How can I establish a session against one-off dynos in a Shield Private Space?

Issue

Even though I registered an SSH key on Heroku, I cannot connect to Shield one-off dynos. The Heroku CLI command heroku run bash shows an error like:

 ▸    There was a problem connecting to the dyno.
 ▸    Confirm that your ssh key is added to your agent by running `ssh-add`.
 ▸    Check that your ssh key has been uploaded to heroku with `heroku keys:add`.
 ▸    See https://devcenter.heroku.com/articles/one-off-dynos#shield-private-spaces

Resolution

You may have to allow the SSH key to be used against 127.0.0.1 in ~/.ssh/config. The Heroku CLI command creates a tunnel to the Shield Private Space with its entrance at 127.0.0.1 on a random port, and runs the ssh command to connect to the tunnel.

It seems OpenSSH 8.2 disabled the ssh-rsa public key signature algorithm by default to avoid the use of the now-vulnerable SHA-1 hash algorithm. This makes it impossible for customers who uploaded RSA keys to establish the SSH connection against the bastion, which only supports ssh-rsa, until a pull request that enables rsa-sha2-256, rsa-sha2-512, and ssh-rsa is merged and deployed to customers' Private Spaces. Until then, we'd need to ask customers to enable ssh-rsa by adding the following to ~/.ssh/config:

Host *
  HostKeyAlgorithms +ssh-rsa
  PubkeyAcceptedKeyTypes +ssh-rsa
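
The snippet above re-enables ssh-rsa for every host (Host *). As an added example (not Heroku's own code), the following shell functions parse the effective client configuration printed by ssh -G and report whether ssh-rsa is enabled, so you can confirm the change took effect for the tunnel at 127.0.0.1 and see whether it also applies to other hosts. The function names, the sample output and the host other.example.com are constructed for illustration; the narrower Host 127.0.0.1 stanza in the comment assumes the tunnel is always reached at that address, as described above.

```shell
#!/bin/sh
# Added example, not Heroku's code. Function names and samples are constructed.
#
# Narrower alternative to "Host *" (assumes the CLI tunnel is always reached
# at 127.0.0.1, as the article states):
#   Host 127.0.0.1
#     HostKeyAlgorithms +ssh-rsa
#     PubkeyAcceptedKeyTypes +ssh-rsa

# has_ssh_rsa OPTION: reads `ssh -G` output on stdin; succeeds only if the
# option's comma-separated list contains the exact entry "ssh-rsa".
has_ssh_rsa() {
    awk -v opt="$1" '
        tolower($1) == opt {
            n = split($2, algs, ",")
            for (i = 1; i <= n; i++) if (algs[i] == "ssh-rsa") found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# audit_host: reads `ssh -G <host>` output on stdin, prints one status line.
audit_host() {
    cfg=$(cat)
    hostkey=no
    pubkey=no
    if printf '%s\n' "$cfg" | has_ssh_rsa hostkeyalgorithms; then hostkey=yes; fi
    # Named pubkeyacceptedalgorithms since OpenSSH 8.5, pubkeyacceptedkeytypes before.
    for opt in pubkeyacceptedalgorithms pubkeyacceptedkeytypes; do
        if printf '%s\n' "$cfg" | has_ssh_rsa "$opt"; then pubkey=yes; fi
    done
    echo "hostkey=$hostkey pubkey=$pubkey"
}

# Constructed excerpts of `ssh -G` output (not captured from a real system).
SAMPLE_TUNNEL='hostname 127.0.0.1
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
pubkeyacceptedalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa'
SAMPLE_OTHER='hostname other.example.com
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
pubkeyacceptedalgorithms ssh-ed25519,ssh-rsa-cert-v01@openssh.com,rsa-sha2-512'

printf '%s\n' "$SAMPLE_TUNNEL" | audit_host   # hostkey=yes pubkey=yes
printf '%s\n' "$SAMPLE_OTHER"  | audit_host   # hostkey=no pubkey=no
# Live check: ssh -G 127.0.0.1 | audit_host
```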
