kevin martin
2024-Sep-09 16:07 UTC
OL8 (RHEL8), ssh-rsa turned off using update-crypto-policies, receiving an openssh error that I don't seem to be able to override in my personal .ssh/config file
Lol! Our Security team sent out new policies that dictated turning off ssh-rsa, so *we did. Turns out our Security Team doesn't necessarily follow their own dictates, so here we are. Our Linux team says that the correct way to turn off ssh-rsa is via the crypto policies, not via direct manipulation of the /etc/ssh/ssh_config, and I guess that's probably the absolute best way to do so, but then I have this situation to deal with. I like the idea of leaving crypto policies defaulted, updating the ssh_config at the system level to disable ssh-rsa, and then overriding in my local .ssh/config file. Probably the only way I'll get this to work and still technically follow Security team rules. Thanks for the information.

---

Regards,

Kevin Martin

On Mon, Sep 9, 2024 at 10:41 AM Jan Schermer <jan at schermer.cz> wrote:
> The crypto policies are system-wide to disallow any software (using system crypto) from using unsafe/weak/unwanted algorithms, which is exactly what you are trying to do.
>
> You'll need to allow that system-wide by default, unfortunately. Luckily you can then disallow ssh-rsa in ssh-config by default and only enable it for a few hosts.
>
> The correct solution is to throw whatever requires it to the garbage and never buy from that vendor again.
>
> Jan
>
> > On 9. 9. 2024, at 17:04, kevin martin <ktmdms at gmail.com> wrote:
> >
> > I'm using the most up to date version of openssh on OL8 that I can patch to (OpenSSH_8.0p1), I've used update-crypto-policies to disallow the use of ssh-rsa, but apparently am connecting to a host that uses ssh-rsa. I've tried adding
> >
> > HostkeyAlgorithms +ssh-rsa,ssh-rsa-cert-v01@openssh.com
> > PubkeyAcceptedAlgorithms +ssh-rsa,ssh-rsa-cert-v01@openssh.com
> > or
> > HostkeyAlgorithms +ssh-rsa-cert-v01@openssh.com,ssh-rsa
> > PubkeyAcceptedAlgorithms +ssh-rsa-cert-v01@openssh.com,ssh-rsa
> >
> > to my .ssh/config and still receive an error message of:
> >
> > agent key RSA-CERT SHA256:..... returned incorrect signature type
> > sign_and_send_pubkey: no mutual signature supported
> >
> > If I update-crypto-policies to the DEFAULT policy, the connectivity works correctly. I'm a bit confused as to why openssh isn't using my personal config settings to override the system wide settings, or am I not setting the necessary options, or is this by design?
> >
> > ---
> >
> > Regards,
> >
> > Kevin Martin
> > _______________________________________________
> > openssh-unix-dev mailing list
> > openssh-unix-dev at mindrot.org
> > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
kevin martin
2024-Sep-09 16:18 UTC
OL8 (RHEL8), ssh-rsa turned off using update-crypto-policies, receiving an openssh error that I don't seem to be able to override in my personal .ssh/config file
Well, nuts. That, in fact, doesn't work. It appears that, based on an strace, the order of reading for policies is personal .ssh/config, /etc/ssh/ssh_config (and conf.d files), then crypto policies, with the more restrictive policy being used.

---

Regards,

Kevin Martin

On Mon, Sep 9, 2024 at 11:07 AM kevin martin <ktmdms at gmail.com> wrote:
> Lol! Our Security team sent out new policies that dictated turning off ssh-rsa, so *we did. Turns out our Security Team doesn't necessarily follow their own dictates, so here we are. Our Linux team says that the correct way to turn off ssh-rsa is via the crypto policies, not via direct manipulation of the /etc/ssh/ssh_config, and I guess that's probably the absolute best way to do so, but then I have this situation to deal with. I like the idea of leaving crypto policies defaulted, updating the ssh_config at the system level to disable ssh-rsa, and then overriding in my local .ssh/config file. Probably the only way I'll get this to work and still technically follow Security team rules. Thanks for the information.
>
> ---
>
> Regards,
>
> Kevin Martin
>
> On Mon, Sep 9, 2024 at 10:41 AM Jan Schermer <jan at schermer.cz> wrote:
>> The crypto policies are system-wide to disallow any software (using system crypto) from using unsafe/weak/unwanted algorithms, which is exactly what you are trying to do.
>>
>> You'll need to allow that system-wide by default, unfortunately. Luckily you can then disallow ssh-rsa in ssh-config by default and only enable it for a few hosts.
>>
>> The correct solution is to throw whatever requires it to the garbage and never buy from that vendor again.
>>
>> Jan
>>
>> > On 9. 9. 2024, at 17:04, kevin martin <ktmdms at gmail.com> wrote:
>> >
>> > I'm using the most up to date version of openssh on OL8 that I can patch to (OpenSSH_8.0p1), I've used update-crypto-policies to disallow the use of ssh-rsa, but apparently am connecting to a host that uses ssh-rsa. I've tried adding
>> >
>> > HostkeyAlgorithms +ssh-rsa,ssh-rsa-cert-v01@openssh.com
>> > PubkeyAcceptedAlgorithms +ssh-rsa,ssh-rsa-cert-v01@openssh.com
>> > or
>> > HostkeyAlgorithms +ssh-rsa-cert-v01@openssh.com,ssh-rsa
>> > PubkeyAcceptedAlgorithms +ssh-rsa-cert-v01@openssh.com,ssh-rsa
>> >
>> > to my .ssh/config and still receive an error message of:
>> >
>> > agent key RSA-CERT SHA256:..... returned incorrect signature type
>> > sign_and_send_pubkey: no mutual signature supported
>> >
>> > If I update-crypto-policies to the DEFAULT policy, the connectivity works correctly. I'm a bit confused as to why openssh isn't using my personal config settings to override the system wide settings, or am I not setting the necessary options, or is this by design?
>> >
>> > ---
>> >
>> > Regards,
>> >
>> > Kevin Martin
>> > _______________________________________________
>> > openssh-unix-dev mailing list
>> > openssh-unix-dev at mindrot.org
>> > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
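The layered setup Jan proposes (crypto policy left at DEFAULT, ssh-rsa denied for every host in a system-level ssh_config drop-in, re-enabled for a few hosts in ~/.ssh/config) only behaves as intended if the client's precedence rules are understood. The following is an added example, not code from OpenSSH or from anyone in this thread: a simplified Python model of how ssh(1) resolves algorithm-list keywords, implementing the documented rules that the first obtained value for a keyword wins, that a leading "+", "-" or "^" is applied against the built-in default at the end, and that "Match final" blocks only take effect on the final pass. The file layout is an assumption based on the RHEL 8 family, where /etc/ssh/ssh_config.d/05-redhat.conf pulls /etc/crypto-policies/back-ends/openssh.config in under "Match final all"; the hostnames, the 50-no-ssh-rsa.conf drop-in and the default algorithm list are constructed for illustration. The keyword is spelled PubkeyAcceptedKeyTypes as OpenSSH 8.0 and its policy file spell it; PubkeyAcceptedAlgorithms is the name later releases introduced.

```python
# Added example (not OpenSSH code, not from the thread): a simplified model of
# ssh(1) client config resolution for algorithm-list keywords. Rules modelled:
#   - the first obtained value of a keyword wins (user file before system file),
#   - "+x", "-x", "^x" are applied to the built-in default once parsing is done,
#   - "Match final all" blocks are skipped on the first pass, applied on the final pass.
# File paths assume the RHEL 8 layout; names and contents are constructed.
import fnmatch

# Illustrative built-in default; not the exact list of any OpenSSH release.
DEFAULTS = {
    "hostkeyalgorithms": ["ssh-ed25519", "ecdsa-sha2-nistp256",
                          "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"],
    "pubkeyacceptedkeytypes": ["ssh-ed25519", "ecdsa-sha2-nistp256",
                               "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"],
}

# Constructed in-memory files standing in for the real ones.
FILES = {
    "~/.ssh/config": """
# Per-user exception: only this legacy host may still use ssh-rsa.
Host legacy-appliance.example.com
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedKeyTypes +ssh-rsa
""",
    "/etc/ssh/ssh_config": "Include /etc/ssh/ssh_config.d/*.conf\n",
    "/etc/ssh/ssh_config.d/05-redhat.conf": """
Match final all
    Include /etc/crypto-policies/back-ends/openssh.config
""",
    # System-level default deny for the ssh client only (sshd is unaffected).
    "/etc/ssh/ssh_config.d/50-no-ssh-rsa.conf": """
Host *
    HostKeyAlgorithms -ssh-rsa
    PubkeyAcceptedKeyTypes -ssh-rsa
""",
    # Stand-in for the DEFAULT policy backend: the policy itself still lists ssh-rsa.
    "/etc/crypto-policies/back-ends/openssh.config":
        "PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ssh-ed25519,"
        "rsa-sha2-512,rsa-sha2-256,ssh-rsa\n",
}


def host_matches(patterns, host):
    """Host keyword: a matching negated pattern wins; otherwise any positive match."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched


def parse(path, host, final, obtained, files):
    """One pass over a file, recording the first value seen for each keyword."""
    active = True
    for raw in files[path].splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key, arg = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "host":
            active = host_matches(arg.split(), host)
        elif key == "match":
            # Only "Match final all" is modelled; it matches on the final pass only.
            active = final and arg.lower() == "final all"
        elif key == "include":
            if active:
                for inc in sorted(p for p in files if fnmatch.fnmatchcase(p, arg)):
                    parse(inc, host, final, obtained, files)
        elif active and key not in obtained:
            obtained[key] = arg


def expand(spec, default):
    """Apply the +/-/^ list operators against the built-in default list."""
    op, body = (spec[0], spec[1:]) if spec[:1] in ("+", "-", "^") else ("", spec)
    items = body.split(",")
    if op == "+":
        return default + [a for a in items if a not in default]
    if op == "-":
        return [a for a in default if not any(fnmatch.fnmatchcase(a, d) for d in items)]
    if op == "^":
        return items + [a for a in default if a not in items]
    return items


def effective(host, files=FILES):
    """Resolve like ssh(1): user file, then system file; then the final pass."""
    obtained = {}
    for final in (False, True):
        for path in ("~/.ssh/config", "/etc/ssh/ssh_config"):
            parse(path, host, final, obtained, files)
    return {k: expand(obtained.get(k, ",".join(v)), v) for k, v in DEFAULTS.items()}


if __name__ == "__main__":
    for h in ("legacy-appliance.example.com", "jumphost.example.com"):
        print(h, effective(h)["pubkeyacceptedkeytypes"])
```

Under these rules the legacy host keeps ssh-rsa because the user file is read first and its "+ssh-rsa" becomes the obtained value; every other host gets the drop-in's "-ssh-rsa"; and the policy file's permissive list never becomes the obtained value, which is why the drop-in is what actually enforces the deny. Remove the drop-in and the policy list wins on the final pass. The model does not reproduce the failure reported in the thread on OpenSSH 8.0p1, so the check that matters is on the real box: `ssh -G hostname | grep -iE 'pubkeyaccepted|hostkeyalgorithms'` prints the values the client will use for that host. Note also that ssh_config only governs the ssh client; sshd and every other consumer of the crypto policy still follow whatever update-crypto-policies set.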