Here’s a question from Mr. Ramesh, one of our regular readers at Techglimpse. He says that his system log messages are flooded with “Deprecated option RSAAuthentication”.
I recently performed yum update on my CentOS VPS and later saw “sshd[11324]: rexec line 54: Deprecated option RSAAuthentication” messages in /var/log/messages. Why do I get this error and does that indicate any security issue?
Well, here’s the answer to Ramesh’s question.
Deprecated option RSAAuthentication
It seems that yum update has updated the OpenSSH package to the latest version. The update probably moved OpenSSH from a lower version to 7.3+, and that change could be the reason behind “Deprecated option RSAAuthentication”. From OpenSSH version 7.3+, the option "RSAAuthentication" has been deprecated, as it was only supported for SSH Protocol version 1. You should also be aware that SSH protocol version 1 suffers from design flaws that can leave SSH servers vulnerable. Hence, the SSH daemon must be configured to use only SSH protocol version 2.
To do that, edit the SSH configuration file and set Protocol 2 as shown below:
# vim /etc/ssh/sshd_config
Look for 'Protocol' and set the value to 2.
And now coming back to the question, RSAAuthentication is supported only for SSH Protocol version 1 and should not be used for SSH Protocol version 2. Moreover, the message “Deprecated option RSAAuthentication” clearly says that you should never be using the option for the latest version of OpenSSH.
Run the below command to check the version of OpenSSH installed on your system.
# rpm -qa |grep openssh-server
openssh-server-7.4p1-13.el7_4.x86_64
If the OpenSSH version is 7.3+, then you can safely remove the option "RSAAuthentication" from sshd_config.
# vim /etc/ssh/sshd_config
Look for the option 'RSAAuthentication' and comment it out. Similarly, you might want to disable other deprecated options such as RhostsRSAAuthentication.
Restart sshd
Check if there are any errors in sshd_config before restarting the service.
# /usr/sbin/sshd -t
# systemctl restart sshd
# systemctl status sshd
That’s it! “Deprecated option RSAAuthentication” should vanish from your system log files.
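To locate every active deprecated directive before editing by hand, here is an added example (not from the original article) that reports the sshd_config line numbers, the same kind of number the "rexec line 54" log message refers to, and can emit a copy with those directives commented out. The function names and the sample config are constructed for illustration, and the keyword list covers only the two options named above.

```shell
#!/bin/sh
# Added example: the keyword list holds only the two options the article names.
DEPRECATED_OPTS="RSAAuthentication RhostsRSAAuthentication"

# scan_config MODE FILE (hypothetical helper)
#   list: print "LINE:Keyword" for each active deprecated directive
#   fix : print the whole config with those directives commented out
scan_config() {
    awk -v opts="$DEPRECATED_OPTS" -v mode="$1" '
        BEGIN {
            n = split(tolower(opts), o, " ")
            for (i = 1; i <= n; i++) dep[o[i]] = 1
        }
        {
            line = $0
            sub(/^[ \t]+/, "", line)          # directives may be indented
            split(line, f, "[ \t=]+")         # keyword ends at space, tab or "="
            # keywords are case-insensitive; lines starting with "#" are inactive
            hit = (line !~ /^#/ && (tolower(f[1]) in dep))
            if (mode == "list") {
                if (hit) print NR ":" f[1]
            } else {
                prefix = hit ? "#" : ""
                print prefix $0
            }
        }' "$2"
}
find_deprecated_opts()    { scan_config list "$1"; }
comment_deprecated_opts() { scan_config fix "$1"; }

# Constructed sample config for trying the functions offline.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample, not taken from a real server
Port 22
Protocol 2
RSAAuthentication yes
#RhostsRSAAuthentication no
  rhostsrsaauthentication no
PubkeyAuthentication yes
EOF
}

# With a path argument, list the active deprecated directives in that file.
if [ -n "${1:-}" ]; then
    find_deprecated_opts "$1"
fi
```

Redirect the output of comment_deprecated_opts to a new file and compare it with the original before replacing sshd_config, then run the /usr/sbin/sshd -t check shown above.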
Not solved the fail2ban error…