there's no reason to permit ssh-rsa access to a machine like that, when
all the folks accessing it will almost certainly be running newer ssh
clients. The only reason ssh-rsa was required was because SunSSH was
ancient, and SunSSH is now no longer running. I have tested Debian 12,
and Debian 12 can now connect. I can add ssh-rsa if it is really needed,
but I'd like to see a reasoning before I lower the security of that
machine that far.
On 1/2/2026 16:08, mirabilos via cfarm-users wrote:
Freya Fractal via cfarm-users dixit:
yeah I can add some more permissive modes to it. gimme a bit.
You’ll need to add…
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedKeyTypes +ssh-rsa
… to /etc/ssh/sshd_config (*BEFORE* the Match blocks),
at the very least (although this shouldn’t have been a
problem for a Debian 12 client, but others need it).
bye,
//mirabilos
PS: Corresponding ~/.ssh/config or /etc/ssh/ssh_config setup,
for those in need (too-new client with older server):
    Host *
        HostKeyAlgorithms +ssh-rsa
        PubkeyAcceptedKeyTypes +ssh-rsa
_______________________________________________
cfarm-users mailing list
https://lists.tetaneutral.net/listinfo/cfarm-users
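
Added example, not part of the thread and not cfarm's own tooling: a small auditor that reports every sshd_config directive that re-enables ssh-rsa and whether it sits in the global section or inside a Match block, which is the placement point made above. The function name find_ssh_rsa and the sample configuration are constructed for illustration; only exact algorithm names are matched.

```python
# Keywords whose value is an algorithm list (matched case-insensitively).
ALGO_KEYWORDS = {
    "hostkeyalgorithms",
    "pubkeyacceptedkeytypes",    # older spelling, as used in the thread
    "pubkeyacceptedalgorithms",  # current spelling
}

# Constructed sample input; 192.0.2.0/24 is a documentation range.
SAMPLE = """\
# constructed sample, not the real host's configuration
Port 22
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa
Match User legacy
    PubkeyAcceptedAlgorithms +ssh-rsa,ssh-ed25519
Match Address 192.0.2.0/24
    PubkeyAcceptedAlgorithms -ssh-rsa
"""

def find_ssh_rsa(config_text):
    """Return (line_no, scope, keyword) for each directive that enables ssh-rsa."""
    findings = []
    scope = "global"  # everything before the first Match line
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and value are separated by whitespace or a single "=".
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "match":
            scope = "Match " + value  # lasts until the next Match or EOF
            continue
        if keyword not in ALGO_KEYWORDS:
            continue
        if value.startswith("-"):
            continue  # a "-" list removes algorithms, it does not enable them
        names = value.lstrip("+^").split(",")  # "+" appends, "^" prepends
        if "ssh-rsa" in (n.strip() for n in names):
            findings.append((line_no, scope, keyword))
    return findings

if __name__ == "__main__":
    for line_no, scope, keyword in find_ssh_rsa(SAMPLE):
        print(f"line {line_no}: {keyword} enables ssh-rsa ({scope})")
```

This reads the file text only; the configuration the daemon actually applies can be checked with sshd -T.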