Fix SSH sign_and_send_pubkey: no mutual signature supported Error
Problem Statement
When attempting to connect to an SSH server using a terminal client (particularly common on macOS after system updates), you may encounter the error:
```
sign_and_send_pubkey: no mutual signature supported
user@host: Permission denied (publickey).
```
This occurs despite:
- Using a valid private key file (`-i` flag)
- Having correct file permissions (`400` for the key file)
- Successful connections via GUI tools (like IntelliJ Remote Hosts)
The core issue is an algorithm compatibility mismatch between your SSH client and the server. The server may be rejecting older signature algorithms due to newer security standards.
Why This Happens
Modern SSH clients (OpenSSH 8.8+) disable the `ssh-rsa` (SHA-1) signature algorithm by default due to security vulnerabilities. If your server:
- Uses an older OpenSSH version
- Only supports `ssh-rsa` keys
- Or lacks modern algorithms like `rsa-sha2-256/512`

...your client will refuse to establish a connection using potentially insecure methods.
Recommended Solutions
Preferred Long-term Solution: Generate a Modern Key
Create a new Ed25519 key (current security standard):
```bash
ssh-keygen -t ed25519 -a 100
```
Add the key to your agent:
```bash
ssh-add ~/.ssh/id_ed25519
```
Copy the public key to your server:
```bash
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@host
```
Temporary Compatibility Workaround
If key regeneration isn't immediately possible, enforce modern RSA SHA-2 algorithms:
Per-connection fix: Add key type parameters to your SSH command
```bash
ssh -o PubkeyAcceptedKeyTypes=rsa-sha2-256,rsa-sha2-512 \
    -i {key.pem} user@host
```
Host-specific config (add to `~/.ssh/config`):
```ssh-config
Host your-server-hostname
    PubkeyAcceptedKeyTypes rsa-sha2-256,rsa-sha2-512
    HostKeyAlgorithms rsa-sha2-256,rsa-sha2-512
```
Last Resort: Enable Legacy Algorithms (Not Recommended)
```ssh-config
Host legacy-server
    PubkeyAcceptedKeyTypes +ssh-rsa
    HostKeyAlgorithms +ssh-rsa
```
Security Warning
This re-enables the vulnerable SHA-1 algorithm. Use only for temporary access to non-critical systems and replace keys immediately.
Key Principles Explained
Algorithm Compatibility
The error indicates your client/server negotiation failed to find a mutually supported signature algorithm for key authentication. Modern clients disable `ssh-rsa` (SHA-1) due to vulnerability to collision attacks.
Best Practice Key Recommendations
Key Type | Command | Security Level | Notes |
---|---|---|---|
Ed25519 | ssh-keygen -t ed25519 | High | Preferred modern standard |
RSA 4096-bit | ssh-keygen -t rsa -b 4096 | High | Good if RSA required |
RSA 3072-bit | ssh-keygen -t rsa -b 3072 | Medium-High | Minimum acceptable RSA in 2023 |
Verify and Maintain
Check your server's OpenSSH version:
```bash
ssh user@host "sshd -V"
```
Upgrade server if possible:
```bash
# Ubuntu/Debian
sudo apt update && sudo apt upgrade openssh-server
# RHEL/CentOS
sudo yum update openssh-server
```
Persistent Workarounds Are Risky
Configuration changes like `PubkeyAcceptedKeyTypes +ssh-rsa` are temporary fixes that weaken security. Always prioritize updating server SSH software or regenerating keys with modern standards.
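To find workarounds that were left in place, the following added example (not from the original page) scans an ssh_config-style file and reports each Host or Match block that still allows `ssh-rsa`. The function names and the sample config are constructed for illustration; it also checks `PubkeyAcceptedAlgorithms`, the name OpenSSH 8.5+ uses for `PubkeyAcceptedKeyTypes`.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): list every place an
# ssh_config-style file still allows the SHA-1 "ssh-rsa" signature algorithm.

# find_legacy_ssh_rsa [FILE]   (reads stdin when FILE is omitted)
# Prints "<line>:<block>:<option>:<value>" per finding, nothing if clean.
# Wildcard patterns inside algorithm lists are not expanded.
find_legacy_ssh_rsa() {
  awk '
    BEGIN { block = "(global)" }
    {
      line = $0
      sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
      if (line == "" || line ~ /^#/) next       # blank line or comment
      # ssh_config accepts both "Option value" and "Option=value".
      key = line; sub(/[ \t=].*$/, "", key)
      val = line; sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", val)
      gsub(/"/, "", val)
      k = tolower(key)                          # option names are case-insensitive
      if (k == "host" || k == "match") { block = key " " val; next }
      # PubkeyAcceptedAlgorithms is the OpenSSH 8.5+ name of PubkeyAcceptedKeyTypes.
      if (k != "pubkeyacceptedkeytypes" && k != "pubkeyacceptedalgorithms" &&
          k != "hostkeyalgorithms") next
      list = val
      if (list ~ /^-/) next                     # "-" prefix removes algorithms
      sub(/^[+^]/, "", list)                    # "+" appends, "^" prepends
      n = split(list, alg, ",")
      for (i = 1; i <= n; i++)
        if (alg[i] == "ssh-rsa") { printf "%d:%s:%s:%s\n", NR, block, key, val; break }
    }
  ' "${1:--}"
}

# Constructed sample config covering the three variants shown on this page.
sample_config() {
  cat <<'EOF'
# constructed sample, not a real configuration
Host your-server-hostname
    PubkeyAcceptedKeyTypes rsa-sha2-256,rsa-sha2-512
Host legacy-server
    PubkeyAcceptedKeyTypes +ssh-rsa
    hostkeyalgorithms=+ssh-rsa
Host hardened
    PubkeyAcceptedAlgorithms -ssh-rsa
EOF
}

# With an argument, audit that file (for example ~/.ssh/config).
[ "$#" -eq 0 ] || find_legacy_ssh_rsa "$1"
```

On the sample, only the two `legacy-server` lines are reported; the SHA-2-only list and the `-ssh-rsa` removal are not flagged.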
Following these solutions resolves the mutual signature error while maintaining secure SSH connections. The long-term fix (Ed25519 key regeneration) provides optimal security against emerging threats.