[ 
https://issues.apache.org/jira/browse/SSHD-1118?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17265319#comment-17265319
 ] 

Ian Wienand commented on SSHD-1118:
-----------------------------------

{quote}which begs the question why insist on an RSA signature{quote}

I guess we don't insist on it, but it means users have to regenerate their keys 
that were working.  Which means having to communicate to them the issue and get 
them to understand how to make and deploy them.  So it's of course better if we 
can find anything to keep existing keys working :)

> Unable to connect with Fedora 33 which has dropped ssh-rsa from 
> PubkeyAcceptedKeyTypes
> --------------------------------------------------------------------------------------
>
>                 Key: SSHD-1118
>                 URL: https://issues.apache.org/jira/browse/SSHD-1118
>             Project: MINA SSHD
>          Issue Type: Bug
>    Affects Versions: 2.4.0
>            Reporter: Ian Wienand
>            Priority: Major
>
> This problem was noted with Gerrit using a 2.4.0 mina sshd server [1] after a 
> recent upgrade.  Some users using Fedora 33 started being not able to log in.
> It turns out that Fedora >=33 has dropped rsa-ssh from its default 
> {{PubkeyAcceptedKeyTypes}} in 
> {{/etc/crypto-policies/back-ends/openssh.config}}.  You either have to modify 
> your policy globally to "legacy" with "update-crypto-policies" or manually 
> set {{PubkeyAcceptedKeyTypes=ssh-rsa}} for failing servers.
> I understand that {{server-sig-algs}} support isn't fully implemented in mina 
> sshd as yet, so the client will not be seeing the negotiation list.
> However, it seems rsa-sha2-256/512 are supported?  It seems like forcing this 
> with {{ssh -oPubkeyAcceptedKeyTypes=rsa-sha2-512}} should work, but it does 
> not (see related gerrit bug)?
> I can provide ssh connect logs, etc. if it will help; at this point I think 
> it's mostly about understanding Fedora's change and any mina limitations so 
> we can find the best solution for users.  Although Fedora 33 users are 
> obviously a small minority now, it probably flags something other distros 
> will take up sooner or later.
>  
> Thanks!
>  
>  [1] [https://bugs.chromium.org/p/gerrit/issues/detail?id=13930]
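
A client-side check for the situation described in this issue, as an added example that is not part of the original message or of MINA SSHD: it reads `ssh -G <host>` output and reports whether the effective configuration still offers the `ssh-rsa` signature algorithm or only `rsa-sha2-256`/`rsa-sha2-512`. The function names, the host `gerrit.example.org` and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# List the plain RSA public-key signature algorithms found in `ssh -G` output
# read from stdin, in the order the client would offer them.
rsa_sig_algs() {
    awk '
        # OpenSSH before 8.5 prints pubkeyacceptedkeytypes; 8.5 and later
        # renamed the option to pubkeyacceptedalgorithms. Accept either.
        $1 == "pubkeyacceptedkeytypes" || $1 == "pubkeyacceptedalgorithms" {
            n = split($2, a, ",")
            for (i = 1; i <= n; i++)
                # Exact match only, so certificate variants are not counted.
                if (a[i] == "ssh-rsa" || a[i] == "rsa-sha2-256" || a[i] == "rsa-sha2-512")
                    out = out (out == "" ? "" : " ") a[i]
        }
        END { print out }
    '
}

# Classify the same input:
#   sha1-offered  ssh-rsa (RSA with SHA-1) is still in the list
#   sha2-only     RSA keys are usable, but only with rsa-sha2-256/512
#   rsa-disabled  no plain RSA signature algorithm is offered
rsa_key_status() {
    algs=$(rsa_sig_algs)
    case " $algs " in
        *" ssh-rsa "*)   echo "sha1-offered" ;;
        *" rsa-sha2-"*)  echo "sha2-only" ;;
        *)               echo "rsa-disabled" ;;
    esac
}

# Constructed sample: a default policy with ssh-rsa dropped, as the issue
# describes for Fedora 33.
FEDORA33_SAMPLE='user ian
hostname gerrit.example.org
pubkeyacceptedkeytypes ecdsa-sha2-nistp256,ssh-ed25519,rsa-sha2-256,rsa-sha2-512'

# Constructed sample: a configuration where ssh-rsa is still accepted.
LEGACY_SAMPLE='user ian
hostname gerrit.example.org
pubkeyacceptedkeytypes ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa'

printf '%s\n' "$FEDORA33_SAMPLE" | rsa_key_status
printf '%s\n' "$LEGACY_SAMPLE" | rsa_key_status
```

Against a live configuration, pipe the real output in: `ssh -G <host> | rsa_key_status`.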


