kevin martin
2024-Sep-09 15:04 UTC
OL8 (RHEL8), ssh-rsa turned off using update-crypto-policies, receiving an openssh error that I don't seem to be able to override in my personal .ssh/config file
I'm using the most up to date version of openssh on OL8 that I can patch to (OpenSSH_8.0p1), I've used update-crypto-policies to disallow the use of ssh-rsa, but apparently am connecting to a host that uses ssh-rsa. I've tried adding

    HostkeyAlgorithms +ssh-rsa,ssh-rsa-cert-v01@openssh.com
    PubkeyAcceptedAlgorithms +ssh-rsa,ssh-rsa-cert-v01@openssh.com

or

    HostkeyAlgorithms +ssh-rsa-cert-v01@openssh.com,ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa-cert-v01@openssh.com,ssh-rsa

to my .ssh/config and still receive an error message of:

    agent key RSA-CERT SHA256:..... returned incorrect signature type
    sign_and_send_pubkey: no mutual signature supported

If I update-crypto-policies to the DEFAULT policy, the connectivity works correctly. I'm a bit confused as to why openssh isn't using my personal config settings to override the system wide settings, or am I not setting the necessary, or is this by design?

---

Regards,

Kevin Martin
Jan Schermer
2024-Sep-09 15:41 UTC
OL8 (RHEL8), ssh-rsa turned off using update-crypto-policies, receiving an openssh error that I don't seem to be able to override in my personal .ssh/config file
The crypto policies are system-wide to disallow any software (using system crypto) from using unsafe/weak/unwanted algorithms, which is exactly what you are trying to do. You'll need to allow that system-wide by default, unfortunately. Luckily you can then disallow ssh-rsa in ssh-config by default and only enable it for a few hosts. The correct solution is to throw whatever requires it to the garbage and never buy from that vendor again.

Jan

> On 9. 9. 2024, at 17:04, kevin martin <ktmdms at gmail.com> wrote:
>
> I'm using the most up to date version of openssh on OL8 that I can patch to
> (OpenSSH_8.0p1), I've used update-crypto-policies to disallow the use of
> ssh-rsa, but apparently am connecting to a host that uses ssh-rsa. I've
> tried adding
>
> HostkeyAlgorithms +ssh-rsa,ssh-rsa-cert-v01@openssh.com
> PubkeyAcceptedAlgorithms +ssh-rsa,ssh-rsa-cert-v01@openssh.com
> or
> HostkeyAlgorithms +ssh-rsa-cert-v01@openssh.com,ssh-rsa
> PubkeyAcceptedAlgorithms +ssh-rsa-cert-v01@openssh.com,ssh-rsa
>
> to my .ssh/config and still receive an error message of:
>
> agent key RSA-CERT SHA256:..... returned incorrect signature type
> sign_and_send_pubkey: no mutual signature supported
>
> if I update-crypto-policies to the DEFAULT policy, the connectivity works
> correctly. I'm a bit confused as to why openssh isn't using my personal
> config settings to override the system wide settings or am I not setting
> the necessary or is this by design?
>
> ---
>
> Regards,
>
> Kevin Martin
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
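The layout Jan describes (system policy permissive, ssh-rsa denied by default in the client config and re-enabled for a single host), as an added example that is not from either poster. It assumes the crypto policy has been returned to DEFAULT, that "legacy.example.com" is a placeholder for the one host that still needs ssh-rsa, and that the client is OpenSSH 8.0, whose option name is PubkeyAcceptedKeyTypes (PubkeyAcceptedAlgorithms only arrived as the new name in 8.5, with the old one kept as an alias):

```text
# Added example: ~/.ssh/config
# ssh_config uses first-obtained-value semantics: the first matching Host
# block wins for each option, so the per-host exception must come BEFORE
# the catch-all "Host *" block, or it will never take effect.

Host legacy.example.com
    # Only this host may negotiate the SHA-1 based ssh-rsa scheme.
    # "+" appends to the built-in default list instead of replacing it.
    HostKeyAlgorithms +ssh-rsa,ssh-rsa-cert-v01@openssh.com
    # OpenSSH 8.0 spelling; on 8.5+ PubkeyAcceptedAlgorithms is also accepted.
    PubkeyAcceptedKeyTypes +ssh-rsa,ssh-rsa-cert-v01@openssh.com

Host *
    # Everything else: "-" removes ssh-rsa from the default list, so the
    # client will refuse SHA-1 signatures from any other server or key.
    HostKeyAlgorithms -ssh-rsa,ssh-rsa-cert-v01@openssh.com
    PubkeyAcceptedKeyTypes -ssh-rsa,ssh-rsa-cert-v01@openssh.com
```

To confirm which block applied, `ssh -G legacy.example.com | grep -i -e hostkeyalgorithms -e pubkeyaccepted` prints the effective values after all config files (including the crypto-policy include in the system ssh_config) have been merged; run the same command against another hostname to check that ssh-rsa is absent there.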