ASA Client Displays a Warning about Deprecated ssh-rsa Algorithm
Advanced Server Access
Overview

When an Advanced Server Access (ASA) client tries to connect to a server, the following warning prompt appears:

This connection uses the deprecated ssh-rsa algorithm set in project(s): <projectName>. Data sent over this connection might be insecure
Do you want to continue [y/N]?

Applies To
  • Advanced Server Access (ASA)
  • Client Version 1.72.1 and newer
Cause

This warning was introduced in ASA client version 1.72.1. It is displayed when a client attempts to connect to a server in a project that has the SSH Certificate Signature Algorithm set to ssh-rsa.

The ssh-rsa algorithm utilizes SHA-1 hashing, which has been deprecated and deemed insecure.

Below is a screenshot of the setting's location under the project details. Specifics on all the options can be found in the Create a project documentation.

[Screenshot: SSH Certificate Signature Algorithm setting under the project details]

Solution

To prevent the warning prompt, change the project's SSH Certificate Signature Algorithm setting from ssh-rsa to a different, more secure algorithm, such as the default ssh-ed25519:

  1. Log in to the UI for the ASA team.
  2. Select Projects on the left pane.
  3. Select the gear icon next to the project and click Edit.
  4. Under the SSH Certificate Signature Algorithm section, select a different algorithm.

The ssh-ed25519 and other algorithms are widely supported across modern operating systems. However, a target server may have an sshd configuration that restricts the accepted CA signing algorithm to ssh-rsa; such a server becomes inaccessible from an ASA client once the project's algorithm is changed away from ssh-rsa, so check the server side before changing the project setting.

To check which signing algorithms are allowed by the sshd configuration, run the following on the target server:

sudo sshd -T | grep -i casignaturealgorithms

If ssh-rsa is the only algorithm returned, check the sshd configuration file (/etc/ssh/sshd_config) for the line "CASignatureAlgorithms ssh-rsa". This restricts the accepted CA signing algorithm to ssh-rsa only.
Comment out this line, or replace it with "CASignatureAlgorithms +ssh-rsa" if support for ssh-rsa must be kept (the leading "+" appends ssh-rsa to the default list instead of replacing it), and restart sshd for the change to take effect.
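The check above can be scripted so that the `sshd -T` output is parsed rather than eyeballed. The following is an added example, not part of the original article or of the ASA client: it takes an `sshd -T` dump as a string, reports whether the server accepts a given CA signature algorithm, and flags the ssh-rsa-only case the article describes. The two `sshd -T` dumps embedded in it are constructed samples; run it against a real host with `check_project_alg "$(sudo sshd -T)" ssh-ed25519`.

```shell
#!/bin/sh
# Added example (not from the original article): parse the
# "casignaturealgorithms" line of `sshd -T` output and report whether a
# target server would still accept certificates signed with the project's
# chosen SSH Certificate Signature Algorithm after moving off ssh-rsa.

# Constructed sample of `sudo sshd -T` output, as if taken from a server whose
# sshd_config contains "CASignatureAlgorithms ssh-rsa".
SAMPLE_RESTRICTED='port 22
casignaturealgorithms ssh-rsa
pubkeyacceptedalgorithms ssh-ed25519,rsa-sha2-512'

# Constructed sample from a server that uses the OpenSSH default list
# (no CASignatureAlgorithms override in sshd_config).
SAMPLE_DEFAULT='port 22
casignaturealgorithms ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256'

# ca_algs DUMP: print the comma-separated CA signature algorithm list found
# in an `sshd -T` dump passed as the first argument.
ca_algs() {
    printf '%s\n' "$1" | awk 'tolower($1) == "casignaturealgorithms" { print $2 }'
}

# ca_allows DUMP ALG: succeed if ALG appears in the CA signature algorithm list.
ca_allows() {
    ca_algs "$1" | tr ',' '\n' | grep -qx "$2"
}

# ca_is_rsa_only DUMP: succeed if the list contains nothing but ssh-rsa, which
# is exactly the configuration that locks out non-ssh-rsa projects.
ca_is_rsa_only() {
    [ "$(ca_algs "$1")" = "ssh-rsa" ]
}

# check_project_alg DUMP ALG: print a verdict for the project's chosen
# algorithm and return 0 (accepted) or 1 (the server would reject it).
check_project_alg() {
    if ca_allows "$1" "$2"; then
        echo "ok: sshd accepts CA signature algorithm $2"
        return 0
    fi
    if ca_is_rsa_only "$1"; then
        echo "blocked: sshd only accepts ssh-rsa; edit CASignatureAlgorithms in /etc/ssh/sshd_config (e.g. '+ssh-rsa') and restart sshd"
    else
        echo "blocked: sshd does not accept $2 (allowed: $(ca_algs "$1"))"
    fi
    return 1
}

# Demonstration on the constructed samples; on a real server use
#   check_project_alg "$(sudo sshd -T)" ssh-ed25519
check_project_alg "$SAMPLE_RESTRICTED" ssh-ed25519 || true
check_project_alg "$SAMPLE_DEFAULT" ssh-ed25519
```

The script keys on the lowercase `casignaturealgorithms` keyword that `sshd -T` prints, so it works regardless of how the directive is capitalised in sshd_config, and it also catches the case where the server allows some non-default list that simply omits the algorithm the project was switched to.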

Bypassing the warning prompt with an environment variable:

  • As of ASA client version 1.73.2, the warning prompt can be bypassed by setting the environment variable SFT_ALLOW_INSECURE_SHA1_SSH="1".
  • With this set, the following message is displayed instead:
    This connection uses the deprecated ssh-rsa algorithm set in project(s): ssh-rsa. Data sent over this connection might be insecure. Warning ignored as SFT_ALLOW_INSECURE_SHA1_SSH is set. Continuing...
To set this for the current session only:
  • Windows CMD: set SFT_ALLOW_INSECURE_SHA1_SSH="1"
  • Windows PowerShell: $env:SFT_ALLOW_INSECURE_SHA1_SSH="1"
  • Linux/macOS: export SFT_ALLOW_INSECURE_SHA1_SSH="1" (the export is needed so the variable is passed to the sft client process)

To set it persistently, run the command below and start a new session:
  • Windows (CMD and PowerShell): setx SFT_ALLOW_INSECURE_SHA1_SSH "1"
  • Linux/macOS: add export SFT_ALLOW_INSECURE_SHA1_SSH="1" to the user's shell profile (for example ~/.bashrc or ~/.zshrc).