Default SSH server configuration - Amazon Linux 2023

Default SSH server configuration

If you connect with an SSH client that is several years old, you might see an error when you connect to an instance. If the error says there's no matching host key type found, the client does not support any of the host key algorithms the instance offers. Update the client, or, if that is not possible, change the host keys the instance generates as described below.

Default disabling of ssh-rsa signatures

AL2023 includes a default configuration that disables the legacy ssh-rsa signature algorithm (RSA with SHA-1) and generates a reduced set of host keys. Clients must support the ssh-ed25519 or the ecdsa-sha2-nistp256 host key algorithm.

The default configuration accepts any of these key exchange algorithms:

  • curve25519-sha256

  • curve25519-sha256@libssh.org

  • ecdh-sha2-nistp256

  • ecdh-sha2-nistp384

  • ecdh-sha2-nistp521

  • diffie-hellman-group-exchange-sha256

  • diffie-hellman-group14-sha256

  • diffie-hellman-group16-sha512

  • diffie-hellman-group18-sha512

By default, AL2023 generates only ed25519 and ECDSA host keys, so the server offers only the ssh-ed25519 and ecdsa-sha2-nistp256 host key algorithms. When you connect by SSH to an instance, you must use a client that supports at least one of them. If you need other host key types, override the list of generated keys with a cloud-config fragment in user-data.

In the following example, cloud-config generates an RSA host key in addition to the default ed25519 and ECDSA keys. Note that an RSA host key alone is offered only with rsa-sha2-256 and rsa-sha2-512 signatures; the SHA-1 ssh-rsa signature stays disabled unless you also change the crypto policy as described below.

    #cloud-config
    ssh_genkeytypes:
      - ed25519
      - ecdsa
      - rsa

If you use an RSA key pair for public key authentication, your SSH client must be able to produce an rsa-sha2-256 or rsa-sha2-512 signature; the SHA-1 based ssh-rsa signature is rejected. If you're using an incompatible client and can't upgrade it, you can re-enable ssh-rsa support on your instance by activating the LEGACY system crypto policy with the following commands. Be aware that LEGACY lowers the cryptographic baseline for every policy-aware component on the instance, not only sshd, and re-enables SHA-1 signatures, so treat it as a temporary workaround. Restart the sshd service (or reboot) afterwards for the new policy to take effect.

    $ sudo dnf install crypto-policies-scripts
    $ sudo update-crypto-policies --set LEGACY
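The following added example (not code from Amazon Linux, cloud-init or OpenSSH) models the algorithm negotiation from RFC 4253 section 7.1 to show why an old client gets "no matching host key type found" against the AL2023 defaults described above, and what each of the two remedies on this page changes: adding an RSA host key through ssh_genkeytypes, and activating the LEGACY crypto policy. The key exchange list is the one given above. The mapping from generated key type to offered host key algorithm, the server's accepted public key signature algorithms, and the two client profiles are assumptions constructed for the example and are marked as such in the code.

```python
"""Model of SSH algorithm negotiation against an AL2023 default sshd.

Added example, not part of Amazon Linux or OpenSSH.  Lists marked "assumed"
are constructed for illustration and not taken from the page.
"""

# From the page: AL2023 default key exchange algorithms.
AL2023_KEX = [
    "curve25519-sha256", "curve25519-sha256@libssh.org",
    "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
    "diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha256",
    "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512",
]

# Assumed: host key algorithms sshd offers per generated key type under the
# DEFAULT crypto policy.  An RSA host key yields only the SHA-2 signature
# forms; ssh-rsa (SHA-1) is offered only when the LEGACY policy is active.
HOSTKEY_ALGS_FOR_KEYTYPE = {
    "ed25519": ["ssh-ed25519"],
    "ecdsa": ["ecdsa-sha2-nistp256"],
    "rsa": ["rsa-sha2-512", "rsa-sha2-256"],
}

# Assumed: signature algorithms sshd accepts for public key authentication
# under the DEFAULT policy (ssh-rsa excluded, as the page states).
PUBKEY_SIGS_DEFAULT = ["ssh-ed25519", "ecdsa-sha2-nistp256",
                       "rsa-sha2-512", "rsa-sha2-256"]


def negotiate(client_prefs, server_prefs):
    """RFC 4253 rule: the first algorithm in the client's preference order
    that the server also offers wins; None when the lists are disjoint."""
    offered = set(server_prefs)
    return next((alg for alg in client_prefs if alg in offered), None)


def server_hostkey_algs(ssh_genkeytypes=("ed25519", "ecdsa"), legacy_policy=False):
    """Host key algorithms offered for a given cloud-config ssh_genkeytypes list."""
    algs = [a for kt in ssh_genkeytypes for a in HOSTKEY_ALGS_FOR_KEYTYPE[kt]]
    if legacy_policy and "rsa" in ssh_genkeytypes:
        algs.append("ssh-rsa")  # SHA-1 signatures, LEGACY policy only
    return algs


def server_pubkey_sigs(legacy_policy=False):
    """Signature algorithms accepted for user keys under the given policy."""
    return PUBKEY_SIGS_DEFAULT + (["ssh-rsa"] if legacy_policy else [])


def check_client(client, ssh_genkeytypes=("ed25519", "ecdsa"), legacy_policy=False):
    """Return (negotiated algorithms, failures worded like OpenSSH's
    'Unable to negotiate ...' messages) for a client profile."""
    hostkeys = server_hostkey_algs(ssh_genkeytypes, legacy_policy)
    sigs = server_pubkey_sigs(legacy_policy)
    chosen = {
        "kex": negotiate(client["kex"], AL2023_KEX),
        "hostkey": negotiate(client["hostkey"], hostkeys),
        "pubkey_sig": negotiate(client["pubkey_sig"], sigs),
    }
    problems = []
    if chosen["kex"] is None:
        problems.append("no matching key exchange method found. Their offer: "
                        + ",".join(AL2023_KEX))
    if chosen["hostkey"] is None:
        problems.append("no matching host key type found. Their offer: "
                        + ",".join(hostkeys))
    if chosen["pubkey_sig"] is None:
        problems.append("public key auth: no acceptable signature algorithm. "
                        "Server accepts: " + ",".join(sigs))
    return chosen, problems


# Constructed client profiles (not captured from real software): an old client
# that only knows SHA-1 RSA signatures, and a current one.
OLD_CLIENT = {
    "kex": ["diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha1"],
    "hostkey": ["ssh-rsa", "ssh-dss"],
    "pubkey_sig": ["ssh-rsa"],
}
NEW_CLIENT = {
    "kex": ["curve25519-sha256", "ecdh-sha2-nistp256", "diffie-hellman-group14-sha256"],
    "hostkey": ["ssh-ed25519", "ecdsa-sha2-nistp256", "rsa-sha2-512", "ssh-rsa"],
    "pubkey_sig": ["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"],
}

if __name__ == "__main__":
    with_rsa = ("ed25519", "ecdsa", "rsa")
    cases = [
        ("old client, AL2023 defaults", OLD_CLIENT, {}),
        ("old client, RSA host key added", OLD_CLIENT, {"ssh_genkeytypes": with_rsa}),
        ("old client, RSA host key + LEGACY policy", OLD_CLIENT,
         {"ssh_genkeytypes": with_rsa, "legacy_policy": True}),
        ("new client, AL2023 defaults", NEW_CLIENT, {}),
    ]
    for label, client, kwargs in cases:
        chosen, problems = check_client(client, **kwargs)
        print(f"{label}: {chosen}")
        for p in problems:
            print("  Unable to negotiate: " + p)
```

The second case is the one worth noticing: adding an RSA host key via ssh_genkeytypes is not enough for a client that only speaks ssh-rsa, because the key is offered with rsa-sha2-256/512 signatures only; the SHA-1 form appears only under the LEGACY policy, which is why the page pairs the two remedies. To compare a real client against these lists, run ssh -Q kex and ssh -Q key on it (current OpenSSH also accepts ssh -Q HostKeyAlgorithms and ssh -Q PubkeyAcceptedAlgorithms), and check what the instance offers with ssh-keyscan -t ed25519,ecdsa,rsa followed by the instance address.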

For more information about managing host keys, see Amazon Linux Host keys.