Hetzner SSH Woes

How a ghost from the Hetzner Rescue System stole my Saturday afternoon.

The Setup

Fresh Ubuntu 22.04 server on Hetzner.

You boot into Rescue Mode to fix a frozen server, then reboot expecting smooth sailing — but you can’t SSH back in using your keys.

Cranking up the verbosity (ssh -vvv), you see:

userauth_pubkey: unsupported public key algorithm: ssh-ed25519 [preauth]

Wait… what?
You’re using modern ed25519 keys, and your system reports OpenSSH 8.9. That key type should be fine.


🔍 The Symptom

Everything looks correct:

  • ✅ OpenSSH 8.9 is installed: dpkg -S $(which sshd) # openssh-server: /usr/sbin/sshd
  • ✅ Your ~/.ssh/authorized_keys has the correct ed25519 key.
  • ✅ You restarted the SSH service: sudo systemctl restart ssh

But SSH login still fails, and logs still say:

userauth_pubkey: unsupported public key algorithm: ssh-ed25519

You try RSA. Same error. You double-check your config.
You scream.


💥 The Real Problem

The running sshd wasn’t the one you installed. 😑

A leftover process from Hetzner Rescue Mode was still running after reboot, and it was:

  • OpenSSH 8.2p2
  • Linked to OpenSSL 1.0.2l

That OpenSSL version is too old to support ed25519.

Even though you upgraded the package, that old sshd binary was still bound to port 22 — silently hijacking all SSH connections.

Confirm the mismatch:

/usr/sbin/sshd -V
# OpenSSH_8.2p2, OpenSSL 1.0.2l  25 May 2017

Meanwhile, your packages are correct:

dpkg -l | grep openssh
# openssh-client 1:8.9p1-3ubuntu0.13
# openssh-server 1:8.9p1-3ubuntu0.13
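
The package checks above only describe what is on disk. As an added example (not part of the original post), this sketch maps the port 22 listener to its PID and compares /proc/<pid>/exe with the installed binary. The function names and the sample ss output are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): find which process really owns
# the SSH port and whether it runs the binary that is installed on disk.

# Constructed sample of `ss -H -tlnp` output (not captured from a real host).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))
LISTEN 0 4096 127.0.0.1:2222 0.0.0.0:* users:(("dockerd",pid=950,fd=7))'

# Print the PIDs listening on TCP port $1; reads `ss -H -tlnp` output on stdin.
listener_pids() {
    awk -v want=":$1" '
        substr($4, length($4) - length(want) + 1) == want {
            s = $0
            while (match(s, /pid=[0-9]+/)) {
                print substr(s, RSTART + 4, RLENGTH - 4)
                s = substr(s, RSTART + RLENGTH)
            }
        }' | sort -un
}

# Classify PID $1 against the expected binary path $2. $3 is the proc mount
# (default /proc; a parameter only so the check can be exercised offline).
# Prints a verdict line and returns 0 only when the listener is the expected file.
classify_listener() {
    cl_exe=$(readlink "${3:-/proc}/$1/exe") || { echo "unknown pid=$1"; return 2; }
    case "$cl_exe" in
        # The kernel appends " (deleted)" when the file was replaced or removed
        # after the process started, e.g. by a package upgrade.
        *" (deleted)") echo "stale pid=$1 exe=$cl_exe"; return 1 ;;
        "$2")          echo "ok pid=$1 exe=$cl_exe"; return 0 ;;
        *)             echo "foreign pid=$1 exe=$cl_exe"; return 1 ;;
    esac
}

# Live check, run as root so ss shows owners and /proc/<pid>/exe is readable.
# Returns non-zero if any listener on port $1 is not the binary at path $2.
audit_port() {
    ap_bad=0
    for ap_pid in $(ss -H -tlnp | listener_pids "$1"); do
        classify_listener "$ap_pid" "$2" || ap_bad=1
    done
    return "$ap_bad"
}

# On the server: audit_port 22 /usr/sbin/sshd
```

A `stale` or `foreign` verdict on port 22 means the daemon answering connections is not the installed /usr/sbin/sshd, whatever dpkg reports.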

🧯 The Fix

Booted into Hetzner Rescue System? Here’s how to fully clean and recover:

1. Temporarily enable password login

Edit /etc/ssh/sshd_config:

- PasswordAuthentication no
+ PasswordAuthentication yes

Then set a root password:

passwd

2. Kill the rogue sshd and restart clean

sudo pkill -u root sshd
sudo mkdir -p /run/sshd
sudo systemctl restart ssh
sudo systemctl enable ssh

Tip: Force reinstall if needed, to re-link against OpenSSL 3:

apt install --reinstall openssh-server openssh-client

3. Restore secure config

Once working, disable password login again:

- PasswordAuthentication yes
+ PasswordAuthentication no

🧼 Hetzner, Please Note

The Rescue System (or the handoff back to the normal system) left behind a rogue sshd process bound to an outdated OpenSSL. This shadow binary caused hours of confusion.

A cleaner shutdown of the Rescue environment — or reaping/resolving any inherited sshd processes — would save developers hours of fruitless debugging.

