Petr Pisar wrote: > V Fri, Mar 12, 2021 at 10:53:01AM +0100, Miroslav Suchý napsal(a): > > Do I understand it correctly that soon, I will have trouble connecting to > > > > $(grep ssh-rsa ~/.ssh/known_hosts | cut -f1 -d' ') > > > > hosts? > > Should I regenerate the ssh key there? What is the prefered crypto nowadays? > > > No. Your keys do not use SHA at all. SSH protocol when performing > authenticated key exchange can use SHA. It's a matter of SSH server and SSH > client.
To expand on this, "ssh-rsa" seems to mean two things. It's a key type, and also a signature scheme. ssh-rsa keys are still good (if they're long enough). The signature scheme ssh-rsa, on the other hand, uses SHA-1 and therefore needs to be replaced. If both client and server are OpenSSH 7.2 or later, and an ssh-rsa key is involved, then one of the newer signature schemes rsa-sha2-256 and rsa-sha2-512 will be used, and you won't have any trouble. If both client and server are OpenSSH 6.5 or later, but one is older than 7.2, then you may need an ssh-ed25519 key so that the signature scheme ssh-ed25519 can be used. At least that's how I understand it. It's very confusing, because users usually only see "ssh-rsa" as a key type, but the release notes assume that the reader knows about signature schemes in the SSH protocol. Inconsistent terminology certainly doesn't help. The release notes seem to use "signature scheme" and "signature algorithm" interchangeably, and the manual uses "host key algorithms" and "key types" when it seems to actually be talking about signature schemes. Björn Persson
pgpueXa4thwTm.pgp
Description: OpenPGP digital signatur
_______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
