[jira] [Commented] (SSHD-1118) Unable to connect with Fedora 33 which has dropped ssh-rsa from PubkeyAcceptedKeyTypes

Fri, 05 Mar 2021 01:33:15 -0800 


    [ 
https://issues.apache.org/jira/browse/SSHD-1118?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17295902#comment-17295902
 ] 

Guillaume Nodet commented on SSHD-1118:
---------------------------------------

Right.  Though, I think clients are supposed to return an 
{{SSH_MSG_UNIMPLEMENTED}} response when they receive an unknown/unsupported 
request, so that should be quite safe even if clients do not support it.  It 
would have to be verified, but enabling extensions on the server side by 
default would be nice if that's the case.
In any case, having the ability to configure which extensions the server would 
send automatically would be required.

> Unable to connect with Fedora 33 which has dropped ssh-rsa from 
> PubkeyAcceptedKeyTypes
> --------------------------------------------------------------------------------------
>
>                 Key: SSHD-1118
>                 URL: https://issues.apache.org/jira/browse/SSHD-1118
>             Project: MINA SSHD
>          Issue Type: Bug
>    Affects Versions: 2.4.0
>            Reporter: Ian Wienand
>            Priority: Major
>
> This problem was noted with Gerrit using a 2.4.0 mina sshd server [1] after a 
> recent upgrade.  Some users using Fedora 33 started being not able to log in.
> It turns out that Fedora >=33 has dropped rsa-ssh from it's default 
> {{PubkeyAcceptedKeyTypes}} in 
> {{/etc/crypto-policies/back-ends/openssh.config}}.  You either have to modify 
> your policy globally to "legacy" with "update-crypto-policies" or manually 
> set {{PubkeyAcceptedKeyTypes=ssh-rsa}} for failing servers.
> I understand that {{server-sig-algs}} support isn't fully implemented in mina 
> sshd as yet, so the client will not be seeing the negotiation list.
> However, it seems rsa-sha2-256/512 are supported?  It seems like forcing this 
> with {{ssh -oPubkeyAcceptedKeyTypes=rsa-sha2-512}} should work, but it does 
> not (see related gerrit bug)?
> I can provide ssh connect logs, etc. if it will help; at this point I think 
> it's mostly about understanding Fedora's change and any mina limitations so 
> we can find the best solution for users.  Although Fedora 33 users are 
> obviously a small minority now, it probably flags something other distros 
> will take up sooner or later.
>  
> Thanks!
>  
>  [1] [https://bugs.chromium.org/p/gerrit/issues/detail?id=13930]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to