Lightsail ssh/rdp browser - Log in failed CLIENT_UNAUTHORIZED [769]

Evening all. Did all of the above on my Lightsail Ubuntu 22.04 instance but was STILL getting the client_unauthorized 769 error.

I'm beginning to think this may have been an issue dating back from my upgrade from 20.04 --> 22.04, but a scheduled hardware outage on my service made me take a closer look.

Did the following to get it back:

1. SSH in via Putty and went to /etc/ssh
2. Checked SSHD was running via

systemctl status sshd

3. Attempted to log in via Web Console SSH and received 769 error
4. Ran

systemctl status sshd

again found the status message: userauth_pubkey: key type ssh-rsa-cert-v01@openssh.com not in PubkeyAcceptedAlgorithms [preauth]

5. Took a backup of /etc/ssh/sshd_config using

cp -a /etc/ssh/sshd_config /etc/ssh/BACKUP.sshd_config

6. Editted sshd_config using

vi sshd_config

7. UNCOMMENTED the line saying PubkeyAuthentication yes
8. Immediately after this line added a line saying:

 PubkeyAcceptedKeyTypes ssh-rsa,ssh-rsa-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-ed25519

9. Saved the file using

:wq

10. Restarted sshd service using: systemctl restart sshd
11. Checked it was running using systemctl status sshd
12. Attempted to log via the web console AND WAS Successful
13. Checked the status again and saw the following message: Accepted publickey for ubuntu from xx.xxx.xxx.xx port 12807 ssh2: RSA-CERT etc. etc.

I'm guessing you might have recently updated Ubuntu - I too was facing this issue and found the exact steps to fix it (comparing a lightsail instanced that was working)

Step 1) Download the default key
Step 2) Connect using a terminal app with that key
Step 3) sudo nano /etc/ssh/sshd_config
Step 4) Add Include /etc/ssh/sshd_config.d/*.conf
I put it around line 10 - there is a gap there between a bunch of commented items
Step 5) At the very bottom you should see TrustedUserCAKeys /etc/ssh/lightsail_instance_ca.pub
Add CASignatureAlgorithms +ssh-rsa on the next line
Step 6) Ctrl + X to save and exit
Step 7) sudo service ssh restart

The web terminal should now work

Thank you! Downloading the default key made it so that I could log in with Putty (after converting the pem-file to pkk), and I now have access to my server again. I did follow the guide, I cannot log inn trough ssh on web, but as long as I can log in with my ssh client I'm all good :)

OpenSSH versions 8.2 and later removed ssh-rsa from the list of algorithms accepted for certificate signatures, which is needed for Lightsail's browser-based SSH feature to work. If you recently manually upgraded your instance to Ubuntu 20.04, you can re-enable browser-based SSH by adding the following line to /etc/ssh/sshd_config:

CASignatureAlgorithms +ssh-rsa

That change will have to be done using another SSH client, e.g. the ssh utility included with Linux systems or PuTTY in Windows.

The above advice only applies if you manually upgraded your instance to Ubuntu 20.04. If you initially created the instance with the Ubuntu 20.04 blueprint provided by Lightsail, you do not need to apply this fix.

Edited by: briant-aws on May 3, 2021 2:54 PM

Edited by: briant-aws on May 3, 2021 3:05 PM