An SSH application was created on the ZTNA portal and the SSH certificate installation completed successfully on the server; however, when a user attempts to connect to the SSH server via ZTNA, the connection fails with this message:
C:\Users\lambda>ssh lambda@[email protected]
########################################################################
########################################################################
########## SYMANTEC ZTNA ##########
########################################################################
########################################################################
---------------------------------
Please browse to the Symantec ZTNA Application Portal to obtain the Temporary Access Token or to generate and download the SSH key.
---------------------------------
(lambda@[email protected]) Access Token:
Received disconnect from 35.241.229.232 port 22:14: The good news, you are authorized to access the application.
However, the requested application authentication failed, due to Public Key Authentication method failure on target resource.
Please contact your system administrator.
What is causing the error, and how can it be resolved on the server side?
Linux server with sshd.
Looking at the destination SSH server's secure or auth log (depending on the OS), we see the following:
grep "openssh" /var/log/secure
Dec 18 11:15:16 internalhostname sshd[1001234]: userauth_pubkey: key type [email protected] not in PubkeyAcceptedKeyTypes [preauth]
Dec 18 11:15:16 internalhostname sshd[1001234]: userauth_pubkey: key type [email protected] not in PubkeyAcceptedKeyTypes [preauth]
The Linux server is not set up to accept RSA keys (the ssh-rsa signature algorithm) for key-based authentication, so it rejects the connections coming from the ZTNA connector. The log refers to PubkeyAcceptedKeyTypes, the older name of the same sshd option; on current OpenSSH releases it is called PubkeyAcceptedAlgorithms.
To resolve the problem, add this line to /etc/ssh/sshd_config:
PubkeyAcceptedAlgorithms +ssh-rsa
Afterwards, restart the sshd service so the new setting takes effect:
$ sudo systemctl restart sshd
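The following script is an added example, not part of the Symantec article: it applies the sshd_config change idempotently, syntax-checks the file before restarting, and verifies from the effective configuration ("sshd -T") that ssh-rsa is now accepted. It assumes OpenSSH 8.5 or newer (keyword PubkeyAcceptedAlgorithms) and that sshd and systemctl are available on the target server; the sample "sshd -T" excerpts are constructed.

```shell
#!/bin/sh
# Added example, not from the Symantec KB article: apply the sshd_config change
# idempotently and verify the effective algorithm list after the restart.
# Assumptions: OpenSSH 8.5 or newer (keyword PubkeyAcceptedAlgorithms), and that
# "sshd -T" and "systemctl restart sshd" are available on the target server.
# Note: ssh-rsa is the RSA/SHA-1 signature scheme that OpenSSH 8.8+ disables by
# default; "+ssh-rsa" appends it to the default list instead of replacing the list.

# Return 0 if the given "sshd -T" output lists ssh-rsa as an accepted pubkey algorithm.
# sshd -T prints keywords in lowercase; older releases print pubkeyacceptedkeytypes.
accepts_ssh_rsa() {
    printf '%s\n' "$1" | awk '
        tolower($1) ~ /^pubkeyaccepted(algorithms|keytypes)$/ {
            n = split($2, algs, ",")
            for (i = 1; i <= n; i++) if (algs[i] == "ssh-rsa") found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Append the fix line to the config file unless a directive already enables ssh-rsa.
# Return 0 when the file contains such a directive afterwards. The line is appended
# at the end of the file; if the file ends with a Match block, place it above that
# block instead, because directives after a Match line apply only inside it.
enable_ssh_rsa() {
    cfg="$1"
    if grep -Eiq '^[[:space:]]*PubkeyAcceptedAlgorithms[[:space:]]+([^#]*[,+[:space:]])?ssh-rsa([,[:space:]]|$)' "$cfg"; then
        return 0
    fi
    printf '\nPubkeyAcceptedAlgorithms +ssh-rsa\n' >> "$cfg"
    grep -q '^PubkeyAcceptedAlgorithms +ssh-rsa$' "$cfg"
}

# Full server-side procedure: edit, syntax-check, restart, then confirm the effective config.
apply_fix() {
    cfg="${1:-/etc/ssh/sshd_config}"
    enable_ssh_rsa "$cfg" || return 1
    sshd -t -f "$cfg" || return 1            # refuse to restart on a broken config
    systemctl restart sshd || return 1
    accepts_ssh_rsa "$(sshd -T -f "$cfg")"   # 0 only if ssh-rsa is now accepted
}

# Constructed, abbreviated "sshd -T" excerpts: a default OpenSSH 8.8+ server and the
# same server after the fix; used only to exercise the checks offline.
SAMPLE_BEFORE='port 22
pubkeyauthentication yes
pubkeyacceptedalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256'
SAMPLE_AFTER="$SAMPLE_BEFORE,ssh-rsa"

# Usage on the server (as root): sh enable_ssh_rsa.sh --apply
if [ "${1:-}" = "--apply" ]; then apply_fix /etc/ssh/sshd_config; fi
```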