Eugene Grosbein
2021-Sep-11 22:09 UTC
Important note for future FreeBSD base system OpenSSH update
10.09.2021 1:01, Ed Maste wrote:

> To check whether a server is using the weak ssh-rsa public key
> algorithm, for host authentication, try to connect to it after
> removing the ssh-rsa algorithm from ssh(1)'s allowed list:
>
> ssh -oHostKeyAlgorithms=-ssh-rsa user@host
>
> If the host key verification fails and no other supported host key
> types are available, the server software on that host should be
> upgraded.

I have some telco equipment (E1/SS7) based on a custom Linux distro built by a vendor:

$ ssh -oHostKeyAlgorithms=-ssh-rsa user@host
Unable to negotiate with X.X.X.X port 22: no matching host key type found. Their offer: ssh-rsa

I've already asked the vendor for a possible upgrade and was told that no upgrade will be available.

Will I be able to use ssh_config and the following command to re-enable the feature after the planned import?

HostKeyAlgorithms ssh-rsa
Mathieu Arnold
2021-Sep-20 19:21 UTC
Important note for future FreeBSD base system OpenSSH update
On Sun, Sep 12, 2021 at 05:09:45AM +0700, Eugene Grosbein wrote:

> 10.09.2021 1:01, Ed Maste wrote:
>
> > To check whether a server is using the weak ssh-rsa public key
> > algorithm, for host authentication, try to connect to it after
> > removing the ssh-rsa algorithm from ssh(1)'s allowed list:
> >
> > ssh -oHostKeyAlgorithms=-ssh-rsa user@host
> >
> > If the host key verification fails and no other supported host key
> > types are available, the server software on that host should be
> > upgraded.
>
> I have some telco equipment (E1/SS7) based on a custom Linux distro built by a vendor:
>
> $ ssh -oHostKeyAlgorithms=-ssh-rsa user@host
> Unable to negotiate with X.X.X.X port 22: no matching host key type found. Their offer: ssh-rsa
>
> I've already asked the vendor for a possible upgrade and was told that no upgrade will be available.
>
> Will I be able to use ssh_config and the following command to re-enable the feature after the planned import?
>
> HostKeyAlgorithms ssh-rsa

Same here, I have many telco and even switches and routers that only support ssh-rsa, will it be possible to use an ssh_config knob to enable it back?

--
Mathieu Arnold
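Added example, not part of either post above: a per-host ssh_config stanza that re-enables ssh-rsa only for the one device that cannot be upgraded, leaving the stricter default in force for every other host. It assumes the FreeBSD import follows upstream OpenSSH 8.8 semantics, where a `+` prefix appends to the built-in default list rather than replacing it; `legacy-telco`, the address and the user name are placeholders.

```sshconfig
# ~/.ssh/config  (added example; host alias, address and user are placeholders)

# Scope the weak algorithm to the single device that needs it. ssh-rsa here
# means the SHA-1 signature scheme; the same RSA host key can be verified with
# rsa-sha2-256/512 if the server supports them, which is what the
# "-oHostKeyAlgorithms=-ssh-rsa" test in Ed's mail checks for.
Host legacy-telco
    HostName 192.0.2.10
    User admin
    # "+" appends to the default list instead of overriding it, so stronger
    # algorithms are still preferred if the device ever offers them.
    HostKeyAlgorithms +ssh-rsa
    # Only needed if you authenticate to it with an RSA user key and the
    # server cannot do rsa-sha2-* signatures for user authentication either.
    PubkeyAcceptedAlgorithms +ssh-rsa

# ssh_config uses the first value obtained for each directive, so this
# stanza must appear before any broader "Host *" block that would match.
Host *
    StrictHostKeyChecking ask

# Verify the effective list without connecting:
#   ssh -G legacy-telco | grep -i hostkeyalgorithms
# should end with ",ssh-rsa", while "ssh -G some-other-host" should not.
```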