ASA - Red Hat 9.4 Support
Products: Okta Classic Engine, Okta Identity Engine, Advanced Server Access
Overview

When ssh-rsa is selected as the "Certificate Signing Algorithm" for a project, users get the following error when connecting to a Red Hat 9.4 server enrolled in that project:

ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain

Applies To
  • Okta Advanced Server Access (ASA)
  • Red Hat 9.4 with ssh-rsa
Cause

The use of the SHA-1 algorithm for creating and verifying signatures is restricted in the DEFAULT cryptographic policy of RHEL 9. Certificates that ASA issues with the ssh-rsa algorithm carry RSA signatures over SHA-1, so sshd on the Red Hat 9.4 server rejects them and the client reports the authentication failure above. If SHA-1 is required for verifying existing or third-party cryptographic signatures, it can be enabled by applying the SHA1 subpolicy, which RHEL 9 provides by default. Note that this weakens the security of the system.

Moving away from ssh-rsa is recommended because the algorithm is deprecated. Starting with version 1.72.1, a warning message is also displayed when users try to sign in to an Advanced Server Access project that uses the deprecated ssh-rsa algorithm in its configuration.

Solution
If a legacy server in the project must keep using ssh-rsa, apply both of the following on that server:
  • Add the following directive to the server's /etc/ssh/sshd_config and restart sshd:
    CASignatureAlgorithms +ssh-rsa
  • Run the following command on the Red Hat server and reboot it:
    update-crypto-policies --set DEFAULT:SHA1

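The two server-side steps above can be verified and applied in a repeatable way. The script below is an added example, not Okta's or Red Hat's own tooling: it checks whether the effective sshd configuration accepts ssh-rsa CA signatures, checks whether the SHA1 subpolicy is in effect, and appends ssh-rsa to CASignatureAlgorithms only if it is missing. The function names are hypothetical, the sample `sshd -T` and `update-crypto-policies --show` output is constructed, and the config edit is demonstrated on a scratch file rather than the live /etc/ssh/sshd_config. It assumes `sshd -T` prints keywords in lowercase, which OpenSSH does.

```shell
#!/bin/sh
# Added example (not Okta's or Red Hat's tooling): check whether a RHEL 9 host will
# reject ASA certificates signed with ssh-rsa, and apply the sshd_config part of the
# workaround idempotently. The crypto-policy change itself is still done with
# `update-crypto-policies --set DEFAULT:SHA1` followed by a reboot, as the article says.

# ca_allows_ssh_rsa TEXT
#   TEXT is the output of `sshd -T` (effective config, lowercase keywords).
#   Returns 0 if ssh-rsa is among the accepted CA signature algorithms, 1 otherwise.
ca_allows_ssh_rsa() {
  printf '%s\n' "$1" | awk '
    $1 == "casignaturealgorithms" {
      n = split($2, algs, ",")
      for (i = 1; i <= n; i++) if (algs[i] == "ssh-rsa") found = 1
    }
    END { exit found ? 0 : 1 }'
}

# policy_allows_sha1 POLICY
#   POLICY is the output of `update-crypto-policies --show`, e.g. DEFAULT or DEFAULT:SHA1.
#   Returns 0 only when the SHA1 subpolicy is applied (other policies are not considered).
policy_allows_sha1() {
  case "$1" in
    *:SHA1|*:SHA1:*) return 0 ;;
    *) return 1 ;;
  esac
}

# ensure_ca_sig_directive FILE
#   Edits the sshd_config at FILE in place: appends ssh-rsa to the first
#   CASignatureAlgorithms line, or adds "CASignatureAlgorithms +ssh-rsa" if none exists.
#   Safe to run repeatedly. Restart sshd afterwards for the change to take effect.
ensure_ca_sig_directive() {
  f="$1"
  tmp="$f.tmp.$$"
  awk '
    tolower($1) == "casignaturealgorithms" && !done {
      v = $2; sub(/^\+/, "", v)           # a leading "+" means "append to defaults"
      n = split(v, algs, ","); has = 0
      for (i = 1; i <= n; i++) if (algs[i] == "ssh-rsa") has = 1
      if (!has) $0 = $1 " " $2 ",ssh-rsa"
      done = 1
    }
    { print }
    END { if (!done) print "CASignatureAlgorithms +ssh-rsa" }
  ' "$f" > "$tmp" && mv "$tmp" "$f"
}

# Demonstration on constructed sample data (not captured from a real host).
# On a real server you would pass "$(sshd -T)" and "$(update-crypto-policies --show)".
SAMPLE_SSHD_T='port 22
casignaturealgorithms ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256'
SAMPLE_POLICY='DEFAULT'

if ca_allows_ssh_rsa "$SAMPLE_SSHD_T"; then
  echo "sshd accepts ssh-rsa CA signatures"
else
  echo "sshd rejects ssh-rsa CA signatures: add CASignatureAlgorithms +ssh-rsa"
fi
if policy_allows_sha1 "$SAMPLE_POLICY"; then
  echo "crypto policy $SAMPLE_POLICY permits SHA-1 signatures"
else
  echo "crypto policy $SAMPLE_POLICY blocks SHA-1: ASA ssh-rsa certificates will fail"
fi

# Apply the directive to a scratch copy of sshd_config (never the live file in a demo).
DEMO_CONF=$(mktemp)
printf 'Port 22\nPermitRootLogin no\n' > "$DEMO_CONF"
ensure_ca_sig_directive "$DEMO_CONF"
ensure_ca_sig_directive "$DEMO_CONF"   # second run is a no-op
grep -n 'CASignatureAlgorithms' "$DEMO_CONF"
rm -f "$DEMO_CONF"
```

Both checks have to pass on the legacy server for ssh-rsa certificates to work: the sshd directive alone does nothing while the DEFAULT policy still blocks SHA-1 signatures, and the SHA1 subpolicy alone does nothing while sshd's CASignatureAlgorithms list omits ssh-rsa. Treat a host where either check succeeds as one that still needs the ssh-ed25519 migration below.
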
If no legacy server is enrolled in the project, switch the certificate signing algorithm to ssh-ed25519 using the steps below:

  1. Log in to Okta Advanced Server Access dashboard.
  2. Go to Projects > [project] > Actions > Edit > SSH Certificate Signature Algorithm.
  3. In the dropdown menu, choose "ssh-ed25519" and click Submit.