On 02/06/2025 21:32, Frederic Muller wrote:
Hi!
Is there something that changed in F42 making forward agent no longer
working? I'm logging in using SSH key to a VPS to which I usually log
in without any problem.
I then sudo su, but it's asking for a password.
My config is as such:
Host myhost
    Hostname thatsite.com
    ForwardAgent Yes
    User myself
    IdentityFile ~/.ssh/s1_sca
    PubkeyAuthentication yes
    ControlPersist 5m
I copied the old .ssh from my backup so it's all the same files and I
do manage to ssh to the server, just not sudo su.
Thank you.
Fred
Hey!
Old message to which I finally found the answer and thought I would
share: modern OpenSSH versions completely disable old ssh-rsa (SHA-1)
signatures for security. However, the pam_ssh_agent_auth module is
trying to ask my local agent for a legacy SHA-1 signature. My local
agent sees this request, deems it insecure, and drops the connection,
leading to an "admitted failure to sign" in my server error log. Adding
"PubkeyAcceptedAlgorithms +ssh-rsa" to my .ssh/config for that server
doesn't cut it (or maybe there is a better line to add?) because the
local ssh-agent process runs independently and completely ignores that
file when it receives raw signing requests over a forwarded socket. The
working solution is therefore to switch over to an Ed25519 key,
completely bypassing all legacy RSA signature restrictions.
I am adding to this the comment I found here:
https://stackoverflow.com/questions/51834225/why-use-t-rsa-b-4096-with-ssh-keygen
below the 2nd answer (2nd comment). "In 2021, there is grave danger with
using ed25519 for your SSH keys". He attributes improvements in quantum
computing to support that opinion. He says, "I've switched to RSA 8192.
Support seems pretty good.
    ssh-keygen -o -t rsa -a 100 -b 8192 -f id_rsa-8192 -C "[email protected]"
The -a 100 makes it even harder for conventional hackers to bruteforce
your passphrase."
So I'll let you ponder about the comment, but using Ed25519 definitely
works!
Thank you.
Fred
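To make the mechanism in the reply above concrete, here is an added example (not from the thread, nor from OpenSSH or pam_ssh_agent_auth) that frames and decodes a SSH_AGENTC_SIGN_REQUEST the way it travels over a forwarded SSH_AUTH_SOCK. Message number and flag bits follow the SSH agent protocol draft (draft-miller-ssh-agent); the key blobs are constructed placeholders, not real keys. It shows why an RSA key asked to sign with flags == 0 lands in "ssh-rsa" (SHA-1) territory while an Ed25519 key never does.

```python
import struct

# SSH agent protocol constants (draft-miller-ssh-agent)
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_RSA_SHA2_256 = 0x02   # flag: ask for rsa-sha2-256
SSH_AGENT_RSA_SHA2_512 = 0x04   # flag: ask for rsa-sha2-512


def _string(b):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def build_sign_request(key_blob, data, flags=0):
    """Frame a sign request exactly as a client writes it to SSH_AUTH_SOCK."""
    body = (bytes([SSH_AGENTC_SIGN_REQUEST]) + _string(key_blob)
            + _string(data) + struct.pack(">I", flags))
    return struct.pack(">I", len(body)) + body


def requested_algorithm(msg):
    """Return (key type, signature algorithm the agent is being asked for)."""
    (length,) = struct.unpack_from(">I", msg, 0)
    body = msg[4:4 + length]
    if body[0] != SSH_AGENTC_SIGN_REQUEST:
        raise ValueError("not a SSH_AGENTC_SIGN_REQUEST")
    key_blob, off = _read_string(body, 1)
    _data, off = _read_string(body, off)
    (flags,) = struct.unpack_from(">I", body, off)
    key_type = _read_string(key_blob, 0)[0].decode()
    if key_type == "ssh-rsa":
        if flags & SSH_AGENT_RSA_SHA2_512:
            return key_type, "rsa-sha2-512"
        if flags & SSH_AGENT_RSA_SHA2_256:
            return key_type, "rsa-sha2-256"
        return key_type, "ssh-rsa"      # SHA-1: a modern agent refuses this
    return key_type, key_type           # Ed25519 etc. ignore the RSA flags


def needs_legacy_sha1(msg):
    """True when a modern ssh-agent would drop this request as insecure."""
    return requested_algorithm(msg)[1] == "ssh-rsa"


# Constructed placeholder key blobs (field layout only, not real keys)
RSA_BLOB = _string(b"ssh-rsa") + _string(b"\x01\x00\x01") + _string(b"\x00" + b"\xab" * 32)
ED25519_BLOB = _string(b"ssh-ed25519") + _string(b"\xcd" * 32)
```

A request from a module that never sets the SHA-2 flags decodes to "ssh-rsa" for an RSA key and is exactly the one the reply's agent dropped; the same request against an Ed25519 key decodes to "ssh-ed25519" regardless of flags.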
--
_______________________________________________
users mailing list -- [email protected]