Passwordless SSH to Legacy Servers (ssh-rsa only)
This guide shows how to set up SSH key login for older servers that only support ssh-rsa, and how to configure your client so you don’t get blocked by modern SSH defaults.
🧩 When you need this
- Server only offers: ssh-rsa/ssh-dss
- You see errors like: no matching host key type found
- Or password login works, but key login doesn’t
✅ 1) Generate a compatible key (RSA)
ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa_legacy
- Press Enter to accept defaults
- Optional: set a passphrase
📤 2) Copy the key to the server (with compatibility flags)
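Use these flags because modern OpenSSH clients disable the ssh-rsa algorithm (RSA signatures with SHA-1) by default.
On OpenSSH 8.5 and later, PubkeyAcceptedKeyTypes is named PubkeyAcceptedAlgorithms; the old name is still accepted as an alias.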
ssh-copy-id -i ~/.ssh/id_rsa_legacy.pub \
-o HostKeyAlgorithms=+ssh-rsa \
-o PubkeyAcceptedKeyTypes=+ssh-rsa \
root@<SERVER_IP>
🔹 If the server uses a custom port:
ssh-copy-id -i ~/.ssh/id_rsa_legacy.pub \
-o HostKeyAlgorithms=+ssh-rsa \
-o PubkeyAcceptedKeyTypes=+ssh-rsa \
-p <PORT> \
root@<SERVER_IP>
You will be asked for the password once.
Expected output:
Number of key(s) added: 1
⚙️ 3) Configure SSH client (~/.ssh/config)
Edit:
nano ~/.ssh/config
# Add an entry per server:
Host my-server
HostName <SERVER_IP_OR_HOSTNAME>
# Port: omit or set to 22 if default (keep comments on their own line)
Port <PORT>
User root
IdentityFile ~/.ssh/id_rsa_legacy
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa
#Example with default port (22)
Host my-server
HostName <SERVER_IP>
User root
IdentityFile ~/.ssh/id_rsa_legacy
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa
#Example with custom port
Host my-server-alt
HostName <SERVER_IP>
Port <PORT>
User root
IdentityFile ~/.ssh/id_rsa_legacy
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa
4) Test
ssh my-server
Still asking for password?
ssh -vvv my-server
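# Permissions on server (with StrictModes, the sshd default, keys are refused if ~/.ssh or authorized_keys is writable by other users)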
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
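To read the ssh -vvv output from step 4, the following added example (not part of the original guide) sorts a debug log into the failure cases this page covers. The function name, the diagnosis labels and the sample log lines are constructed for illustration; the matched strings are OpenSSH client messages.

```shell
#!/bin/sh
# Added example: classify `ssh -vvv` output (read from stdin) into one cause.
# The diagnosis labels are names chosen for this example, not OpenSSH output.
triage_ssh_debug() {
    log=$(cat)
    has() { printf '%s\n' "$log" | grep -q -- "$1"; }

    if has 'no matching host key type found'; then
        echo host-key-algorithm    # client needs HostKeyAlgorithms +ssh-rsa
    elif has 'no mutual signature algorithm'; then
        echo pubkey-algorithm      # client needs PubkeyAcceptedKeyTypes +ssh-rsa
    elif has 'Server accepts key'; then
        echo key-accepted          # public key login works
    elif has 'Offering public key'; then
        echo server-rejected-key   # check authorized_keys and modes on server
    else
        echo key-not-offered       # check IdentityFile path in ~/.ssh/config
    fi
}

# Constructed sample logs (192.0.2.10 is a documentation address).
SAMPLE_HOSTKEY='Unable to negotiate with 192.0.2.10 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss'

SAMPLE_SIGALG='debug1: Offering public key: /home/user/.ssh/id_rsa_legacy RSA SHA256:CONSTRUCTED explicit
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Next authentication method: password'

SAMPLE_REJECTED='debug1: Offering public key: /home/user/.ssh/id_rsa_legacy RSA SHA256:CONSTRUCTED explicit
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password'

SAMPLE_OK='debug1: Offering public key: /home/user/.ssh/id_rsa_legacy RSA SHA256:CONSTRUCTED explicit
debug1: Server accepts key: /home/user/.ssh/id_rsa_legacy RSA SHA256:CONSTRUCTED explicit'

# Print one diagnosis per sample log.
for s in "$SAMPLE_HOSTKEY" "$SAMPLE_SIGALG" "$SAMPLE_REJECTED" "$SAMPLE_OK"; do
    printf '%s\n' "$s" | triage_ssh_debug
done
```

Against a real host, debug output goes to stderr, so pipe it with: ssh -vvv -o BatchMode=yes my-server 2>&1 | triage_ssh_debug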