[
https://issues.apache.org/jira/browse/SSHD-1118?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ian Wienand updated SSHD-1118:
------------------------------
Description:
This problem was noted with Gerrit using a 2.4.0 mina sshd server [1] after a
recent upgrade. Some users using Fedora 33 started being not able to log in.
It turns out that Fedora >=33 has dropped rsa-ssh from it's default
{{PubkeyAcceptedKeyTypes}} in
{{/etc/crypto-policies/back-ends/openssh.config}}. You either have to modify
your policy globally to "legacy" with "update-crypto-policies" or manually set
{{PubkeyAcceptedKeyTypes=ssh-rsa}} for failing servers.
I understand that {{server-sig-algs}} support isn't fully implemented in mina
sshd as yet, so the client will not be seeing the negotiation list.
However, it seems rsa-sha2-256/512 are supported? It seems like forcing this
with {{ssh -oPubkeyAcceptedKeyTypes=rsa-sha2-512}} should work, but it does not
(see related gerrit bug)?
I can provide ssh connect logs, etc. if it will help; at this point I think
it's mostly about understanding Fedora's change and any mina limitations so we
can find the best solution for users. Although Fedora 33 users are obviously a
small minority now, it probably flags something other distros will take up
sooner or later.
Thanks!
[1] [https://bugs.chromium.org/p/gerrit/issues/detail?id=13930]
was:
This problem was noted with Gerrit using a 2.4.0 mina sshd server [1] after a
recent upgrade. Some users using Fedora 33 started being not able to log in.
It turns out that Fedora >=33 has dropped rsa-ssh from it's default
PubkeyAcceptedKeyTypes in /etc/crypto-policies/back-ends/openssh.config. You
either have to modify your policy globally to "legacy" with
"update-crypto-policies" or manually set PubkeyAcceptedKeyTypes=ssh-rsa for
failing servers.
I understand that server-sig-algs support isn't fully implemented in mina sshd
as yet, so the client will not be seeing the negotiation list.
However, it seems rsa-sha2-256/512 are supported? It seems like forcing this
with {{ssh oPubkeyAcceptedKeyTypes=rsa-sha2-512}} should work, but it does not
(see related gerrit bug)?
I can provide ssh connect logs, etc. if it will help; at this point I think
it's mostly about understanding Fedora's change and any mina limitations so we
can find the best solution for users. Although Fedora 33 users are obviously a
small minority now, it probably flags something other distros will take up
sooner or later.
Thanks!
[1] [https://bugs.chromium.org/p/gerrit/issues/detail?id=13930]
> Unable to connect with Fedora 33 which has dropped ssh-rsa from
> PubkeyAcceptedKeyTypes
> --------------------------------------------------------------------------------------
>
> Key: SSHD-1118
> URL: https://issues.apache.org/jira/browse/SSHD-1118
> Project: MINA SSHD
> Issue Type: Bug
> Affects Versions: 2.4.0
> Reporter: Ian Wienand
> Priority: Major
>
> This problem was noted with Gerrit using a 2.4.0 mina sshd server [1] after a
> recent upgrade. Some users using Fedora 33 started being not able to log in.
> It turns out that Fedora >=33 has dropped rsa-ssh from it's default
> {{PubkeyAcceptedKeyTypes}} in
> {{/etc/crypto-policies/back-ends/openssh.config}}. You either have to modify
> your policy globally to "legacy" with "update-crypto-policies" or manually
> set {{PubkeyAcceptedKeyTypes=ssh-rsa}} for failing servers.
> I understand that {{server-sig-algs}} support isn't fully implemented in mina
> sshd as yet, so the client will not be seeing the negotiation list.
> However, it seems rsa-sha2-256/512 are supported? It seems like forcing this
> with {{ssh -oPubkeyAcceptedKeyTypes=rsa-sha2-512}} should work, but it does
> not (see related gerrit bug)?
> I can provide ssh connect logs, etc. if it will help; at this point I think
> it's mostly about understanding Fedora's change and any mina limitations so
> we can find the best solution for users. Although Fedora 33 users are
> obviously a small minority now, it probably flags something other distros
> will take up sooner or later.
>
> Thanks!
>
> [1] [https://bugs.chromium.org/p/gerrit/issues/detail?id=13930]
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
