RSA itself is still secure. The specific "ssh-rsa" construction depends on SHA-1, which is quickly becoming less and less secure.
It is now possible to perform chosen-prefix attacks against the SHA-1 hash algorithm for less than USD$50K. For this reason, we will be disabling the "ssh-rsa" public key signature algorithm that depends on SHA-1 by default in a near-future release.
RSA itself is still secure. The specific "ssh-rsa" construction depends on SHA-1, which is quickly becoming less and less secure.
The better alternatives include:
The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These algorithms have the advantage of using the same key type as "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been supported since OpenSSH 7.2 and are already used by default if the client and server support them.
Wait, wasn't ssh-rsa the default and secure-enough encryption method till not so long ago?
RSA itself is still secure. The specific "ssh-rsa" construction depends on SHA-1, which is quickly becoming less and less secure.