How can I establish a session against one-off dynos in a Shield Private Space?

Issue

Even if I registered an SSH key on Heroku, I cannot connect to Shield one-off dynos. The Heroku CLI command `heroku run bash` shows an error like:

> There was a problem connecting to the dyno.
> Confirm that your ssh key is added to your agent by running `ssh-add`.
> Check that your ssh key has been uploaded to heroku with `heroku keys:add`.
> See https://devcenter.heroku.com/articles/one-off-dynos#shield-private-spaces

Resolution

First and foremost, make sure that you have an up-to-date SSH key; you can follow this KB. You may also have to allow the SSH key to be used against 127.0.0.1 in `~/.ssh/config`. The Heroku CLI command creates a tunnel to the Shield Private Space with its entrance at 127.0.0.1 on a random port, then runs the `ssh` command to connect to that tunnel.

It seems OpenSSH 8.2 disabled the ssh-rsa public key signature algorithm by default to avoid the use of the now-vulnerable SHA-1 hash algorithm. For customers who uploaded RSA keys, this makes it impossible to establish the SSH connection to the bastion, which only supports ssh-rsa, until a pull request that enables rsa-sha2-256, rsa-sha2-512, and ssh-rsa is merged and deployed to customers' Private Spaces. Until then, we'd need to ask customers to enable ssh-rsa by adding the following to `~/.ssh/config`:

```
Host *
  HostKeyAlgorithms +ssh-rsa
  PubkeyAcceptedKeyTypes +ssh-rsa
```
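
To confirm what the client will actually offer to the tunnel entrance, inspect the effective configuration that `ssh -G 127.0.0.1` prints. The script below is an added example, not Heroku's code: it parses that output (the sample lines are constructed) and reports whether `ssh-rsa` appears as an exact list entry, under either the `pubkeyacceptedkeytypes` keyword or its newer name `pubkeyacceptedalgorithms`.

```shell
#!/bin/sh
# Added example (not Heroku code): does the effective OpenSSH client config
# still offer the SHA-1 based ssh-rsa signature algorithm?
# Real use: ssh -G 127.0.0.1 | ssh_rsa_status

# has_alg "KEYWORDS" ALG: reads `ssh -G` style lines on stdin and succeeds only
# if one of the KEYWORDS lists ALG as an exact comma-separated entry, so
# rsa-sha2-256 or ssh-rsa-cert-v01@openssh.com never count as ssh-rsa.
has_alg() {
  awk -v kws="$1" -v alg="$2" '
    BEGIN { n = split(kws, k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
    (tolower($1) in want) {
      m = split($2, a, ",")
      for (i = 1; i <= m; i++) if (a[i] == alg) found = 1
    }
    END { exit !found }'
}

# Prints "pubkey=yes|no hostkey=yes|no" for the config text on stdin.
ssh_rsa_status() {
  cfg=$(cat)
  pk=no
  hk=no
  # Newer clients print pubkeyacceptedalgorithms, older ones pubkeyacceptedkeytypes.
  if printf '%s\n' "$cfg" |
    has_alg "pubkeyacceptedalgorithms pubkeyacceptedkeytypes" ssh-rsa; then pk=yes; fi
  if printf '%s\n' "$cfg" | has_alg "hostkeyalgorithms" ssh-rsa; then hk=yes; fi
  echo "pubkey=$pk hostkey=$hk"
}

# Constructed sample: a client whose defaults no longer include ssh-rsa.
SAMPLE_DEFAULT='hostname 127.0.0.1
pubkeyacceptedalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
hostkeyalgorithms ssh-ed25519,ssh-rsa-cert-v01@openssh.com,rsa-sha2-512'

# Constructed sample: the same client after the "+ssh-rsa" lines take effect.
SAMPLE_ENABLED='hostname 127.0.0.1
pubkeyacceptedalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,ssh-rsa'

printf '%s\n' "$SAMPLE_DEFAULT" | ssh_rsa_status
printf '%s\n' "$SAMPLE_ENABLED" | ssh_rsa_status
```

Running the same check against another hostname shows how far a `Host *` block extends the SHA-1 fallback beyond the 127.0.0.1 tunnel.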
