The crypto policies are system-wide to disallow any software (using system crypto) from using unsafe/weak/unwanted algorithms, which is exactly what you are trying to do. You'll need to allow that system-wide by default, unfortunately. Luckily you can then disallow ssh-rsa in ssh-config by default and only enable it for a few hosts.

The correct solution is to throw whatever requires it to the garbage and never buy from that vendor again.

Jan

> On 9. 9. 2024, at 17:04, kevin martin <ktmdms@xxxxxxxxx> wrote:
>
> I'm using the most up to date version of openssh on OL8 that I can patch to
> (OpenSSH_8.0p1), I've used update-crypto-policies to disallow the use of
> ssh-rsa, but apparently am connecting to a host that uses ssh-rsa. I've
> tried adding
>
> HostkeyAlgorithms +ssh-rsa,ssh-rsa-cert-v01@xxxxxxxxxxx
> PubkeyAcceptedAlgorithms +ssh-rsa,ssh-rsa-cert-v01@xxxxxxxxxxx
> or
> HostkeyAlgorithms +ssh-rsa-cert-v01@xxxxxxxxxxx,ssh-rsa
> PubkeyAcceptedAlgorithms +ssh-rsa-cert-v01@xxxxxxxxxxx,ssh-rsa
>
> to my .ssh/config and still receive an error message of:
>
> agent key RSA-CERT SHA256:..... returned incorrect signature type
> sign_and_send_pubkey: no mutual signature supported
>
> if I update-crypto-policies to the DEFAULT policy, the connectivity works
> correctly. I'm a bit confused as to why openssh isn't using my personal
> config settings to override the system wide settings or am I not setting
> the necessary or is this by design?
>
> ---
>
> Regards,
>
> Kevin Martin
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
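The layout Jan suggests (ssh-rsa removed for every host by default, re-enabled for a short list of named hosts) only works if the per-host block comes before the catch-all "Host *", because ssh_config(5) uses the first obtained value for each keyword. The following model resolver is an added illustration, not code from this thread or from OpenSSH; the host names, the config text and the default algorithm list are constructed for the example, and it reproduces only two rules of the real client: first value wins, and a list beginning with "+", "-" or "^" appends to, removes from, or prepends to the default set.

```python
"""Toy model of how the OpenSSH client merges per-host algorithm settings.

Constructed example, not OpenSSH's own code. It covers two rules from
ssh_config(5) that matter for Jan's suggestion:
  * for each keyword, the first obtained value wins, so a host-specific
    block must appear before the catch-all "Host *";
  * a list starting with '+' appends to the default set, '-' removes
    names (wildcards allowed) from it, and '^' moves names to the front.
"""
import fnmatch

# Assumed default list for illustration only; the real default depends on
# the OpenSSH version and on the system-wide crypto policy.
DEFAULT_ALGOS = ["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"]

# Constructed ~/.ssh/config in the shape Jan describes: one legacy host keeps
# ssh-rsa, every other host has it removed. Order matters (see MISORDERED).
SSH_CONFIG = """
Host legacy.example.internal
    HostkeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa

Host *
    HostkeyAlgorithms -ssh-rsa
    PubkeyAcceptedAlgorithms -ssh-rsa
"""

# Same blocks in the wrong order: "Host *" is matched first for every host,
# so the legacy exception is never reached.
MISORDERED_CONFIG = """
Host *
    HostkeyAlgorithms -ssh-rsa

Host legacy.example.internal
    HostkeyAlgorithms +ssh-rsa
"""


def parse_config(text):
    """Return [(host_patterns, {keyword_lower: value}), ...] in file order."""
    blocks = []
    patterns, settings = ["*"], {}  # options before any Host line apply everywhere
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "host":
            blocks.append((patterns, settings))
            patterns, settings = value.split(), {}
        else:
            settings.setdefault(key, value)  # first value inside a block wins too
    blocks.append((patterns, settings))
    return blocks


def first_value(blocks, host, keyword):
    """First obtained value of keyword among blocks whose patterns match host."""
    for patterns, settings in blocks:
        if keyword in settings and any(fnmatch.fnmatchcase(host, p) for p in patterns):
            return settings[keyword]
    return None


def apply_modifier(value, default):
    """Expand a '+', '-' or '^' list against the default algorithm set."""
    if value is None:
        return list(default)
    mod = value[0] if value[0] in "+-^" else ""
    names = value[len(mod):].split(",")
    if mod == "+":
        return list(default) + [n for n in names if n not in default]
    if mod == "-":
        return [a for a in default if not any(fnmatch.fnmatchcase(a, n) for n in names)]
    if mod == "^":
        return names + [a for a in default if a not in names]
    return names  # no modifier: the list replaces the default outright


def effective_algorithms(config_text, host, keyword="hostkeyalgorithms"):
    """Algorithm list the model client would offer to host for the given keyword."""
    return apply_modifier(first_value(parse_config(config_text), host, keyword), DEFAULT_ALGOS)


if __name__ == "__main__":
    for cfg_name, cfg in (("ordered", SSH_CONFIG), ("misordered", MISORDERED_CONFIG)):
        for host in ("legacy.example.internal", "other.example.internal"):
            print(cfg_name, host, effective_algorithms(cfg, host))
```

On a real system the same question is answered by `ssh -G <host>`, which prints the configuration the client would actually use after evaluating the Host blocks, including whatever the system-wide policy contributes; comparing its output for the legacy host and for any other host is the quickest check that the exception is scoped as narrowly as intended.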