Insight Discovery: Using correct key for SFTP_RSA Export type

Platform Notice: Cloud, Server, and Data Center - This article applies equally to all platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

When you configure the Discovery tool or Collector with the export type SFTP_RSA, you may need to generate a key with the ssh-keygen command. If the target system doesn't accept the key's algorithm, you could encounter an error similar to this one in the target's sshd log:

Jul 07 11:42:34 <hostname> sshd[5626]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]

Environment

Discovery 3.1.2 and later

Cause

To export the Discovery scan results using SFTP_RSA, you need to create the key with the ssh-keygen command. To do this, use the following:

ssh-keygen -t rsa -m PEM

You may encounter the following error if the key's algorithm isn't accepted by the target system. In this scenario, the error appears because the target doesn't accept the ssh-rsa algorithm.

Jul 07 11:42:34 <hostname> sshd[5626]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]

Solution

Discovery uses the latest version of the SSH.NET library. Check the list of supported host key algorithms:

  • ssh-ed25519
  • ecdsa-sha2-nistp256
  • ecdsa-sha2-nistp384
  • ecdsa-sha2-nistp521
  • ssh-rsa
  • ssh-dss

So, if the ssh-rsa algorithm isn't supported, you should use any of the other supported algorithms to generate a new key. For example, you can use the following command:

ssh-keygen -t ed25519 -m PEM
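
The script below is an added example, not part of the original article or of Atlassian's tooling. It extracts the rejected key type from sshd log lines like the one shown above, then picks ssh-keygen arguments for the first algorithm in the supported list that the target accepts. The function names and the sample server list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Atlassian's code). Sample inputs below are constructed.

# Read sshd log lines on stdin; print each key type the server refused.
rejected_key_types() {
    sed -n 's/.*userauth_pubkey: key type \([^ ]*\) not in PubkeyAcceptedAlgorithms.*/\1/p' | sort -u
}

# $1: the target's comma-separated PubkeyAcceptedAlgorithms value.
# Prints ssh-keygen arguments for the first algorithm from the article's
# list that the target accepts; returns 1 if none matches.
# ssh-dss is skipped on purpose: DSA is legacy and recent OpenSSH drops it.
keygen_args_for() {
    accepted=",$1,"
    for alg in ssh-ed25519 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 \
               ecdsa-sha2-nistp521 ssh-rsa; do
        case "$accepted" in
            *",$alg,"*) ;;
            *) continue ;;
        esac
        case "$alg" in
            ssh-ed25519)         echo "-t ed25519 -m PEM" ;;
            ecdsa-sha2-nistp256) echo "-t ecdsa -b 256 -m PEM" ;;
            ecdsa-sha2-nistp384) echo "-t ecdsa -b 384 -m PEM" ;;
            ecdsa-sha2-nistp521) echo "-t ecdsa -b 521 -m PEM" ;;
            ssh-rsa)             echo "-t rsa -m PEM" ;;
        esac
        return 0
    done
    return 1
}

# Constructed demo: the log line from this article plus a sample server list
# (on the target, `sshd -T` prints the real pubkeyacceptedalgorithms value).
sample_log='Jul 07 11:42:34 <hostname> sshd[5626]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]'
sample_accepted='ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-256,rsa-sha2-512'

echo "rejected: $(printf '%s\n' "$sample_log" | rejected_key_types)"
echo "generate with: ssh-keygen $(keygen_args_for "$sample_accepted")"
```

The algorithm names are matched exactly, so a server list containing only rsa-sha2-256 or rsa-sha2-512 is not treated as accepting ssh-rsa.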

Other notes

Amazon Linux 2023 (AL2023) includes a default configuration that disables the legacy ssh-rsa host key algorithm and generates a reduced set of host keys.

So, to connect to this server, you should use other keys, such as ssh-ed25519 or the ecdsa-sha2-nistp256 host key algorithm.



Last modified on Jul 26, 2023
