From ff5f9cbb13e9eefd8b91835e5e347d4bae46e874 Mon Sep 17 00:00:00 2001
From: devlinx9 <84996040+devlinx9@users.noreply.github.com>
Date: Thu, 25 Sep 2025 17:00:54 -0500
Subject: [PATCH] Fixed: Prefer newer rsa versions (256 and 512) before legacy (ssh-rsa), when the host it's added to known_hosts
---
 src/main/java/net/schmizz/sshj/transport/Proposal.java | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/src/main/java/net/schmizz/sshj/transport/Proposal.java b/src/main/java/net/schmizz/sshj/transport/Proposal.java
index 3a4102dd..0484c74f 100644
--- a/src/main/java/net/schmizz/sshj/transport/Proposal.java
+++ b/src/main/java/net/schmizz/sshj/transport/Proposal.java
@@ -165,6 +165,16 @@ private List filterKnownHostKeyAlgorithms(List configuredKeyAlgo
 preferredAlgorithms.addAll(otherAlgorithms);
+ // Reorder: ensure rsa-sha2-* come before ssh-rsa
+ if (preferredAlgorithms.contains("rsa-sha2-512") && preferredAlgorithms.contains("ssh-rsa")) {
+ preferredAlgorithms.remove("rsa-sha2-512");
+ preferredAlgorithms.add(preferredAlgorithms.indexOf("ssh-rsa"), "rsa-sha2-512");
+ }
+ if (preferredAlgorithms.contains("rsa-sha2-256") && preferredAlgorithms.contains("ssh-rsa")) {
+ preferredAlgorithms.remove("rsa-sha2-256");
+ preferredAlgorithms.add(preferredAlgorithms.indexOf("ssh-rsa"), "rsa-sha2-256");
+ }
+
 return preferredAlgorithms;
 } else {
 return configuredKeyAlgorithms;
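Review bot: The two added `if` blocks are copies of each other. The resulting preference order (rsa-sha2-512, then rsa-sha2-256, then ssh-rsa) only falls out of the order in which they run, and the comment says what is done but not why. A single loop over the SHA-2 names would make the order explicit, with a comment recording that ssh-rsa signs with SHA-1 and that the reorder deliberately overrides a configured order that lists ssh-rsa first. Only the three plain names are handled, so if this list can also carry the OpenSSH certificate variants of these algorithms, they keep whatever order the earlier filtering produced; that cannot be confirmed from the hunk. The `else` branch returns `configuredKeyAlgorithms` unchanged, and filterKnownHostKeyAlgorithms starts and ends outside the hunk.

```java
// ssh-rsa signs with SHA-1; keep the SHA-2 RSA signature algorithms ahead of it.
// This intentionally overrides the configured order; array order is the resulting preference order.
for (String sha2Rsa : new String[] {"rsa-sha2-512", "rsa-sha2-256"}) {
    if (preferredAlgorithms.contains("ssh-rsa") && preferredAlgorithms.remove(sha2Rsa)) {
        preferredAlgorithms.add(preferredAlgorithms.indexOf("ssh-rsa"), sha2Rsa);
    }
}
// … unchanged: return preferredAlgorithms / else branch …
```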