From d9b12933ece51ab4244c91a9f5bb75c27a974db0 Mon Sep 17 00:00:00 2001 From: castironclay <17088350+castironclay@users.noreply.github.com> Date: Thu, 4 Nov 2021 18:07:46 -0400 Subject: [PATCH] Address algorithm not supported (#12852) error seen on host /var/log/auth.log: userauth_pubkey: certificate signature algorithm ssh-rsa: signature algorithm not supported [preauth] --- .../docs/secrets/ssh/signed-ssh-certificates.mdx | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/website/content/docs/secrets/ssh/signed-ssh-certificates.mdx b/website/content/docs/secrets/ssh/signed-ssh-certificates.mdx index da11fce94c..2d97b52fb4 100644 --- a/website/content/docs/secrets/ssh/signed-ssh-certificates.mdx +++ b/website/content/docs/secrets/ssh/signed-ssh-certificates.mdx @@ -475,7 +475,6 @@ forwarding. See [no prompt after login](#no-prompt-after-login) for examples. ``` ### Known Issues - - On SELinux-enforcing systems, you may need to adjust related types so that the SSH daemon is able to read it. For example, adjust the signed host certificate to be an `sshd_key_t` type. @@ -490,6 +489,17 @@ forwarding. See [no prompt after login](#no-prompt-after-login) for examples. [OpenSSH bug 2617](https://bugzilla.mindrot.org/show_bug.cgi?id=2617) for details. +- On some versions of SSH, you may get the following error on target host: + + ```text + userauth_pubkey: certificate signature algorithm ssh-rsa: signature algorithm not supported [preauth] + ``` + Fix is to add below line to /etc/ssh/sshd_config + ```text + CASignatureAlgorithms ^ssh-rsa + ``` + The ssh-rsa algorithm is no longer supported in [OpenSSH 8.2](https://www.openssh.com/txt/release-8.2) + ## API The SSH secrets engine has a full HTTP API. Please see the
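Review bot: In the first hunk (@@ -475,7 +475,6) the blank line between `### Known Issues` and the first list item is deleted, which is unrelated to the ssh-rsa entry and leaves the heading directly against the list. Restore the blank line so the heading is set off the same way the `## API` heading further down is, and so the diff is limited to the new entry.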
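Review bot: In the second hunk the closing sentence `The ssh-rsa algorithm is no longer supported in OpenSSH 8.2` contradicts the fix given just above it. If adding `CASignatureAlgorithms ^ssh-rsa` to sshd_config makes the host accept the certificate, the algorithm is still supported and has only been dropped from the set accepted by default. Suggest rewording along those lines and saying explicitly that the setting re-enables, on that host, a certificate signature algorithm the linked release notes removed from the defaults, so readers see it as a compatibility workaround rather than a neutral setting. Minor points in the same hunk: put a blank line between the closing fence of the error block and `Fix is to add below line to /etc/ssh/sshd_config`, put the file path in backticks, end both sentences with a period, and change "on target host" to "on the target host".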