Hi,

I thought I could further restrict my sshd_config regarding PubkeyAcceptedAlgorithms. I've one user where I can't use another key type than rsa. I added a `Match User whatever` and since I wasn't sure about which thingy I needed from `ssh -Q PubkeyAcceptedAlgorithms | grep rsa | grep -v cert`, I put an unrelated algo with PubkeyAcceptedAlgorithms and checked the logs.

It said "userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]".

I replaced the PubkeyAcceptedAlgorithms setting, except it still didn't work. Eventually, I tried them one by one and found out rsa-sha2-512 is the one I needed. It's unfortunate the log doesn't give the right one.

I went into the code to check. In sshkey.c there is

```c
{ "ssh-rsa", "RSA", NULL, KEY_RSA, 0, 0, 0 },
{ "rsa-sha2-256", "RSA", NULL, KEY_RSA, 0, 0, 1 },
{ "rsa-sha2-512", "RSA", NULL, KEY_RSA, 0, 0, 1 },
```

Since they all share "KEY_RSA", I assume there's no way to differentiate one 'subtype' vs another?

(I'm using -current but I doubt it matters).

Cheers,
Daniel
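
Added example, not part of the original post and not OpenSSH's own code: a simplified C model of the table excerpt above, showing how the log can name the key type (ssh-rsa) while the setting that worked names a signature algorithm (rsa-sha2-512). RFC 8332 defines rsa-sha2-256 and rsa-sha2-512 as signature algorithms for keys whose type name remains ssh-rsa. The struct layout, the `sigonly` field name, the helper functions and the exact-match list check are assumptions made for illustration; the ssh-ed25519 row and the accepted list in `main` are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model (assumption): sigonly = 1 marks a name that is only a
 * signature algorithm, never the name of a key type. */
enum { KEY_RSA, KEY_ED25519 };
struct keytype { const char *name; int type; int sigonly; };

static const struct keytype keytypes[] = {
    { "ssh-ed25519",  KEY_ED25519, 0 },   /* constructed row for contrast */
    { "ssh-rsa",      KEY_RSA,     0 },
    { "rsa-sha2-256", KEY_RSA,     1 },
    { "rsa-sha2-512", KEY_RSA,     1 },
};
#define NKEYTYPES (sizeof(keytypes) / sizeof(keytypes[0]))

/* Exact-match membership in a comma-separated list (no wildcard support). */
static int in_list(const char *alg, const char *list)
{
    size_t n = strlen(alg);
    for (const char *p = list; *p != '\0'; ) {
        size_t len = strcspn(p, ",");
        if (len == n && strncmp(p, alg, n) == 0)
            return 1;
        p += len;
        if (*p == ',')
            p++;
    }
    return 0;
}

/* Name of the key itself: the first non-sigonly row for this type. */
static const char *key_type_name(int type)
{
    for (size_t i = 0; i < NKEYTYPES; i++)
        if (keytypes[i].type == type && !keytypes[i].sigonly)
            return keytypes[i].name;
    return "unknown";
}

/* Print each signature algorithm a key of `type` could sign with and
 * return how many of them the accepted list allows. */
static int usable_sigalgs(int type, const char *accepted)
{
    int n = 0;
    for (size_t i = 0; i < NKEYTYPES; i++) {
        if (keytypes[i].type != type)
            continue;
        int ok = in_list(keytypes[i].name, accepted);
        printf("%-13s %s\n", keytypes[i].name, ok ? "accepted" : "rejected");
        n += ok;
    }
    return n;
}

int main(void)
{
    const char *accepted = "rsa-sha2-512";   /* constructed Match-block value */
    printf("key type name: %s\n", key_type_name(KEY_RSA));
    return usable_sigalgs(KEY_RSA, accepted) == 1 ? 0 : 1;
}
```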