openssh unix dev - Sep 2024 - OL8 (RHEL8), ssh-rsa turned off using update-crypto-policies, receiving an openssh error that I don't seem to be able to override in my personal .ssh/config file

The crypto policies are system-wide to disallow any software (using system
crypto) from using unsafe/weak/unwanted algorithm, which is exactly what you are
trying to do.

You?ll need to allow that system-wide by default, unfortunately. Luckily you can
then disallow ssh-rsa in ssh-config by default and only enable it for a few
hosts.

The correct solution is to throw whatever requires it to the garbage and never
buy from that vendor again.

Jan

> On 9. 9. 2024, at 17:04, kevin martin <ktmdms at gmail.com> wrote:
> 
> I'm using the most up to date version of openssh on OL8 that I can
patch to
> (OpenSSH_8.0p1), I've used update-crypto-policies to disallow the use
of
> ssh-rsa, but apparently am connecting to a host that uses ssh-rsa. 
I've
> tried adding
> 
> HostkeyAlgorithms +ssh-rsa,ssh-rsa-cert-v01 at openssh.com
> PubkeyAcceptedAlgorithms +ssh-rsa,ssh-rsa-cert-v01 at openssh.com
> or
> HostkeyAlgorithms +ssh-rsa-cert-v01 at openssh.com,ssh-rsa
> PubkeyAcceptedAlgorithms +ssh-rsa-cert-v01 at openssh.com,ssh-rsa
> 
> to my .ssh/config and still receive an error message of:
> 
> agent key RSA-CERT SHA256:..... returned incorrect signature type
> sign_and_send_pubkey: no mutual signature supported
> 
> if I update-crpyto-policies to the DEFAULT policy, the connectivity works
> correctly.  I'm a bit confused as to why openssh isn't using my
personal
> config settings to override the system wide settings or am I not setting
> the necessary or is this by design?
> 
> ---
> 
> 
> Regards,
> 
> Kevin Martin
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Lol!  Our Security team sent out new policies that dictated turning off
ssh-rsa, so *we did.  turns out our Security Team doesn't necessarily
follow their own dictates, so here we are.  Our Linux team says that the
correct way to turn off ssh-rsa is via the crypto policies, not via direct
manipulation of the /etc/ssh/ssh_config, and I guess that's probably the
absolute best way to do so, but then I have this situation to deal with.  I
like the idea of leaving crypto policies defaulted, updating the ssh_config
at the system level to disable ssh-rsa, and then overriding in my local
.ssh/config file.  probably the only way I'll get this to work and still
technically follow Security team rules.   Thanks for the information.

---


Regards,

Kevin Martin


On Mon, Sep 9, 2024 at 10:41?AM Jan Schermer <jan at schermer.cz> wrote:
> The crypto policies are system-wide to disallow any software (using system
> crypto) from using unsafe/weak/unwanted algorithm, which is exactly what
> you are trying to do.
>
> You?ll need to allow that system-wide by default, unfortunately. Luckily
> you can then disallow ssh-rsa in ssh-config by default and only enable it
> for a few hosts.
>
> The correct solution is to throw whatever requires it to the garbage and
> never buy from that vendor again.
>
> Jan
>
>
> > On 9. 9. 2024, at 17:04, kevin martin <ktmdms at gmail.com>
wrote:
> >
> > I'm using the most up to date version of openssh on OL8 that I can
patch
> to
> > (OpenSSH_8.0p1), I've used update-crypto-policies to disallow the
use of
> > ssh-rsa, but apparently am connecting to a host that uses ssh-rsa. 
I've
> > tried adding
> >
> > HostkeyAlgorithms +ssh-rsa,ssh-rsa-cert-v01 at openssh.com
> > PubkeyAcceptedAlgorithms +ssh-rsa,ssh-rsa-cert-v01 at openssh.com
> > or
> > HostkeyAlgorithms +ssh-rsa-cert-v01 at openssh.com,ssh-rsa
> > PubkeyAcceptedAlgorithms +ssh-rsa-cert-v01 at openssh.com,ssh-rsa
> >
> > to my .ssh/config and still receive an error message of:
> >
> > agent key RSA-CERT SHA256:..... returned incorrect signature type
> > sign_and_send_pubkey: no mutual signature supported
> >
> > if I update-crpyto-policies to the DEFAULT policy, the connectivity
works
> > correctly.  I'm a bit confused as to why openssh isn't using
my personal
> > config settings to override the system wide settings or am I not
setting
> > the necessary or is this by design?
> >
> > ---
> >
> >
> > Regards,
> >
> > Kevin Martin
> > _______________________________________________
> > openssh-unix-dev mailing list
> > openssh-unix-dev at mindrot.org
> > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
>

Hi,

On Mon, Sep 09, 2024 at 05:41:42PM +0200, Jan Schermer
wrote:
> The correct solution is to throw whatever requires it to the garbage and
never buy from that vendor again.
As nice as this sounds, the selection of possible algorithms on the
(usually "internal network only") management interface is waaaaay low
on the priority list when shopping for a $50k router...

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             gert at
greenie.muc.de