Lol! Our Security team sent out new policies that dictated turning off ssh-rsa, so we did. Turns out our Security Team doesn't necessarily follow their own dictates, so here we are. Our Linux team says that the correct way to turn off ssh-rsa is via the crypto policies, not via direct manipulation of the /etc/ssh/ssh_config, and I guess that's probably the absolute best way to do so, but then I have this situation to deal with. I like the idea of leaving crypto policies defaulted, updating the ssh_config at the system level to disable ssh-rsa, and then overriding in my local .ssh/config file. Probably the only way I'll get this to work and still technically follow Security team rules. Thanks for the information.

---

Regards,

Kevin Martin

On Mon, Sep 9, 2024 at 10:41 AM Jan Schermer <jan@xxxxxxxxxxx> wrote:

> The crypto policies are system-wide to disallow any software (using system
> crypto) from using unsafe/weak/unwanted algorithm, which is exactly what
> you are trying to do.
>
> You’ll need to allow that system-wide by default, unfortunately. Luckily
> you can then disallow ssh-rsa in ssh-config by default and only enable it
> for a few hosts.
>
> The correct solution is to throw whatever requires it to the garbage and
> never buy from that vendor again.
>
> Jan
>
> > On 9. 9. 2024, at 17:04, kevin martin <ktmdms@xxxxxxxxx> wrote:
> >
> > I'm using the most up to date version of openssh on OL8 that I can patch
> > to (OpenSSH_8.0p1), I've used update-crypto-policies to disallow the use of
> > ssh-rsa, but apparently am connecting to a host that uses ssh-rsa. I've
> > tried adding
> >
> > HostkeyAlgorithms +ssh-rsa,ssh-rsa-cert-v01@xxxxxxxxxxx
> > PubkeyAcceptedAlgorithms +ssh-rsa,ssh-rsa-cert-v01@xxxxxxxxxxx
> >
> > or
> >
> > HostkeyAlgorithms +ssh-rsa-cert-v01@xxxxxxxxxxx,ssh-rsa
> > PubkeyAcceptedAlgorithms +ssh-rsa-cert-v01@xxxxxxxxxxx,ssh-rsa
> >
> > to my .ssh/config and still receive an error message of:
> >
> > agent key RSA-CERT SHA256:..... returned incorrect signature type
> > sign_and_send_pubkey: no mutual signature supported
> >
> > if I update-crypto-policies to the DEFAULT policy, the connectivity works
> > correctly. I'm a bit confused as to why openssh isn't using my personal
> > config settings to override the system wide settings or am I not setting
> > the necessary or is this by design?
> >
> > ---
> >
> > Regards,
> >
> > Kevin Martin
> > _______________________________________________
> > openssh-unix-dev mailing list
> > openssh-unix-dev@xxxxxxxxxxx
> > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
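The layered setup the thread settles on (crypto policy left at DEFAULT, ssh-rsa removed in the system-wide client config, re-enabled for a single host in ~/.ssh/config), written out as an added example that is not from the thread; the drop-in file path and the host name are assumptions, and the option spelling follows OpenSSH 8.0 (PubkeyAcceptedKeyTypes, which 8.5+ still accepts as an alias of PubkeyAcceptedAlgorithms).

```sshconfig
# --- /etc/ssh/ssh_config.d/50-no-ssh-rsa.conf (assumed path; system-wide) ---
# Leave update-crypto-policies at DEFAULT so the agent and the OpenSSL backend
# can still produce and verify SHA-1 RSA signatures; restrict ssh-rsa here.
# The "-" prefix removes the listed algorithms from the built-in default set.
Host *
    HostKeyAlgorithms -ssh-rsa,ssh-rsa-cert-v01@openssh.com
    PubkeyAcceptedKeyTypes -ssh-rsa,ssh-rsa-cert-v01@openssh.com

# --- ~/.ssh/config (per-user; ssh reads this file before the system-wide
# config, and for each option the first value obtained wins, so a matching
# Host block here takes precedence over the "-" lines above) ---
Host legacy-appliance.example.com
    # Hypothetical host name: re-add ssh-rsa only for this destination.
    HostKeyAlgorithms +ssh-rsa,ssh-rsa-cert-v01@openssh.com
    PubkeyAcceptedKeyTypes +ssh-rsa,ssh-rsa-cert-v01@openssh.com
```

Check the effective result without connecting: `ssh -G legacy-appliance.example.com | grep -iE 'hostkeyalgorithms|pubkeyaccepted'` should list ssh-rsa for that host, and the same command against any other host should not.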