Public bug reported:

Description
===========
Currently the create Key-pair API without actual key content returns the key generated at server side, which is formatted in ssh-rsa.
However ssh-rsa is no longer supported by default since openssh 8.8

https://www.openssh.com/txt/release-8.8

```
This release disables RSA signatures using the SHA-1 hash algorithm
by default. This change has been made as the SHA-1 hash algorithm is
cryptographically broken, and it is possible to create chosen-prefix
hash collisions for <USD$50K [1]
```

Actually in current CentOS 9 Stream, SHA1 is disabled by default and ssh-rsa no longer works. Fedora disabled SHA1/ssh-rsa by default a while ago. It'd be required to support other formats like ecdsa which are generally recommended.

** Affects: nova
     Importance: Undecided
         Status: New

** Summary changed:

- ssh-rsa key will not be allowed in future version of openssl/ssh + ssh-rsa key is no longer allowed by recent openssh

** Description changed:

Description =========== Currently create Key-pair API without actual key content returns the key generated at server side which is formatted in ssh-rsa. - However ssh-rsa will be disabled in upcoming openssl/openssh, and the plan is to remove it completely in the future. - For example in current CentOS 9 Stream, SHA1 is disabled by default and ssh-rsa no longer works. + However ssh-rsa is no longer supported by default since openssh 8.8 + + + https://www.openssh.com/txt/release-8.8 + + ``` + + This release disables RSA signatures using the SHA-1 hash algorithm + by default. This change has been made as the SHA-1 hash algorithm is + cryptographically broken, and it is possible to create chosen-prefix + hash collisions for <USD$50K [1] + ``` + + Actually in current CentOS 9 Stream, SHA1 is disabled by default and ssh-rsa no longer works. Fedora disabled SHA1/ssh-rsa by default a while ago. It's be required to support other formats like edcsa which are generally recommended.

** Description changed:

Description =========== Currently create Key-pair API without actual key content returns the key generated at server side which is formatted in ssh-rsa.
However ssh-rsa is no longer supported by default since openssh 8.8 - https://www.openssh.com/txt/release-8.8 ``` - This release disables RSA signatures using the SHA-1 hash algorithm by default. This change has been made as the SHA-1 hash algorithm is cryptographically broken, and it is possible to create chosen-prefix hash collisions for <USD$50K [1] ``` Actually in current CentOS 9 Stream, SHA1 is disabled by default and ssh-rsa no longer works. Fedora disabled SHA1/ssh-rsa by default a while ago. It's be required to support other formats like edcsa which are generally recommended.

--
https://bugs.launchpad.net/bugs/1962726

Title:
  ssh-rsa key is no longer allowed by recent openssh

Status in OpenStack Compute (nova):
  New
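An added example, not part of the bug report or of nova's code: a standard-library Python check that reads the key type out of an OpenSSH public-key line, such as the one a keypair API returns, and flags types whose same-named signature algorithm uses SHA-1. The sample lines are constructed (not real keys), the function names are this example's own, and it assumes a bare `type base64 [comment]` line with no authorized_keys options prefix.

```python
import base64
import struct

# Key types whose same-named signature algorithm hashes with SHA-1.
SHA1_SIGNATURE_TYPES = {"ssh-rsa", "ssh-dss"}


def read_string(blob, offset):
    """Read one SSH wire string (uint32 big-endian length, then that many bytes)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated string")
    return blob[offset + 4:end], end


def classify_public_key(line):
    """Return (key_type, rsa_bits or None, flagged) for a 'type base64 [comment]' line."""
    declared, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    raw_type, offset = read_string(blob, 0)
    key_type = raw_type.decode("ascii")
    if key_type != declared:
        raise ValueError("declared type does not match the type inside the blob")
    bits = None
    if key_type == "ssh-rsa":
        _exponent, offset = read_string(blob, offset)  # mpint e
        modulus, _ = read_string(blob, offset)         # mpint n
        bits = int.from_bytes(modulus, "big").bit_length()
    return key_type, bits, key_type in SHA1_SIGNATURE_TYPES


def encode_wire(*fields):
    """Encode fields as SSH wire strings and base64 the result (sample builder)."""
    raw = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    return base64.b64encode(raw).decode("ascii")


# Constructed samples: structurally valid blobs, not real key material.
SAMPLE_RSA = "ssh-rsa " + encode_wire(b"ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xc3" * 256) + " sample"
SAMPLE_ED25519 = "ssh-ed25519 " + encode_wire(b"ssh-ed25519", b"\x11" * 32) + " sample"

if __name__ == "__main__":
    for sample in (SAMPLE_RSA, SAMPLE_ED25519):
        print(classify_public_key(sample))
```

A flagged `ssh-rsa` key marks a key to review, not necessarily one that fails everywhere: OpenSSH can sign with the same RSA key using rsa-sha2-256/512 (RFC 8332) when both client and server support it.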