Jan Schermer
2024-Sep-09 15:41 UTC
OL8 (RHEL8), ssh-rsa turned off using update-crypto-policies, receiving an openssh error that I don't seem to be able to override in my personal .ssh/config file
The crypto policies are system-wide to disallow any software (using system crypto) from using unsafe/weak/unwanted algorithms, which is exactly what you are trying to do.

You'll need to allow that system-wide by default, unfortunately. Luckily you can then disallow ssh-rsa in ssh_config by default and only enable it for a few hosts.

The correct solution is to throw whatever requires it to the garbage and never buy from that vendor again.

Jan

> On 9. 9. 2024, at 17:04, kevin martin <ktmdms at gmail.com> wrote:
>
> I'm using the most up to date version of openssh on OL8 that I can patch to
> (OpenSSH_8.0p1). I've used update-crypto-policies to disallow the use of
> ssh-rsa, but apparently am connecting to a host that uses ssh-rsa. I've
> tried adding
>
> HostkeyAlgorithms +ssh-rsa,ssh-rsa-cert-v01@openssh.com
> PubkeyAcceptedAlgorithms +ssh-rsa,ssh-rsa-cert-v01@openssh.com
> or
> HostkeyAlgorithms +ssh-rsa-cert-v01@openssh.com,ssh-rsa
> PubkeyAcceptedAlgorithms +ssh-rsa-cert-v01@openssh.com,ssh-rsa
>
> to my .ssh/config and still receive an error message of:
>
> agent key RSA-CERT SHA256:..... returned incorrect signature type
> sign_and_send_pubkey: no mutual signature supported
>
> If I update-crypto-policies to the DEFAULT policy, the connectivity works
> correctly. I'm a bit confused as to why openssh isn't using my personal
> config settings to override the system-wide settings, or am I not setting
> the necessary or is this by design?
>
> ---
>
> Regards,
>
> Kevin Martin
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
kevin martin
2024-Sep-09 16:07 UTC
OL8 (RHEL8), ssh-rsa turned off using update-crypto-policies, receiving an openssh error that I don't seem to be able to override in my personal .ssh/config file
Lol! Our Security team sent out new policies that dictated turning off ssh-rsa, so we did. Turns out our Security Team doesn't necessarily follow their own dictates, so here we are. Our Linux team says that the correct way to turn off ssh-rsa is via the crypto policies, not via direct manipulation of /etc/ssh/ssh_config, and I guess that's probably the absolute best way to do so, but then I have this situation to deal with. I like the idea of leaving crypto policies defaulted, updating the ssh_config at the system level to disable ssh-rsa, and then overriding in my local .ssh/config file. Probably the only way I'll get this to work and still technically follow Security team rules. Thanks for the information.

---

Regards,

Kevin Martin

On Mon, Sep 9, 2024 at 10:41 AM Jan Schermer <jan at schermer.cz> wrote:

> The crypto policies are system-wide to disallow any software (using system
> crypto) from using unsafe/weak/unwanted algorithms, which is exactly what
> you are trying to do.
>
> You'll need to allow that system-wide by default, unfortunately. Luckily
> you can then disallow ssh-rsa in ssh_config by default and only enable it
> for a few hosts.
>
> The correct solution is to throw whatever requires it to the garbage and
> never buy from that vendor again.
>
> Jan
>
> > On 9. 9. 2024, at 17:04, kevin martin <ktmdms at gmail.com> wrote:
> >
> > I'm using the most up to date version of openssh on OL8 that I can patch to
> > (OpenSSH_8.0p1). I've used update-crypto-policies to disallow the use of
> > ssh-rsa, but apparently am connecting to a host that uses ssh-rsa. I've
> > tried adding
> >
> > HostkeyAlgorithms +ssh-rsa,ssh-rsa-cert-v01@openssh.com
> > PubkeyAcceptedAlgorithms +ssh-rsa,ssh-rsa-cert-v01@openssh.com
> > or
> > HostkeyAlgorithms +ssh-rsa-cert-v01@openssh.com,ssh-rsa
> > PubkeyAcceptedAlgorithms +ssh-rsa-cert-v01@openssh.com,ssh-rsa
> >
> > to my .ssh/config and still receive an error message of:
> >
> > agent key RSA-CERT SHA256:..... returned incorrect signature type
> > sign_and_send_pubkey: no mutual signature supported
> >
> > If I update-crypto-policies to the DEFAULT policy, the connectivity works
> > correctly. I'm a bit confused as to why openssh isn't using my personal
> > config settings to override the system-wide settings, or am I not setting
> > the necessary or is this by design?
> >
> > ---
> >
> > Regards,
> >
> > Kevin Martin
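The layout Jan suggests and Kevin plans to adopt, as an added worked example (not code from the thread, from OpenSSH, or from RHEL's crypto-policies): a system-wide default that strips ssh-rsa, a per-user stanza that re-adds it for a single host, and a check with `ssh -G`, which prints the options ssh would actually use for a host without connecting. The host name "legacy-router", the file names and the scratch directory are assumptions; the script writes everything under a temporary directory and points `ssh -F` at it, so it never touches /etc/ssh.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH/RHEL. Builds the
# "off by default, on for one host" layout in a scratch directory and checks
# the result with `ssh -G`, which resolves the config for a host and prints it
# without connecting. Host name "legacy-router" and file names are assumptions.
set -u

# Write a "system-wide" fragment that removes ssh-rsa and a "per-user" file
# that re-adds it for one host. Prints the path of the per-user file, which is
# what to hand to `ssh -F`. Argument: directory to write into.
write_demo_config() {
    dir=$1
    # System-wide default. "ssh-rsa" is the RSA/SHA-1 signature scheme;
    # rsa-sha2-256 and rsa-sha2-512 use the same RSA keys and stay enabled.
    # PubkeyAcceptedKeyTypes is the pre-8.5 spelling of PubkeyAcceptedAlgorithms
    # and is still accepted by current releases, so it parses everywhere.
    cat >"$dir/system_ssh_config" <<'EOF'
Host *
    HostKeyAlgorithms -ssh-rsa,ssh-rsa-cert-v01@openssh.com
    PubkeyAcceptedKeyTypes -ssh-rsa,ssh-rsa-cert-v01@openssh.com
EOF
    # Per-user config. ssh keeps the FIRST value it obtains for a keyword, and
    # ~/.ssh/config is read before /etc/ssh/ssh_config, so this stanza wins for
    # legacy-router and every other host falls through to the system default.
    # `Match all` closes the Host block; the Include only emulates that read
    # order under `ssh -F`, which reads one file. In a real deployment the two
    # fragments live in ~/.ssh/config and /etc/ssh/ssh_config(.d), unlinked.
    cat >"$dir/user_ssh_config" <<EOF
Host legacy-router
    HostKeyAlgorithms +ssh-rsa,ssh-rsa-cert-v01@openssh.com
    PubkeyAcceptedKeyTypes +ssh-rsa,ssh-rsa-cert-v01@openssh.com

Match all
    Include $dir/system_ssh_config
EOF
    # ssh refuses Included files that are group- or world-writable.
    chmod 0600 "$dir/system_ssh_config" "$dir/user_ssh_config"
    printf '%s\n' "$dir/user_ssh_config"
}

# Print the effective comma-separated list for one keyword and host, as ssh
# resolves it. Keyword in lowercase, as `ssh -G` prints it; the pubkey keyword
# is matched under both its old and its new name.
effective() {  # effective <config-file> <host> <keyword>
    ssh -G -F "$1" "$2" | awk -v k="$3" '
        $1 == k { print $2 }
        k == "pubkeyacceptedalgorithms" && $1 == "pubkeyacceptedkeytypes" { print $2 }'
}

# Exit 0 if the exact token "ssh-rsa" is in the effective list, 1 otherwise.
# Exact match, so rsa-sha2-* and ssh-rsa-cert-* do not count.
allows_ssh_rsa() {  # allows_ssh_rsa <config-file> <host> <keyword>
    effective "$1" "$2" "$3" | tr ',' '\n' | grep -qx 'ssh-rsa'
}

# Stand-alone demo: show what each host ends up with.
if command -v ssh >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    cfg=$(write_demo_config "$tmp")
    for h in legacy-router fileserver; do
        for k in hostkeyalgorithms pubkeyacceptedalgorithms; do
            if allows_ssh_rsa "$cfg" "$h" "$k"; then v=allowed; else v=absent; fi
            printf '%-14s %-26s ssh-rsa %s\n' "$h" "$k" "$v"
        done
    done
    rm -rf "$tmp"
fi
```

Two things to keep in mind when moving this onto a real box. First, `ssh -G <host> | grep -iE 'hostkeyalgorithms|pubkeyaccepted'` is the way to confirm which file won for a given host, because ssh applies the first value it reads for each keyword and silently ignores later ones, `+`/`-` forms included. It only shows what the client is configured to offer, though: it does not exercise the agent or the crypto library, so a restriction enforced below ssh_config will not show up there. Second, `ssh-rsa` names the RSA/SHA-1 signature scheme, not RSA keys: `rsa-sha2-256` and `rsa-sha2-512` use the same keys and stay enabled, so the per-host exception is only needed for peers that cannot sign with anything but SHA-1.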
Gert Doering
2024-Sep-09 17:14 UTC
OL8 (RHEL8), ssh-rsa turned off using update-crypto-policies, receiving an openssh error that I don't seem to be able to override in my personal .ssh/config file
Hi,

On Mon, Sep 09, 2024 at 05:41:42PM +0200, Jan Schermer wrote:
> The correct solution is to throw whatever requires it to the garbage and never buy from that vendor again.

As nice as this sounds, the selection of possible algorithms on the (usually "internal network only") management interface is waaaaay low on the priority list when shopping for a $50k router...

gert
--
"If was one thing all people took for granted, was conviction that if you
 feed honest figures into a computer, honest figures come out. Never doubted
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             gert at greenie.muc.de