On Sun, Sep 20, 2020 at 07:11:29PM +0200, Pavel Raiskup wrote:
> After upgrade of one of my servers to F33, I noticed that I can not ssh to
> one of my other servers running Debian 9 system (relatively freshly EOLed,
> I need to do something about it).  On F33 I always need to:
> 
>      $ ssh -oPubkeyAcceptedKeyTypes=+ssh-rsa user@debian-9-host
> 
> The changes in Fedora packages led me to:
> 
>     https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/b298a9e1
> 
> Which led me to:
> 
>     https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2
> 
> I'm curious about the effects of the change.  It claims that RSA 2048 >= should
> stay accepted by DEFAULT, and from what I can tell the host server key seems to
> be RSA 2048 (at least that's what is generated by default on Debian 9):
> 
>     $ ssh-keygen -l -f ssh_host_rsa_key.pub
>     2048 SHA256:<...> root@debian-9-host (RSA)
> 
> Can anyone translate to me if this is really expected or a bug?  Effect is that
> Fedora 33 clients can not ssh to Debian 9 hosts by default (I'm not sure about
> the supported Debian 10, and the key quality there).

I thought this was actually due to OpenSSH dropping support for
'ssh-rsa':

https://www.openssh.com/txt/release-8.3

(i.e., the SHA-1 ssh-rsa)

kevin
