That doesn't add up: the server is running OpenSSH_9.2p1 Debian-2+deb12u3.
OpenSSH 9.8p1 is in testing, so Debian 13.
And Debian 11 ended at OpenSSH 8.4.
Or else they did an 11->12 upgrade a week ago, and so OpenSSH went past 8.8.

That said, it works again from the Debian 8 machine (OpenSSH 6.7p1-5), either because of my support ticket or because of my post here.

Thanks for the feedback in any case.

David

> On 3 Sept. 2024 at 14:25, Samuel Thibault <[email protected]> wrote:
>
> Hello,
>
> David Ponzone, on Tue. 03 Sept. 2024 14:13:11 +0200, wrote:
>> Has anyone noticed that a recent OpenSSH update on Debian
>> 12 (during the last 2/3 months) has literally torpedoed connections
>> from old SSH clients (Debian 4, yes I know, but you can't always do what
>> you want on legacy) and has torpedoed connections with pubkey auth
>> from Debian 8?
>
> Yes, it's documented in the file
> /usr/share/doc/openssh-client/NEWS.Debian.gz
>
>  OpenSSH 8.8 includes a number of changes that may affect existing
>  configurations:
>
>   * This release disables RSA signatures using the SHA-1 hash algorithm by
>     default.  This change has been made as the SHA-1 hash algorithm is
>     cryptographically broken, and it is possible to create chosen-prefix
>     hash collisions for <USD$50K.
>
>     For most users, this change should be invisible and there is no need to
>     replace ssh-rsa keys.  OpenSSH has supported RFC8332 RSA/SHA-256/512
>     signatures since release 7.2 and existing ssh-rsa keys will
>     automatically use the stronger algorithm where possible.
>
>     Incompatibility is more likely when connecting to older SSH
>     implementations that have not been upgraded or have not closely tracked
>     improvements in the SSH protocol.  For these cases, it may be necessary
>     to selectively re-enable RSA/SHA1 to allow connection and/or user
>     authentication via the HostkeyAlgorithms and PubkeyAcceptedAlgorithms
>     options.  For example, the following stanza in ~/.ssh/config will enable
>     RSA/SHA1 for host and user authentication for a single destination
>     host:
>
>       Host old-host
>           HostkeyAlgorithms +ssh-rsa
>           PubkeyAcceptedAlgorithms +ssh-rsa
>
>     We recommend enabling RSA/SHA1 only as a stopgap measure until legacy
>     implementations can be upgraded or reconfigured with another key type
>     (such as ECDSA or Ed25519).
>
>  OpenSSH 9.8p1 includes a number of changes that may affect existing
>  configurations:
>
>   * DSA keys, as specified in the SSH protocol, are inherently weak: they
>     are limited to 160-bit private keys and the SHA-1 digest.  The SSH
>     implementation provided by the openssh-client and openssh-server
>     packages has disabled support for DSA keys by default since OpenSSH
>     7.0p1 in 2015, released with Debian 9 ("stretch"), although it could
>     still be enabled using the HostKeyAlgorithms and
>     PubkeyAcceptedAlgorithms configuration options for host and user keys
>     respectively.
>
>     The only remaining uses of DSA at this point should be connecting to
>     some very old devices.  For all other purposes, the other key types
>     supported by OpenSSH (RSA, ECDSA, and Ed25519) are superior.
>
>     As of OpenSSH 9.8p1, DSA keys are no longer supported even with the
>     above configuration options.  If you have a device that you can only
>     connect to using DSA, then you can use the ssh1 command provided by the
>     openssh-client-ssh1 package to do so.
>
> Samuel
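
Added example, not part of the thread or of the Debian NEWS file: the version thresholds quoted above, written as a small Python check for user pubkey authentication from an older client to a newer server. The function names and the three-status result are hypothetical; the Ed25519/ECDSA introduction versions and the 8.5 option rename are upstream OpenSSH facts not stated in the thread, and the model assumes default configuration on both sides.

```python
import re

# Version thresholds. The first four come from the NEWS.Debian text quoted
# in the thread; the last two lines are upstream OpenSSH release facts.
RSA_SHA2_SINCE = (7, 2)      # RSA/SHA-256/512 signatures (RFC 8332)
DSA_OFF_SINCE = (7, 0)       # ssh-dss disabled by default
RSA_SHA1_OFF_SINCE = (8, 8)  # ssh-rsa (RSA/SHA-1) disabled by default
DSA_GONE_SINCE = (9, 8)      # ssh-dss unsupported even when configured
OPTION_RENAMED = (8, 5)      # PubkeyAcceptedKeyTypes -> PubkeyAcceptedAlgorithms
INTRODUCED = {"ssh-ed25519": (6, 5), "ecdsa-sha2-nistp256": (5, 7)}


def parse_version(banner):
    """Return (major, minor) from e.g. 'OpenSSH_9.2p1 Debian-2+deb12u3'."""
    m = re.search(r"OpenSSH[_ ](\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"not an OpenSSH version string: {banner!r}")
    return int(m.group(1)), int(m.group(2))


def pubkey_auth_verdict(client_banner, server_banner, key_type):
    """Predict user pubkey auth under default settings (simplified model).

    Returns (status, server_side_hint) with status in
    {'ok', 'needs-config', 'unsupported'}; the hint is an sshd_config line.
    """
    client = parse_version(client_banner)
    server = parse_version(server_banner)
    if client > server:
        raise ValueError("example only models an older client, newer server")
    keyword = ("PubkeyAcceptedAlgorithms" if server >= OPTION_RENAMED
               else "PubkeyAcceptedKeyTypes")
    hint = f"{keyword} +{key_type}"
    if key_type in INTRODUCED:
        # The older side (the client) must already know the key type.
        ok = client >= INTRODUCED[key_type]
        return ("ok", "") if ok else ("unsupported", "")
    if key_type == "ssh-dss":
        if server >= DSA_GONE_SINCE:
            return "unsupported", ""
        return ("needs-config", hint) if server >= DSA_OFF_SINCE else ("ok", "")
    if key_type == "ssh-rsa":
        # A client older than 7.2 can only sign with RSA/SHA-1.
        if client < RSA_SHA2_SINCE and server >= RSA_SHA1_OFF_SINCE:
            return "needs-config", hint
        return "ok", ""
    raise ValueError(f"key type not covered by this example: {key_type}")
```

A "needs-config" result corresponds to the stopgap the NEWS text describes; replacing the key with ECDSA or Ed25519, where the old client supports it, is the fix it recommends.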
