well nuts. that, in fact, doesn't work. it appears that, based on an strace, the order of reading for policies is personal .ssh/config, /etc/ssh/ssh_config (and conf.d files), then crypto policies, with the more restrictive policy being used.

---

Regards,

Kevin Martin

On Mon, Sep 9, 2024 at 11:07 AM kevin martin <ktmdms@xxxxxxxxx> wrote:

> Lol! Our Security team sent out new policies that dictated turning off ssh-rsa, so we did. turns out our Security Team doesn't necessarily follow their own dictates, so here we are. Our Linux team says that the correct way to turn off ssh-rsa is via the crypto policies, not via direct manipulation of the /etc/ssh/ssh_config, and I guess that's probably the absolute best way to do so, but then I have this situation to deal with. I like the idea of leaving crypto policies defaulted, updating the ssh_config at the system level to disable ssh-rsa, and then overriding in my local .ssh/config file. probably the only way I'll get this to work and still technically follow Security team rules. Thanks for the information.
>
> ---
>
> Regards,
>
> Kevin Martin
>
> On Mon, Sep 9, 2024 at 10:41 AM Jan Schermer <jan@xxxxxxxxxxx> wrote:
>
> > The crypto policies are system-wide to disallow any software (using system crypto) from using unsafe/weak/unwanted algorithm, which is exactly what you are trying to do.
> >
> > You'll need to allow that system-wide by default, unfortunately. Luckily you can then disallow ssh-rsa in ssh-config by default and only enable it for a few hosts.
> >
> > The correct solution is to throw whatever requires it to the garbage and never buy from that vendor again.
> >
> > Jan
> >
> > > On 9. 9. 2024, at 17:04, kevin martin <ktmdms@xxxxxxxxx> wrote:
> > >
> > > I'm using the most up to date version of openssh on OL8 that I can patch to (OpenSSH_8.0p1), I've used update-crypto-policies to disallow the use of ssh-rsa, but apparently am connecting to a host that uses ssh-rsa. I've tried adding
> > >
> > > HostkeyAlgorithms +ssh-rsa,ssh-rsa-cert-v01@xxxxxxxxxxx
> > > PubkeyAcceptedAlgorithms +ssh-rsa,ssh-rsa-cert-v01@xxxxxxxxxxx
> > > or
> > > HostkeyAlgorithms +ssh-rsa-cert-v01@xxxxxxxxxxx,ssh-rsa
> > > PubkeyAcceptedAlgorithms +ssh-rsa-cert-v01@xxxxxxxxxxx,ssh-rsa
> > >
> > > to my .ssh/config and still receive an error message of:
> > >
> > > agent key RSA-CERT SHA256:..... returned incorrect signature type
> > > sign_and_send_pubkey: no mutual signature supported
> > >
> > > if I update-crypto-policies to the DEFAULT policy, the connectivity works correctly. I'm a bit confused as to why openssh isn't using my personal config settings to override the system wide settings or am I not setting the necessary or is this by design?
> > >
> > > ---
> > >
> > > Regards,
> > >
> > > Kevin Martin
> > > _______________________________________________
> > > openssh-unix-dev mailing list
> > > openssh-unix-dev@xxxxxxxxxxx
> > > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
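As an added illustration (not from anyone in this thread), the model below follows the ssh_config(5) rules for list-valued algorithm options that the thread is arguing about: the first obtained value wins across the files in the order ssh reads them, and a leading `+`, `-` or `^` is applied to the compiled-in default list. The default list, the file names and the directives are constructed stand-ins; the model covers only what the ssh_config layers would produce, not whatever the system crypto policy enforces below OpenSSH.

```python
from fnmatch import fnmatchcase

# Constructed stand-in for the compiled-in default (real defaults are longer).
DEFAULT_HOSTKEY_ALGS = [
    "ssh-ed25519-cert-v01@openssh.com",
    "rsa-sha2-512-cert-v01@openssh.com",
    "ssh-ed25519",
    "rsa-sha2-512",
    "rsa-sha2-256",
]

def _cat(first, second):
    """Join two name lists, skipping names already present (as OpenSSH does)."""
    out = list(first)
    for name in second:
        if name not in out:
            out.append(name)
    return out

def assemble(default, value):
    """Apply one directive value to the default list: '+' appends, '^' prepends,
    '-' removes by wildcard pattern, anything else replaces the list outright."""
    names = [n for n in value.lstrip("+-^").split(",") if n]
    if value.startswith("+"):
        return _cat(default, names)
    if value.startswith("^"):
        return _cat(names, default)
    if value.startswith("-"):
        return [d for d in default if not any(fnmatchcase(d, p) for p in names)]
    return names

def resolve(option, sources, default):
    """sources: [(file, {option: value}), ...] in the order ssh reads them.
    The first file that sets the option wins; later files are ignored."""
    for path, directives in sources:
        if option in directives:
            return path, assemble(default, directives[option])
    return None, list(default)

def accepts_sha1_rsa(effective):
    """True when the legacy SHA-1 ssh-rsa (or its cert form) would be offered."""
    return any(n in effective for n in ("ssh-rsa", "ssh-rsa-cert-v01@openssh.com"))

# Constructed sources in the read order the thread reports: user config first,
# then the system file, then a policy fragment pulled in via Include.
SOURCES = [
    ("~/.ssh/config", {"HostKeyAlgorithms": "+ssh-rsa,ssh-rsa-cert-v01@openssh.com"}),
    ("/etc/ssh/ssh_config", {}),
    ("/etc/ssh/ssh_config.d/policy-fragment.conf", {"HostKeyAlgorithms": "-ssh-rsa*"}),
]

if __name__ == "__main__":
    src, algs = resolve("HostKeyAlgorithms", SOURCES, DEFAULT_HOSTKEY_ALGS)
    print(f"set by {src}: {','.join(algs)}; ssh-rsa offered: {accepts_sha1_rsa(algs)}")
```

Compare the model's answer with `ssh -G <host>`, which prints the client's effective values, to see whether the restriction you hit comes from an ssh_config layer or from something outside it.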