kevin martin
2024-Sep-09 16:07 UTC
OL8 (RHEL8), ssh-rsa turned off using update-crypto-policies, receiving an openssh error that I don't seem to be able to override in my personal .ssh/config file
Lol! Our Security team sent out new policies that dictated turning off ssh-rsa, so *we did. turns out our Security Team doesn't necessarily follow their own dictates, so here we are. Our Linux team says that the correct way to turn off ssh-rsa is via the crypto policies, not via direct manipulation of the /etc/ssh/ssh_config, and I guess that's probably the absolute best way to do so, but then I have this situation to deal with. I like the idea of leaving crypto policies defaulted, updating the ssh_config at the system level to disable ssh-rsa, and then overriding in my local .ssh/config file. probably the only way I'll get this to work and still technically follow Security team rules. Thanks for the information. --- Regards, Kevin Martin On Mon, Sep 9, 2024 at 10:41?AM Jan Schermer <jan at schermer.cz> wrote:> The crypto policies are system-wide to disallow any software (using system > crypto) from using unsafe/weak/unwanted algorithm, which is exactly what > you are trying to do. > > You?ll need to allow that system-wide by default, unfortunately. Luckily > you can then disallow ssh-rsa in ssh-config by default and only enable it > for a few hosts. > > The correct solution is to throw whatever requires it to the garbage and > never buy from that vendor again. > > Jan > > > > On 9. 9. 2024, at 17:04, kevin martin <ktmdms at gmail.com> wrote: > > > > I'm using the most up to date version of openssh on OL8 that I can patch > to > > (OpenSSH_8.0p1), I've used update-crypto-policies to disallow the use of > > ssh-rsa, but apparently am connecting to a host that uses ssh-rsa. I've > > tried adding > > > > HostkeyAlgorithms +ssh-rsa,ssh-rsa-cert-v01 at openssh.com > > PubkeyAcceptedAlgorithms +ssh-rsa,ssh-rsa-cert-v01 at openssh.com > > or > > HostkeyAlgorithms +ssh-rsa-cert-v01 at openssh.com,ssh-rsa > > PubkeyAcceptedAlgorithms +ssh-rsa-cert-v01 at openssh.com,ssh-rsa > > > > to my .ssh/config and still receive an error message of: > > > > agent key RSA-CERT SHA256:..... returned incorrect signature type > > sign_and_send_pubkey: no mutual signature supported > > > > if I update-crpyto-policies to the DEFAULT policy, the connectivity works > > correctly. I'm a bit confused as to why openssh isn't using my personal > > config settings to override the system wide settings or am I not setting > > the necessary or is this by design? > > > > --- > > > > > > Regards, > > > > Kevin Martin > > _______________________________________________ > > openssh-unix-dev mailing list > > openssh-unix-dev at mindrot.org > > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev > >
kevin martin
2024-Sep-09 16:18 UTC
OL8 (RHEL8), ssh-rsa turned off using update-crypto-policies, receiving an openssh error that I don't seem to be able to override in my personal .ssh/config file
well nuts. that, in fact, doesn't work. it appears that, based on an strace, the order of reading for policies is personal .ssh/config, /etc/ssh/ssh_config (and conf.d files), then crypto policies, with the more restrictive policy being used. --- Regards, Kevin Martin On Mon, Sep 9, 2024 at 11:07?AM kevin martin <ktmdms at gmail.com> wrote:> Lol! Our Security team sent out new policies that dictated turning off > ssh-rsa, so *we did. turns out our Security Team doesn't necessarily > follow their own dictates, so here we are. Our Linux team says that the > correct way to turn off ssh-rsa is via the crypto policies, not via direct > manipulation of the /etc/ssh/ssh_config, and I guess that's probably the > absolute best way to do so, but then I have this situation to deal with. I > like the idea of leaving crypto policies defaulted, updating the ssh_config > at the system level to disable ssh-rsa, and then overriding in my local > .ssh/config file. probably the only way I'll get this to work and still > technically follow Security team rules. Thanks for the information. > > --- > > > Regards, > > Kevin Martin > > > On Mon, Sep 9, 2024 at 10:41?AM Jan Schermer <jan at schermer.cz> wrote: > >> The crypto policies are system-wide to disallow any software (using >> system crypto) from using unsafe/weak/unwanted algorithm, which is exactly >> what you are trying to do. >> >> You?ll need to allow that system-wide by default, unfortunately. Luckily >> you can then disallow ssh-rsa in ssh-config by default and only enable it >> for a few hosts. >> >> The correct solution is to throw whatever requires it to the garbage and >> never buy from that vendor again. >> >> Jan >> >> >> > On 9. 9. 2024, at 17:04, kevin martin <ktmdms at gmail.com> wrote: >> > >> > I'm using the most up to date version of openssh on OL8 that I can >> patch to >> > (OpenSSH_8.0p1), I've used update-crypto-policies to disallow the use of >> > ssh-rsa, but apparently am connecting to a host that uses ssh-rsa. I've >> > tried adding >> > >> > HostkeyAlgorithms +ssh-rsa,ssh-rsa-cert-v01 at openssh.com >> > PubkeyAcceptedAlgorithms +ssh-rsa,ssh-rsa-cert-v01 at openssh.com >> > or >> > HostkeyAlgorithms +ssh-rsa-cert-v01 at openssh.com,ssh-rsa >> > PubkeyAcceptedAlgorithms +ssh-rsa-cert-v01 at openssh.com,ssh-rsa >> > >> > to my .ssh/config and still receive an error message of: >> > >> > agent key RSA-CERT SHA256:..... returned incorrect signature type >> > sign_and_send_pubkey: no mutual signature supported >> > >> > if I update-crpyto-policies to the DEFAULT policy, the connectivity >> works >> > correctly. I'm a bit confused as to why openssh isn't using my personal >> > config settings to override the system wide settings or am I not setting >> > the necessary or is this by design? >> > >> > --- >> > >> > >> > Regards, >> > >> > Kevin Martin >> > _______________________________________________ >> > openssh-unix-dev mailing list >> > openssh-unix-dev at mindrot.org >> > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev >> >>
Possibly Parallel Threads
- OL8 (RHEL8), ssh-rsa turned off using update-crypto-policies, receiving an openssh error that I don't seem to be able to override in my personal .ssh/config file
- OL8 (RHEL8), ssh-rsa turned off using update-crypto-policies, receiving an openssh error that I don't seem to be able to override in my personal .ssh/config file
- OL8 (RHEL8), ssh-rsa turned off using update-crypto-policies, receiving an openssh error that I don't seem to be able to override in my personal .ssh/config file
- OL8 (RHEL8), ssh-rsa turned off using update-crypto-policies, receiving an openssh error that I don't seem to be able to override in my personal .ssh/config file
- OL8 (RHEL8), ssh-rsa turned off using update-crypto-policies, receiving an openssh error that I don't seem to be able to override in my personal .ssh/config file