Re: OL8 (RHEL8), ssh-rsa turned off using update-crypto-policies, receiving an openssh error that I don't seem to be able to override in my personal .ssh/config file


The crypto policies are system-wide to disallow any software (using system crypto) from using unsafe/weak/unwanted algorithms, which is exactly what you are trying to do.

You’ll need to allow that system-wide by default, unfortunately. Luckily you can then disallow ssh-rsa in ssh-config by default and only enable it for a few hosts.

The correct solution is to throw whatever requires it to the garbage and never buy from that vendor again.

Jan


> On 9. 9. 2024, at 17:04, kevin martin <ktmdms@xxxxxxxxx> wrote:
> 
> I'm using the most up to date version of openssh on OL8 that I can patch to
> (OpenSSH_8.0p1), I've used update-crypto-policies to disallow the use of
> ssh-rsa, but apparently am connecting to a host that uses ssh-rsa.  I've
> tried adding
> 
> HostkeyAlgorithms +ssh-rsa,ssh-rsa-cert-v01@xxxxxxxxxxx
> PubkeyAcceptedAlgorithms +ssh-rsa,ssh-rsa-cert-v01@xxxxxxxxxxx
> or
> HostkeyAlgorithms +ssh-rsa-cert-v01@xxxxxxxxxxx,ssh-rsa
> PubkeyAcceptedAlgorithms +ssh-rsa-cert-v01@xxxxxxxxxxx,ssh-rsa
> 
> to my .ssh/config and still receive an error message of:
> 
> agent key RSA-CERT SHA256:..... returned incorrect signature type
> sign_and_send_pubkey: no mutual signature supported
> 
> if I update-crypto-policies to the DEFAULT policy, the connectivity works
> correctly.  I'm a bit confused as to why openssh isn't using my personal
> config settings to override the system-wide settings, or am I not setting
> what is necessary, or is this by design?
> 
> ---
> 
> 
> Regards,
> 
> Kevin Martin
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

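The two-step approach Jan describes (permit ssh-rsa in the system policy, then keep it disabled in ssh_config except for named hosts), written out as an added example that is not part of the thread. Assumptions: the legacy host is called legacy.example.com (hypothetical), the config is written to a path you pass in rather than straight to ~/.ssh/config, and the OL8/RHEL 8 file layout (/etc/crypto-policies/back-ends/openssh.config) is used. PubkeyAcceptedKeyTypes is used instead of PubkeyAcceptedAlgorithms because it is the name OpenSSH 8.0 knows and later releases still accept it as an alias.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Step 1 (system policy), step 2 (user config), step 3 (verify) from Jan's reply.
set -eu

# Step 1: show which policy is active and what it currently feeds into ssh.
# Per the original post, the DEFAULT policy still permits ssh-rsa; setting it
# (update-crypto-policies --set DEFAULT, then restart affected services or
# reboot) is the "allow system-wide" part. This function only inspects.
show_policy() {
    if command -v update-crypto-policies >/dev/null 2>&1; then
        update-crypto-policies --show
        grep -iE 'HostKeyAlgorithms|PubkeyAcceptedKeyTypes' \
            /etc/crypto-policies/back-ends/openssh.config || true
    fi
}

# Step 2: write a user config in which the legacy host block comes FIRST.
# ssh_config keeps the first value it obtains for an option, so the catch-all
# "Host *" must come after any host-specific block it should not override.
# "+" appends to the built-in default list, "-" removes from it (OpenSSH >= 7.5).
write_user_config() {
    cfg="$1"
    mkdir -p "$(dirname "$cfg")"
    cat > "$cfg" <<'EOF'
# Only this host (hypothetical name) may negotiate SHA-1 RSA signatures.
Host legacy.example.com
    HostKeyAlgorithms +ssh-rsa,ssh-rsa-cert-v01@openssh.com
    PubkeyAcceptedKeyTypes +ssh-rsa,ssh-rsa-cert-v01@openssh.com

# Everyone else: strip ssh-rsa from the default list even though the
# system policy now permits it.
Host *
    HostKeyAlgorithms -ssh-rsa,ssh-rsa-cert-v01@openssh.com
    PubkeyAcceptedKeyTypes -ssh-rsa,ssh-rsa-cert-v01@openssh.com
EOF
    chmod 600 "$cfg"
}

# Guard against the classic mistake: if "Host *" precedes the legacy block,
# its "-ssh-rsa" is the first value obtained and wins for the legacy host too.
# Returns 0 when the legacy block is ordered before the catch-all.
check_order() {
    legacy=$(grep -n '^Host legacy\.example\.com' "$1" | cut -d: -f1 || true)
    catchall=$(grep -n '^Host \*' "$1" | cut -d: -f1 || true)
    [ -n "$legacy" ] && [ -n "$catchall" ] && [ "$legacy" -lt "$catchall" ]
}

# Step 3: print the algorithm lists ssh would actually use for a host, without
# connecting (ssh -G resolves the config and expands the +/- operators).
effective() {
    ssh -G -F "$1" "$2" \
        | grep -iE '^(hostkeyalgorithms|pubkeyacceptedkeytypes|pubkeyacceptedalgorithms) '
}

# Usage (interactive):
#   write_user_config "$HOME/.ssh/config.rsa-test"
#   check_order "$HOME/.ssh/config.rsa-test" && echo "order ok"
#   effective "$HOME/.ssh/config.rsa-test" legacy.example.com   # should list ssh-rsa
#   effective "$HOME/.ssh/config.rsa-test" other.example.com    # should not
```

Run `effective` twice, once for the legacy host and once for any other name, and compare the two lists: ssh-rsa should appear only in the first. If it appears in neither even after the policy change, the block order in the file is the first thing to check.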
