When attempting to use SSH-RSA keys on CentOS 9 Stream, you'll encounter two distinct error phases:
# First error: Algorithm negotiation fails
debug1: send_pubkey_test: no mutual signature algorithm
# Second error: Cryptographic operation fails
debug1: identity_sign: sshkey_sign: error in libcrypto
CentOS 9 Stream ships with OpenSSH 8.7+, which disables ssh-rsa by default because of SHA-1 vulnerabilities. The deeper libcrypto error occurs because Red Hat hardened its OpenSSL policies to reject weak cryptographic operations at the library level.
For CI systems where you control both endpoints, here's a comprehensive solution:
# 1. Add a per-host entry to your SSH config (append, so an existing file is not clobbered)
cat << 'EOF' >> ~/.ssh/config
Host legacy-git-server
    HostName git.example.com
    User git
    IdentityFile ~/.ssh/legacy_rsa_key
    # Re-enable SHA-1 RSA for this host only, for user auth and for the host key
    PubkeyAcceptedAlgorithms +ssh-rsa
    HostKeyAlgorithms +ssh-rsa
    # Only matters if the server uses SSH certificates signed by an RSA CA; harmless otherwise.
    # None of these lines fixes the libcrypto error on their own, that needs step 2.
    CASignatureAlgorithms +ssh-rsa
EOF
chmod 600 ~/.ssh/config
# 2. Relax the system-wide crypto policy (requires root)
sudo update-crypto-policies --set LEGACY
# OR, narrower: keep DEFAULT and only re-enable SHA-1 signatures with the shipped SHA1 subpolicy
sudo update-crypto-policies --set DEFAULT:SHA1
# Either setting applies to newly started processes, so the next ssh invocation picks it up
# 3. Verify the SSH connection
ssh -Tv legacy-git-server
For Docker containers in CI pipelines, include these in your Dockerfile:
FROM quay.io/centos/centos:stream9
# openssh-clients for ssh itself; crypto-policies-scripts provides update-crypto-policies
RUN dnf install -y openssh-clients crypto-policies-scripts && dnf clean all
COPY legacy_rsa_key /root/.ssh/
RUN chmod 700 /root/.ssh && chmod 600 /root/.ssh/legacy_rsa_key
# Scope the SHA-1 exception to the one host the pipeline actually needs (~/.ssh/config is read before /etc/ssh/ssh_config)
RUN printf 'Host git.example.com\n    PubkeyAcceptedAlgorithms +ssh-rsa\n    HostKeyAlgorithms +ssh-rsa\n' > /root/.ssh/config
# DEFAULT:SHA1 is the narrower alternative if only SHA-1 signatures need re-enabling
RUN update-crypto-policies --set LEGACY
While this makes SSH-RSA work, consider these security measures:
- Restrict the legacy configuration to specific hosts
- Use separate keys for legacy systems
- Monitor for unusual access patterns
- Plan migration to ED25519 or RSA-SHA256
For temporary workarounds without system-wide changes:
ssh -oPubkeyAcceptedAlgorithms=+ssh-rsa \
    -oHostKeyAlgorithms=+ssh-rsa \
    -oCASignatureAlgorithms=+ssh-rsa \
    -i legacy_key git@server
# Affects only this invocation; the active crypto policy must still permit SHA-1 signing
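Before editing any ssh_config it is worth confirming that the second phase really is libcrypto refusing to produce a SHA-1 signature, rather than a client-side algorithm filter. The following is an added example, not code from the answer above: an ssh-rsa user-auth signature is an RSA signature over SHA-1, so the probe asks OpenSSL (the libcrypto OpenSSH links against) to make exactly that with a throwaway key. The result tokens, the `explain_probe` helper and its policy-name argument are this example's own conventions; the behaviour it expects under DEFAULT versus DEFAULT:SHA1/LEGACY is the one the answer above describes for CentOS 9.

```sh
#!/bin/sh
# Added example, not code from the answer above: reproduce the phase-2 failure
# ("sshkey_sign: error in libcrypto") without ssh. An ssh-rsa user-auth signature
# is an RSA signature over SHA-1, so we ask OpenSSL, the libcrypto OpenSSH links
# against, to make exactly that with a throwaway key. Under the CentOS 9 DEFAULT
# policy it is refused; under DEFAULT:SHA1 or LEGACY it succeeds.

# Prints one of: allowed | blocked | unknown (no usable openssl on this box)
sha1_rsa_sign_probe() {
    command -v openssl >/dev/null 2>&1 || { echo unknown; return 0; }
    dir=$(mktemp -d) || { echo unknown; return 0; }
    # Throwaway 2048-bit key; your real SSH keys are never touched.
    if ! openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$dir/probe.pem" >/dev/null 2>&1; then
        rm -rf "$dir"; echo unknown; return 0
    fi
    printf 'ssh-rsa signature probe' > "$dir/msg"
    if openssl dgst -sha1 -sign "$dir/probe.pem" -out "$dir/sig" "$dir/msg" \
            >/dev/null 2>&1; then
        result=allowed
    else
        result=blocked
    fi
    rm -rf "$dir"
    echo "$result"
}

# Turn the probe result plus the policy name (what `update-crypto-policies --show`
# prints) into the next step. The tokens are this example's own:
#   fix-ssh-config  : libcrypto signs SHA-1 fine, so a remaining ssh failure is
#                     phase 1 (PubkeyAcceptedAlgorithms), not the library
#   relax-policy    : libcrypto refuses SHA-1 under this policy; DEFAULT:SHA1 is
#                     the narrowest change that fixes phase 2
#   policy-override : refused although the policy should allow it; look for a
#                     stray openssl.cnf / OPENSSL_CONF override
#   unprobeable     : openssl missing, nothing learned
explain_probe() {
    p=$1; pol=$2
    case "$p" in
        allowed) echo fix-ssh-config ;;
        blocked)
            case ":$pol:" in
                :LEGACY:*|*:SHA1:*) echo policy-override ;;
                *)                  echo relax-policy ;;
            esac ;;
        *)       echo unprobeable ;;
    esac
}

# Run it. On a CentOS 9 host pass the real policy name instead of the placeholder:
#   explain_probe "$(sha1_rsa_sign_probe)" "$(update-crypto-policies --show)"
outcome=$(sha1_rsa_sign_probe)
echo "SHA-1 RSA signing via libcrypto: $outcome"
echo "next step if the policy is DEFAULT: $(explain_probe "$outcome" DEFAULT)"
```

If the probe says `blocked` on a box whose policy is DEFAULT, no amount of `PubkeyAcceptedAlgorithms` tweaking will help; only the policy (or the server accepting rsa-sha2-*) fixes it. If it says `allowed` and ssh still fails, the problem is back in phase 1.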
CentOS 9 Stream's OpenSSH packages ship with strict crypto policies that disable SHA-1 signed RSA keys by default. This causes authentication failures when connecting to legacy systems that haven't migrated to modern key types. The error manifests in two distinct phases:
# Phase 1: Algorithm negotiation failure
debug1: send_pubkey_test: no mutual signature algorithm
# Phase 2: Libcrypto rejection after manual override
debug1: identity_sign: sshkey_sign: error in libcrypto
CentOS 9 uses update-crypto-policies to enforce FIPS-mode restrictions. Temporarily relaxing these for SSH:
sudo update-crypto-policies --set DEFAULT:SHA1
# Verify the change took effect (new processes pick it up, so a fresh ssh is enough)
update-crypto-policies --show
# ssh-rsa should now be listed again in the OpenSSH client back-end
grep ssh-rsa /etc/crypto-policies/back-ends/openssh.config
This modifies system-wide OpenSSL configurations to permit SHA-1 signatures while maintaining other security constraints.
For targeted compatibility without system policy changes, create ~/.ssh/config with:
Host legacy-git.example.com
    HostName git.example.com
    User git
    IdentityFile ~/.ssh/legacy_rsa_key
    PubkeyAcceptedAlgorithms +ssh-rsa
    # Append rather than replace, so a server that also offers rsa-sha2-* host keys still gets them
    HostKeyAlgorithms +ssh-rsa,ssh-rsa-cert-v01@openssh.com
    # Only relevant when the host key or user key is a certificate signed by an RSA CA
    CASignatureAlgorithms +ssh-rsa
Test the connection with verbose output to confirm successful negotiation:
ssh -vvv -oPreferredAuthentications=publickey \
-oPasswordAuthentication=no \
git@legacy-git.example.com
Successful authentication should show:
debug1: Offering public key: ~/.ssh/legacy_rsa_key RSA SHA1:AB...12 explicit
debug1: Server accepts key: ~/.ssh/legacy_rsa_key RSA SHA1:AB...12 explicit
debug1: Authentication succeeded (publickey)
For CI containers where system policy modification isn't feasible, pre-load the modified OpenSSH configuration:
FROM quay.io/centos/centos:stream9
RUN dnf install -y openssh-clients crypto-policies-scripts && dnf clean all
# Name sorts before 50-redhat.conf: ssh keeps the first value it reads for an option
RUN printf 'HostKeyAlgorithms +ssh-rsa\nPubkeyAcceptedAlgorithms +ssh-rsa\n' > /etc/ssh/ssh_config.d/10-legacy-rsa.conf
# The image's own crypto policy must also permit SHA-1 signing, or sshkey_sign still fails in libcrypto
RUN update-crypto-policies --set DEFAULT:SHA1
This provides container-level compatibility without host system modifications.
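Both answers end with "run ssh -v and look at the output", but neither says how to read it to decide which workaround, if any, is needed. The key fact is that an RSA key is not inherently a SHA-1 key: if the server advertises rsa-sha2-256 or rsa-sha2-512 in its server-sig-algs extension, the same key authenticates with a SHA-2 signature and nothing has to be relaxed; only a server that offers ssh-rsa alone (or sends no server-sig-algs at all, in which case the OpenSSH client falls back to the key's base name, ssh-rsa) forces the SHA-1 path. The script below is an added example, not code from either answer: it parses a saved `ssh -vvv` transcript for that extension, checks it against the policy name from `update-crypto-policies --show`, and emits one action token. The transcripts, the hostnames and the tokens are constructed for the demo.

```sh
#!/bin/sh
# Added example (not from either answer above): triage the two failure phases
# offline from a saved `ssh -vvv` transcript plus the active crypto policy name.
# Transcripts and hostnames below are constructed for the demo.

# Print the server-sig-algs list the server advertised (empty if it sent none).
server_sig_algs() {
    sed -n 's/.*server-sig-algs=<\([^>]*\)>.*/\1/p' "$1" | head -n 1
}

# What can the server accept for an RSA key?
#   rsa-sha2  : SHA-2 RSA signatures accepted; keep the key, nothing to relax
#   sha1-only : only ssh-rsa usable (also when no server-sig-algs is advertised,
#               because the client then falls back to the key's base name, ssh-rsa)
#   no-rsa    : RSA not accepted at all; the fix is a different key type
classify_rsa_support() {
    algs=$(server_sig_algs "$1")
    [ -n "$algs" ] || { echo sha1-only; return 0; }
    case ",$algs," in
        *,rsa-sha2-256,*|*,rsa-sha2-512,*) echo rsa-sha2 ;;
        *,ssh-rsa,*)                       echo sha1-only ;;
        *)                                 echo no-rsa ;;
    esac
}

# Does the named policy (output of `update-crypto-policies --show`) allow
# SHA-1 signatures? LEGACY does; DEFAULT/FUTURE only with the SHA1 subpolicy.
policy_allows_sha1() {
    case ":$1:" in
        :LEGACY:*|*:SHA1:*) return 0 ;;
        *)                  return 1 ;;
    esac
}

# Combine both into one action token for the CI job (tokens are this example's own):
#   no-change    : offer the RSA key as-is; rsa-sha2-* will be negotiated
#   policy-ok    : policy already permits SHA-1 (its OpenSSH back-end re-adds ssh-rsa);
#                  if ssh still fails, look at per-host PubkeyAcceptedAlgorithms
#   relax-policy : phase 2 will hit libcrypto; needs DEFAULT:SHA1 or a server-side fix
#   new-key-type : RSA is not the problem, the server wants another key type
recommend() {
    case $(classify_rsa_support "$1") in
        rsa-sha2)  echo no-change ;;
        sha1-only) if policy_allows_sha1 "$2"; then echo policy-ok; else echo relax-policy; fi ;;
        no-rsa)    echo new-key-type ;;
    esac
}

# Demo on three constructed transcripts (only the relevant debug1 line is kept).
demo_dir=$(mktemp -d)
printf 'debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512>\n' > "$demo_dir/modern.log"
printf 'debug1: kex_input_ext_info: server-sig-algs=<ssh-rsa,ssh-dss>\n' > "$demo_dir/legacy.log"
printf 'debug1: SSH2_MSG_NEWKEYS received\n' > "$demo_dir/old.log"
for f in modern legacy old; do
    printf '%-6s DEFAULT -> %s   DEFAULT:SHA1 -> %s\n' "$f" \
        "$(recommend "$demo_dir/$f.log" DEFAULT)" \
        "$(recommend "$demo_dir/$f.log" DEFAULT:SHA1)"
done
rm -rf "$demo_dir"
```

On a real host, capture the transcript with `ssh -vvv git@host 2> ssh.log` and run `recommend ssh.log "$(update-crypto-policies --show)"`. A `no-change` result means the CI job is about to weaken its crypto policy for nothing; the server already accepts the key with a SHA-2 signature, and the failure is elsewhere (wrong key offered, known_hosts, user mapping).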