Re: Issues with newest version of openssh 8.8p1-1

On 2021-09-28 at 07:32:05, Bryan Turner wrote:
> Ultimately this isn't a Git issue; it's an SSH issue. My guess would
> be that upgrading to OpenSSH 8.8 picks up the change to stop using RSA
> signatures using SHA-1 hashes by default.[1]
> 
> You can update your ~/.ssh/config to add these lines to revert that
> and allow using those keys again:
> Host old-host
>      HostkeyAlgorithms +ssh-rsa
>      PubkeyAcceptedAlgorithms +ssh-rsa

I should point out that these algorithms are disabled by default because
they are a security risk.  This has been announced for a long time now
in OpenSSH and everyone should have either switched key types or enabled
RSA with SHA-2 or both.

> With that said, though, if possible a better solution is to generate
> new SSH keys using ECDSA, Ed25519 or another stronger signature and
> switch to those.

You also need to contact the party operating the server to which you're
trying to push in this case, since it's ultimately the fact that they
don't support RSA with SHA-2 that's the problem.

There are a couple different providers (in my testing just this second,
I found Bitbucket and Azure DevOps) who are still offering only the
ssh-rsa host keys (possibly with ssh-dss as well) and not offering the
rsa-sha2-256 and rsa-sha2-512 algorithms, and only the server operator
can fix those.  If the server operator adds support for RSA with SHA-2,
then OpenSSH 8.8 will work just fine.  But otherwise, this will continue
to be broken out of the box.

But as for client keys, I do strongly recommend Ed25519 in all cases.
If you have the misfortune of having to use a FIPS-compliant environment
(which I don't recommend in any case), then use RSA with SHA-2.
-- 
brian m. carlson (he/him or they/them)
Toronto, Ontario, CA
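An added example (not from this thread or from OpenSSH) of the check described above: given a captured `ssh -vv` transcript, pick out the host key algorithms the *server* offered and report whether it negotiates with OpenSSH 8.8 defaults or only if ssh-rsa (SHA-1) is re-enabled. The two log excerpts are constructed, not real captures from any provider.

```python
import re

# Constructed excerpt of `ssh -vv` output (not a real capture): a server that
# offers only SHA-1 based RSA (and DSA) host key algorithms.
LEGACY_SERVER_LOG = """\
debug2: local client KEXINIT proposal
debug2: host key algorithms: ssh-ed25519,rsa-sha2-512,rsa-sha2-256
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,ssh-dss
debug2: ciphers ctos: aes128-ctr,aes256-ctr
"""

# Constructed excerpt for a server that has added RSA with SHA-2.
MODERN_SERVER_LOG = """\
debug2: local client KEXINIT proposal
debug2: host key algorithms: ssh-ed25519,rsa-sha2-512,rsa-sha2-256
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-ed25519
"""

SHA2_RSA = {"rsa-sha2-512", "rsa-sha2-256"}
SHA1_ONLY = {"ssh-rsa", "ssh-dss"}  # disabled in OpenSSH 8.8 defaults


def server_hostkey_algorithms(log):
    """Return the host key algorithms listed in the *peer server* KEXINIT
    block; the client's own proposal earlier in the log is skipped."""
    in_server = False
    for line in log.splitlines():
        if "peer server KEXINIT proposal" in line:
            in_server = True
        elif in_server:
            m = re.match(r"debug2: host key algorithms: (.+)", line)
            if m:
                return m.group(1).split(",")
    return []


def assess(log):
    """'ok' if the server offers something OpenSSH 8.8 accepts by default,
    'sha1-only' if it offers only ssh-rsa/ssh-dss, else 'unknown'."""
    algs = set(server_hostkey_algorithms(log))
    if algs & SHA2_RSA or "ssh-ed25519" in algs or any(a.startswith("ecdsa-") for a in algs):
        return "ok"
    if algs and algs <= SHA1_ONLY:
        return "sha1-only"
    return "unknown"
```

Running it against a real `ssh -vv` capture tells you whether the fix belongs on the server (add rsa-sha2 support) or whether the per-host `+ssh-rsa` workaround quoted above is the only option until the operator does.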
