karaf ssh rsa libcrypto DevOps Jahia 8 Jahia 8.1 Jahia 8.2

Karaf SSH connection failure on RHEL 9 due to disabled ssh-rsa (SHA-1)

Question

On systems such as RHEL 9, the system-wide crypto policies disable certain algorithms by default (notably the ssh-rsa signature algorithm, which relies on SHA-1). When attempting to connect to the Karaf SSH console, this restriction can prevent host key negotiation and result in connection errors.

When trying to connect to the Karaf SSH console, you may see errors similar to:

ssh_dispatch_run_fatal: Connection to 127.0.0.1 port 8101: error in libcrypto

Answer

The issue occurs because the Karaf SSH server is configured with an RSA host key presented via the ssh-rsa (SHA-1) signature algorithm, which the OpenSSH client on RHEL 9 no longer accepts by default.

To resolve the problem:

  1. Restrict access to the Karaf console to localhost
    Edit digital-factory-data/karaf/etc/org.apache.karaf.shell.cfg and ensure the following is set:

    karaf.remoteShellHost = 127.0.0.1
    karaf.remoteShellPort = 8101

  2. Switch the host key algorithm to ECDSA
    Still in the same configuration file, configure:

    keySize = 256
    algorithm = EC

  3. Remove the old RSA host key

    rm -f digital-factory-data/karaf/etc/host.key
    rm -f digital-factory-data/karaf/etc/host.key.pub

    Karaf generates a new ECDSA P-256 host key the next time its SSH server starts.

You should now be able to connect with a standard command, without any special client options:

ssh -p 8101 root@127.0.0.1
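As an added example (not Jahia's or Karaf's own tooling), the shell functions below apply the three steps above to the digital-factory-data/karaf/etc directory idempotently and check that every setting is in place and the old RSA key files are gone. They assume a POSIX shell with GNU sed (for sed -i); the ETC_DIR argument is the path to that etc directory.

```shell
#!/bin/sh
# Added example: apply and verify the Karaf SSH hardening described above.
# Assumes GNU sed; ETC_DIR is digital-factory-data/karaf/etc on the target.

# set_prop FILE KEY VALUE: rewrite an existing "KEY = ..." line, or append one.
set_prop() {
    file=$1; key=$2; value=$3
    if grep -q "^[[:space:]]*${key}[[:space:]]*=" "$file"; then
        sed -i "s|^[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# configure_karaf_ssh ETC_DIR: bind the console to localhost, switch the host
# key to ECDSA P-256, and remove the RSA host key so Karaf regenerates it.
configure_karaf_ssh() {
    etc=$1
    cfg="$etc/org.apache.karaf.shell.cfg"
    set_prop "$cfg" karaf.remoteShellHost 127.0.0.1
    set_prop "$cfg" karaf.remoteShellPort 8101
    set_prop "$cfg" keySize 256
    set_prop "$cfg" algorithm EC
    rm -f "$etc/host.key" "$etc/host.key.pub"
}

# check_karaf_ssh ETC_DIR: return 0 only if all four settings hold and the old
# RSA key files are gone; prints the first problem found otherwise.
check_karaf_ssh() {
    etc=$1
    cfg="$etc/org.apache.karaf.shell.cfg"
    for kv in "karaf.remoteShellHost=127.0.0.1" "karaf.remoteShellPort=8101" \
              "keySize=256" "algorithm=EC"; do
        key=${kv%%=*}; want=${kv#*=}
        got=$(sed -n "s|^[[:space:]]*${key}[[:space:]]*=[[:space:]]*||p" "$cfg" | tail -n 1)
        [ "$got" = "$want" ] || { echo "$key is '$got', expected '$want'"; return 1; }
    done
    [ ! -e "$etc/host.key" ] || { echo "old host.key still present"; return 1; }
    [ ! -e "$etc/host.key.pub" ] || { echo "old host.key.pub still present"; return 1; }
    return 0
}

# After restarting Jahia, confirm the running server now presents an ECDSA
# host key (needs the live instance, so it is not part of the checks above):
#   ssh-keyscan -p 8101 -t ecdsa 127.0.0.1
```

Because the host key changes, any client that had the old RSA key in its known_hosts will warn on the next connection; remove the stale 127.0.0.1:8101 entry with ssh-keygen -R "[127.0.0.1]:8101" before reconnecting.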

This change ensures compatibility with modern cryptographic policies (such as those on RHEL 9) without having to weaken the system-wide crypto settings.

Always keep the Karaf SSH console restricted to 127.0.0.1 for security reasons.