/ssh/sshd_config
2 Find and add (or modify) the following line to allow ssh-rsa:
PubkeyAcceptedAlgorithms +ssh-rsa
3 Restart the SSH service:
sudo systemctl restart ssh
If you’re using CentOS, restart sshd instead:
sudo systemctl restart sshd
Other Causes for the Error “The Selected User Key is Not Registered on the Remote Host” or “Server Refused the User Key”
1 Incorrect directory or file permissions: Ensure that the permissions for the .ssh directory and the authorized_keys file are set correctly:
chmod 700 .ssh
chmod 600 .ssh/authorized_keys
Also, ensure that authorized_keys is owned by the correct user:
chown ubuntu:ubuntu .ssh/authorized_keys
2 Incorrect key: Make sure the authorized_keys file on the server contains the public key (usually ending with .pub), not the private key.
3 SSH key authentication not enabled: The configuration file /etc/ssh/sshd_config should have the following line and it should not be commented out:
PubkeyAuthentication yes
4 Username and key mismatch: If the key is in /home/debian/.ssh/ (for the debian user), but you’re trying to log in as ubuntu, authentication will fail.
5 Root login is disabled: If /etc/ssh/sshd_config has PermitRootLogin no, you won’t be able to log in as root.
6 SELinux is enabled: Run getenforce to check the status of SELinux. The status should be Permissive, not Enforcing. Temporarily disable SELinux with:
setenforce 0
To permanently disable SELinux, edit the /etc/sysconfig/selinux file and change SELINUX=enforcing to SELINUX=disabled.
7 Incorrect authorized_keys filename: If the line in /etc/ssh/sshd_config is:
# AuthorizedKeysFile .ssh/authorized_keys
but your .ssh directory contains a file named authorized_key, you should rename it to authorized_keys.
