Displaying 20 results from an estimated 73 matches for "hostkeyalgorithms".
2020 Feb 06
3
Call for testing: OpenSSH 8.2
...nSSH 8.2p1 is almost ready for release, so we would appreciate testing
> > on as many platforms and systems as possible. This is a feature release.
>
> > * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These
> This actually affects me: github.com has very limited HostKeyAlgorithms
> advertised and my attempts to filter acceptable algorithms are based
> around lines from `ssh -Q key` (since before the newer - support for
> filtering) so I've been re-enabling ssh-rsa for github.com, missing that
> there was another option. I think I've stopped using client...
2020 Mar 02
4
Question about host key algorithms
$ ssh -Q HostKeyAlgorithms
Unsupported query "HostKeyAlgorithms"
$ ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2u 20 Dec 2019
On Mon, Mar 2, 2020 at 2:24 PM Christian Hesse <list at eworm.de> wrote:
> Luveh Keraph <1.41421 at gmail.com> on Mon, 2020/03/02 14:07:
> > When I do ssh -Q key, where ssh is...
2020 Mar 02
3
Question about host key algorithms
...6
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
ssh-rsa-cert-v01 at openssh.com
ssh-dss-cert-v01 at openssh.com
ecdsa-sha2-nistp256-cert-v01 at openssh.com
ecdsa-sha2-nistp384-cert-v01 at openssh.com
ecdsa-sha2-nistp521-cert-v01 at openssh.com
The thing is, one can invoke both client and server with -o
HostKeyAlgorithms=rsa-sha2-256, or -o HostKeyAlgorithms=rsa-sha2-512, and
everything's OK.
Why is it that rsa-sha2-* are not displayed in the output above? In fact,
no option to -Q elicits them, and they are not mentioned in the OpenSSH
client and server man pages.
Is this intentional?
2016 Dec 23
5
[Bug 2650] New: UpdateHostKeys ignores RSA keys if HostKeyAlgorithms=rsa-sha2-256
https://bugzilla.mindrot.org/show_bug.cgi?id=2650
Bug ID: 2650
Summary: UpdateHostKeys ignores RSA keys if
HostKeyAlgorithms=rsa-sha2-256
Product: Portable OpenSSH
Version: 7.4p1
Hardware: All
OS: All
Status: NEW
Severity: trivial
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: arane...
2018 May 25
5
Strange crypto choices
The defaults for HostKeyAlgorithms option are:
ecdsa-sha2-nistp256-cert-v01 at openssh.com,
ecdsa-sha2-nistp384-cert-v01 at openssh.com,
ecdsa-sha2-nistp521-cert-v01 at openssh.com,
ssh-ed25519-cert-v01 at openssh.com,
ssh-rsa-cert-v01 at openssh.com,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
ssh-ed25519,ssh-rsa...
2020 May 03
10
[Bug 3157] New: known_hosts @cert-authority with legacy plain key entry drops incorrect set of HostKeyAlgorithms
https://bugzilla.mindrot.org/show_bug.cgi?id=3157
Bug ID: 3157
Summary: known_hosts @cert-authority with legacy plain key
entry drops incorrect set of HostKeyAlgorithms
Product: Portable OpenSSH
Version: 8.1p1
Hardware: All
OS: Mac OS X
Status: NEW
Severity: normal
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: paullkapp at g...
2011 Jan 24
1
ECDSA and first connection; bug?
Folks,
I read the 5.7 release announcement and updated, to try out ECDSA. Most
parts worked very smoothly. The inability to create SSHFP records is
understandable, since IANA haven't allocated a code yet.
One apparent bug: I think StrictHostKeyChecking=ask is broken for ECDSA.
% ssh -o HostKeyAlgorithms=ecdsa-sha2-nistp256 localhost
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on y...
2018 May 27
2
Strange crypto choices
...is case?
>
> On Sun, May 27, 2018 at 5:09 AM, Damien Miller <djm at mindrot.org> wrote:
> > On Sat, 26 May 2018, Christian Weisgerber wrote:
> >
> >> On 2018-05-25, Yegor Ievlev <koops1997 at gmail.com> wrote:
> >>
> >> > The defaults for HostKeyAlgorithms option are: [...]
> >> > Why does OpenSSH prefer older and less secure
> >> > (https://safecurves.cr.yp.to/) ECDSA with NIST curves over Ed25519?
> >>
> >> I asked Markus and Damien about this in the past but honestly don't
> >> remember the an...
2020 Feb 06
3
Call for testing: OpenSSH 8.2
On 2020-02-06 at 13:28 +1100, Darren Tucker wrote:
> Like this.
> --- a/sshd_config.5
> +++ b/sshd_config.5
The ssh_config.5 also has a copy of this and presumably needs the same
change, unless I've misunderstood.
-Phil
2018 May 27
2
Strange crypto choices
On Mon, 28 May 2018, Yegor Ievlev wrote:
> Can we prefer RSA to ECDSA? For example:
> HostKeyAlgorithms
> ssh-rsa,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256
not without a good reason
2003 May 07
1
Manual Page for ssh_config
Hello,
I am using OpenSSH on a FreeBSD box
(OpenSSH_3.5p1 FreeBSD-20030201, SSH protocols 1.5/2.0, OpenSSL 0x0090701f)
and I noticed that the manual page for ssh_config probably needs to be
fixed. The manual page says that the default value for the parameter
HostKeyAlgorithms is "ssh-rsa,ssh-dss" but that seems to be wrong,
because ssh only uses RSA-Keys in my .ssh/known_hosts if I
explicitly set the parameter with "ssh-rsa,ssh-dss". If the
parameter remains commented out, ssh doesn't use the already known
RSA key:
WARNING: RSA key found for ho...
2018 Nov 01
8
[Bug 2924] New: Order a limited host keys list in client based on the known hosts
...enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: jjelen at redhat.com
Created attachment 3198
--> https://bugzilla.mindrot.org/attachment.cgi?id=3198&action=edit
possibility to order host keys in client
The HostKeyAlgorithms option in the client has a difference from all
the other algorithm limiting options that should be sorted according to
the list of known hosts available. This works fine out of the box with
default negotiated list, but when one tries to limit (or extend) the
algorithm list to something else than de...
2013 May 07
2
SSH key exchange algorithm negotiation payload growth
...ding RFC 4253 sections 6.2 - 6.5 and section 7.1 as saying that implementations must be prepared to accept an arbitrary number of algorithms of each type during initial key exchange?
When I was troubleshooting this issue I tried playing around with different combinations of -o KexAlgorithms and -o HostKeyAlgorithms at the command line. Are there other configuration paramters for the other name-lists during algorithm negotiation, e.g. encryption_algorithms_client_to_server, compression_algorithms_server_to_client, etc?
Thanks in advance!
Best,
Kent
2018 May 27
2
Strange crypto choices
On Sat, 26 May 2018, Christian Weisgerber wrote:
> On 2018-05-25, Yegor Ievlev <koops1997 at gmail.com> wrote:
>
> > The defaults for HostKeyAlgorithms option are: [...]
> > Why does OpenSSH prefer older and less secure
> > (https://safecurves.cr.yp.to/) ECDSA with NIST curves over Ed25519?
>
> I asked Markus and Damien about this in the past but honestly don't
> remember the answer. Some of the potential reasons (lack o...
2017 Jan 30
6
[Bug 2673] New: Multiple ssh keys for a given server
https://bugzilla.mindrot.org/show_bug.cgi?id=2673
Bug ID: 2673
Summary: Multiple ssh keys for a given server
Product: Portable OpenSSH
Version: -current
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
2020 Sep 16
2
ssh-ed25519 and ecdsa-sha2-nistp256 host keys
...hanged and you have requested
strict checking.
Host key verification failed.
The relevant part of my .ssh/config file is
Host *
IdentityFile ~/.ssh/id_ed25519
IdentityFile ~/.ssh/id_rsa
The relevant part of my /etc/ssh/ssh_config is:
Host *
AddressFamily inet
PubkeyAcceptedKeyTypes +ssh-dss
HostKeyAlgorithms +ssh-dss
- Ryan
On Tue, Sep 15, 2020 at 11:25 PM Damien Miller <djm at mindrot.org> wrote:
>
> On Tue, 15 Sep 2020, Ryan Mulligan wrote:
>
> > Hello.
> >
> > I am running OpenSSH 7.9p1 on my client and server. ssh-keyscan shows
> > the server has ssh-rsa, s...
2015 Aug 11
0
Announce: OpenSSH 7.0 released
...entication (previously it permitted
keyboard-interactive and password-less authentication if those
were enabled).
New Features
------------
* ssh_config(5): add PubkeyAcceptedKeyTypes option to control which
public key types are available for user authentication.
* sshd_config(5): add HostKeyAlgorithms option to control which
public key types are offered for host authentications.
* ssh(1), sshd(8): extend Ciphers, MACs, KexAlgorithms,
HostKeyAlgorithms, PubkeyAcceptedKeyTypes and HostbasedKeyTypes
options to allow appending to the default set of algorithms
instead of replacing it. O...
2020 Feb 23
4
Question about ssh-rsa deprecation notice (was: Announce: OpenSSH 8.2 released)
I am trying to understand the details of the deprecation notice.
Because I am getting people asking me questions. And I don't know the
answer. Therefore I am pushing the boulder uphill and asking here. :-)
Damien Miller wrote:
> Future deprecation notice
> =========================
>
> It is now possible[1] to perform chosen-prefix attacks against the
> SHA-1 algorithm for
2016 Oct 26
2
[Bug 2631] New: Hostkey update and rotation - No IP entries added to known_hosts
...bugs at mindrot.org
Reporter: lkinley at gmail.com
When UpdateHostKeys=yes/ask, only hostname based entries are added to
known_hosts file when learning new hostkeys.
Shouldn't IP entries also be added?
Consider the following scenario:
User connects for the first time, specifying a HostKeyAlgorithms
setting that is not first in the default list (rsa-sha2-256 in this
case), HashKnownHosts=yes, and UpdateHostKeys=yes. Server sends key,
it gets recorded in known_hosts both under the hostname and the IP.
User authenticates and additional keys are learned and stored under
only the hostname.
A se...
2014 Apr 10
0
nistp256 preferred over ed25519
Hello,
Maybe I'm asking an already answered question, if yes I'm sorry to
bother you.
Why in default HostKeyAlgorithms settings is
ecdsa-sha2-nistp256-cert-v01 at openssh.com preferred over
ssh-ed25519-cert-v01 at openssh.com ?
For example in default settings for KexAlgorithms the
curve25519-sha256 at libssh.org is preferred over ecdh-sha2-nistp256.
Fedor
Defaults in openssh-6.6p1
HostKeyAlgorithms
ecdsa-sha...