Re: Fedora 33 - ssh clients - drop of PubkeyAcceptedKeyTypes=ssh-rsa

On Sunday, September 20, 2020 8:52:21 PM CEST Kevin Fenzi wrote:
> On Sun, Sep 20, 2020 at 07:11:29PM +0200, Pavel Raiskup wrote:
> > After upgrade of one of my servers to F33, I noticed that I can not ssh to
> > one of my other servers running Debian 9 system (relatively freshly EOLed,
> > I need to do something about it).  On F33 I always need to:
> > 
> >      $ ssh -oPubkeyAcceptedKeyTypes=+ssh-rsa user@debian-9-host
> > 
> > The changes in Fedora packages led me to:
> > 
> >     https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/b298a9e1
> > 
> > Which led me to:
> > 
> >     https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2
> > 
> > I'm curious about the effects of the change.  It claims that RSA 2048 >= should
> > stay accepted by DEFAULT, and from what I can tell the host server key seems to
> > be RSA 2048 (at least that's what is generated by default on Debian 9):
> > 
> >     $ ssh-keygen -l -f ssh_host_rsa_key.pub
> >     2048 SHA256:<...> root@debian-9-host (RSA)
> > 
> > Can anyone translate to me if this is really expected or a bug?  Effect is that
> > Fedora 33 clients can not ssh to Debian 9 hosts by default (I'm not sure about
> > the supported Debian 10, and the key quality there).
> 
> I thought this was actually due to openssh dropping support for
> 'ssh-rsa':
> 
> https://www.openssh.com/txt/release-8.3
> 
> (ie, the sha-1 ssh-rsa)

Well, I did:

    $ cd /etc/ssh
    $ rm ssh_host*
    $ ssh-keygen -N "" -t rsa-sha2-512 -b 4096 -f /etc/ssh/ssh_host_rsa_key
    $ dpkg-reconfigure openssh-server
    ... generates the remaining ECDSA and ED25519 ...

New host signature detected, but I still get on F33 when trying to ssh:

    $ ssh -vv ...
    debug1: Offering public key: /home/praiskup/.ssh/id_rsa RSA SHA256:...
    debug1: send_pubkey_test: no mutual signature algorithm
    ...

And still -oPubkeyAcceptedKeyTypes=+ssh-rsa helps...  Does that mean that the
ssh-keygen on Debian 9 is broken?  How am I able to tell whether this is a
server or client problem?

Pavel

> kevin
> 
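
Added example (not part of the original message): a shell function that reads `ssh -vv` output and reports whether negotiation failed on the server's host key or on the signature algorithm for the client's own identity key, which is the stage the `send_pubkey_test` line above belongs to. The function name, output format and sample lines are constructed for illustration; the `kex_input_ext_info` and `no matching host key type found` lines are OpenSSH client messages that are not quoted in the thread.

```shell
#!/bin/sh
# Classify where an OpenSSH client gave up, reading `ssh -vv` output on stdin.
# classify_ssh_debug is a hypothetical helper name, not an OpenSSH tool.

classify_ssh_debug() {
    awk '
    # Identity (user) key the client is about to try.
    /Offering public key:/ {
        for (i = 1; i <= NF; i++) if ($i == "key:") offered = $(i + 1)
    }
    # Signature algorithms the server advertises for user authentication.
    /kex_input_ext_info: server-sig-algs=/ {
        algs = $0
        sub(/.*server-sig-algs=</, "", algs)
        sub(/>.*/, "", algs)
    }
    # Client found no usable signature algorithm for the identity key.
    /no mutual signature algorithm/ { userkey = 1 }
    # Key exchange could not agree on a host key algorithm.
    /no matching host key type found/ { hostkey = 1 }
    END {
        if (hostkey) { print "stage=host-key-negotiation"; exit }
        if (!userkey) { print "stage=unknown"; exit }
        sha2 = (algs ~ /rsa-sha2-(256|512)/) ? "yes" : "no"
        if (algs == "") sha2 = "not-advertised"
        printf "stage=user-key-signature key=%s server_rsa_sha2=%s\n", offered, sha2
    }'
}

# Constructed sample modelled on the debug lines quoted above.
classify_ssh_debug <<'EOF'
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: Offering public key: /home/user/.ssh/id_rsa RSA SHA256:CONSTRUCTED
debug1: send_pubkey_test: no mutual signature algorithm
EOF
```

A `stage=user-key-signature` result points at the identity key under `~/.ssh` and the client's `PubkeyAcceptedKeyTypes` list, not at the host keys in `/etc/ssh` on the server.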


