On 2021/09/07 14:40, Martijn van Duren wrote:
> On Mon, 2021-08-30 at 10:08 +1000, Damien Miller wrote:
> > Hi,
> >
> > RSA/SHA1, a.k.a. the "ssh-rsa" signature type is now disabled by default
> > in OpenSSH.
> >
> > While the SSH protocol confusingly uses overlapping names for key and
> > signature algorithms, this does not stop the use of RSA keys and there
> > is no need to regenerate "ssh-rsa" keys - most servers released in the
> > last five years will automatically negotiate the use of RSA/SHA-256/512
> > signatures.
> >
> > This has been coming for a long time, but I do expect it will be
> > disruptive for some people as there are likely to be some devices
> > out there that cannot be upgraded to support the safer algorithms.
> >
> > In these cases, it is possible to selectively re-enable RSA/SHA1
> > support by specifying PubkeyAcceptedAlgorithms=+ssh-rsa in the
> > ssh_config(5) or sshd_config(5) for the endpoint.
> >
> > Please report any problems here, to bugs@ or to openssh@
> >
> > Thanks,
> > Damien
> >
> Just did an update to the latest snapshot and this breaks connection
> to one of the older hosts I still need to connect to from time to time.
>
> Reverting this diff fixes the issue for me.
>
> According to -G it should work:
>
> $ ssh -G -oPubkeyAcceptedAlgorithms=ssh-rsa 10.255.3.242 | grep -i PubkeyAcceptedAlgorithms
> pubkeyacceptedalgorithms ssh-rsa
-oHostKeyAlgorithms=+ssh-rsa

It works, I have disabled ssh-rsa by default for ages and have set that for
various cisco/procurve switches that I need to connect to.
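A per-host ssh_config(5) stanza that re-enables RSA/SHA1 for both signature uses the thread touches on (the server's host key signature via HostKeyAlgorithms, and the client's user authentication signature via PubkeyAcceptedAlgorithms) while leaving the default for every other host. This is an added example, not a message from the thread; the host alias and address are placeholders.

```sshconfig
# Confine the RSA/SHA1 allowance to one legacy device instead of setting it
# globally; all other hosts keep the OpenSSH default where ssh-rsa is disabled.
# "legacy-switch" and 192.0.2.10 are placeholders, not values from the thread.
Host legacy-switch
    HostName 192.0.2.10
    # Host key exchange: accept the device proving its identity with ssh-rsa.
    # Without this, PubkeyAcceptedAlgorithms alone is not enough and the
    # connection still fails before user authentication is reached.
    HostKeyAlgorithms +ssh-rsa
    # User authentication: allow our RSA key to sign with RSA/SHA1 for this host.
    PubkeyAcceptedAlgorithms +ssh-rsa
```

The effective per-host values can be checked with `ssh -G legacy-switch`, which prints the resolved `hostkeyalgorithms` and `pubkeyacceptedalgorithms` lists for that alias.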