Displaying 20 results from an estimated 86 matches for "hostkeyalgorithms".
2020 Feb 06
3
Call for testing: OpenSSH 8.2
...nSSH 8.2p1 is almost ready for release, so we would appreciate testing
> > on as many platforms and systems as possible. This is a feature release.
>
> > * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These
> This actually affects me: github.com has very limited HostKeyAlgorithms
> advertised and my attempts to filter acceptable algorithms are based
> around lines from `ssh -Q key` (since before the newer - support for
> filtering) so I've been re-enabling ssh-rsa for github.com, missing that
> there was another option. I think I've stopped using client...
2020 Mar 02
4
Question about host key algorithms
$ ssh -Q HostKeyAlgorithms
Unsupported query "HostKeyAlgorithms"
$ ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2u 20 Dec 2019
On Mon, Mar 2, 2020 at 2:24 PM Christian Hesse <list at eworm.de> wrote:
> Luveh Keraph <1.41421 at gmail.com> on Mon, 2020/03/02 14:07:
> > When I do ssh -Q key, where ssh is...
2020 Mar 02
3
Question about host key algorithms
...6
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
ssh-rsa-cert-v01@openssh.com
ssh-dss-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com
The thing is, one can invoke both client and server with -o
HostKeyAlgorithms=rsa-sha2-256, or -o HostKeyAlgorithms=rsa-sha2-512, and
everything's OK.
Why is it that rsa-sha2-* are not displayed in the output above? In fact,
no option to -Q elicits them, and they are not mentioned in the OpenSSH
client and server man pages.
Is this intentional?
2016 Dec 23
5
[Bug 2650] New: UpdateHostKeys ignores RSA keys if HostKeyAlgorithms=rsa-sha2-256
https://bugzilla.mindrot.org/show_bug.cgi?id=2650
Bug ID: 2650
Summary: UpdateHostKeys ignores RSA keys if
HostKeyAlgorithms=rsa-sha2-256
Product: Portable OpenSSH
Version: 7.4p1
Hardware: All
OS: All
Status: NEW
Severity: trivial
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: arane...
2018 May 25
5
Strange crypto choices
The defaults for HostKeyAlgorithms option are:
ecdsa-sha2-nistp256-cert-v01@openssh.com,
ecdsa-sha2-nistp384-cert-v01@openssh.com,
ecdsa-sha2-nistp521-cert-v01@openssh.com,
ssh-ed25519-cert-v01@openssh.com,
ssh-rsa-cert-v01@openssh.com,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
ssh-ed25519,ssh-rsa...
2024 Aug 26
1
[Bug 3725] New: Unclear error when configuring 'ed25519' as HostKeyAlgorithms
https://bugzilla.mindrot.org/show_bug.cgi?id=3725
Bug ID: 3725
Summary: Unclear error when configuring 'ed25519' as
HostKeyAlgorithms
Product: Portable OpenSSH
Version: 9.8p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: noratrieb...
2025 Jan 20
3
[Bug 3779] New: SHA1 deprecation
...t_ext_info:
server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
Also, using this command : ssh -o HostKeyAlgorithms=+ssh-rsa
<hostname>, I am allowed to login on the machine using OpenSSH_8.4p1
Debian-2~bpo10+1
Similarly, on a Debian 12 machine where we have OpenSSH_9.2p1
Debian-2+deb12u4, OpenSSL 3.0.15 3 Sep 2024 if I run ssh -o
HostKeyAlgorithms=+ssh-rsa <hostname>, I am able to login.
I had add...
2020 May 03
10
[Bug 3157] New: known_hosts @cert-authority with legacy plain key entry drops incorrect set of HostKeyAlgorithms
https://bugzilla.mindrot.org/show_bug.cgi?id=3157
Bug ID: 3157
Summary: known_hosts @cert-authority with legacy plain key
entry drops incorrect set of HostKeyAlgorithms
Product: Portable OpenSSH
Version: 8.1p1
Hardware: All
OS: Mac OS X
Status: NEW
Severity: normal
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: paullkapp at g...
2011 Jan 24
1
ECDSA and first connection; bug?
Folks,
I read the 5.7 release announcement and updated, to try out ECDSA. Most
parts worked very smoothly. The inability to create SSHFP records is
understandable, since IANA haven't allocated a code yet.
One apparent bug: I think StrictHostKeyChecking=ask is broken for ECDSA.
% ssh -o HostKeyAlgorithms=ecdsa-sha2-nistp256 localhost
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on y...
2024 Sep 09
1
OL8 (RHEL8), ssh-rsa turned off using update-crypto-policies, receiving an openssh error that I don't seem to be able to override in my personal .ssh/config file
I'm using the most up to date version of openssh on OL8 that I can patch to
(OpenSSH_8.0p1), I've used update-crypto-policies to disallow the use of
ssh-rsa, but apparently am connecting to a host that uses ssh-rsa. I've
tried adding
HostkeyAlgorithms +ssh-rsa,ssh-rsa-cert-v01@openssh.com
PubkeyAcceptedAlgorithms +ssh-rsa,ssh-rsa-cert-v01@openssh.com
or
HostkeyAlgorithms +ssh-rsa-cert-v01@openssh.com,ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa-cert-v01@openssh.com,ssh-rsa
to my .ssh/config and still receive an error message of:
agent...
2018 May 27
2
Strange crypto choices
...is case?
>
> On Sun, May 27, 2018 at 5:09 AM, Damien Miller <djm at mindrot.org> wrote:
> > On Sat, 26 May 2018, Christian Weisgerber wrote:
> >
> >> On 2018-05-25, Yegor Ievlev <koops1997 at gmail.com> wrote:
> >>
> >> > The defaults for HostKeyAlgorithms option are: [...]
> >> > Why does OpenSSH prefer older and less secure
> >> > (https://safecurves.cr.yp.to/) ECDSA with NIST curves over Ed25519?
> >>
> >> I asked Markus and Damien about this in the past but honestly don't
> >> remember the an...
2020 Feb 06
3
Call for testing: OpenSSH 8.2
On 2020-02-06 at 13:28 +1100, Darren Tucker wrote:
> Like this.
> --- a/sshd_config.5
> +++ b/sshd_config.5
The ssh_config.5 also has a copy of this and presumably needs the same
change, unless I've misunderstood.
-Phil
2018 May 27
2
Strange crypto choices
On Mon, 28 May 2018, Yegor Ievlev wrote:
> Can we prefer RSA to ECDSA? For example:
> HostKeyAlgorithms
> ssh-rsa,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256
not without a good reason
2024 Sep 09
2
OL8 (RHEL8), ssh-rsa turned off using update-crypto-policies, receiving an openssh error that I don't seem to be able to override in my personal .ssh/config file
....com> wrote:
>
> I'm using the most up to date version of openssh on OL8 that I can patch to
> (OpenSSH_8.0p1), I've used update-crypto-policies to disallow the use of
> ssh-rsa, but apparently am connecting to a host that uses ssh-rsa. I've
> tried adding
>
> HostkeyAlgorithms +ssh-rsa,ssh-rsa-cert-v01@openssh.com
> PubkeyAcceptedAlgorithms +ssh-rsa,ssh-rsa-cert-v01@openssh.com
> or
> HostkeyAlgorithms +ssh-rsa-cert-v01@openssh.com,ssh-rsa
> PubkeyAcceptedAlgorithms +ssh-rsa-cert-v01@openssh.com,ssh-rsa
>
> to my .ssh/config and still recei...
2003 May 07
1
Manual Page for ssh_config
Hello,
I am using OpenSSH on a FreeBSD box
(OpenSSH_3.5p1 FreeBSD-20030201, SSH protocols 1.5/2.0, OpenSSL 0x0090701f)
and I noticed that the manual page for ssh_config probably needs to be
fixed. The manual page says that the default value for the parameter
HostKeyAlgorithms is "ssh-rsa,ssh-dss" but that seems to be wrong,
because ssh only uses RSA-Keys in my .ssh/known_hosts if I
explicitly set the parameter with "ssh-rsa,ssh-dss". If the
parameter remains commented out, ssh doesn't use the already known
RSA key:
WARNING: RSA key found for ho...
2018 Nov 01
8
[Bug 2924] New: Order a limited host keys list in client based on the known hosts
...enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: jjelen at redhat.com
Created attachment 3198
--> https://bugzilla.mindrot.org/attachment.cgi?id=3198&action=edit
possibility to order host keys in client
The HostKeyAlgorithms option in the client has a difference from all
the other algorithm limiting options that should be sorted according to
the list of known hosts available. This works fine out of the box with
default negotiated list, but when one tries to limit (or extend) the
algorithm list to something else than de...
2024 Sep 09
1
OL8 (RHEL8), ssh-rsa turned off using update-crypto-policies, receiving an openssh error that I don't seem to be able to override in my personal .ssh/config file
...'m using the most up to date version of openssh on OL8 that I can patch
> to
> > (OpenSSH_8.0p1), I've used update-crypto-policies to disallow the use of
> > ssh-rsa, but apparently am connecting to a host that uses ssh-rsa. I've
> > tried adding
> >
> > HostkeyAlgorithms +ssh-rsa,ssh-rsa-cert-v01@openssh.com
> > PubkeyAcceptedAlgorithms +ssh-rsa,ssh-rsa-cert-v01@openssh.com
> > or
> > HostkeyAlgorithms +ssh-rsa-cert-v01@openssh.com,ssh-rsa
> > PubkeyAcceptedAlgorithms +ssh-rsa-cert-v01@openssh.com,ssh-rsa
> >
> > to m...
2013 May 07
2
SSH key exchange algorithm negotiation payload growth
...ding RFC 4253 sections 6.2 - 6.5 and section 7.1 as saying that implementations must be prepared to accept an arbitrary number of algorithms of each type during initial key exchange?
When I was troubleshooting this issue I tried playing around with different combinations of -o KexAlgorithms and -o HostKeyAlgorithms at the command line. Are there other configuration parameters for the other name-lists during algorithm negotiation, e.g. encryption_algorithms_client_to_server, compression_algorithms_server_to_client, etc?
Thanks in advance!
Best,
Kent
2018 May 27
2
Strange crypto choices
On Sat, 26 May 2018, Christian Weisgerber wrote:
> On 2018-05-25, Yegor Ievlev <koops1997 at gmail.com> wrote:
>
> > The defaults for HostKeyAlgorithms option are: [...]
> > Why does OpenSSH prefer older and less secure
> > (https://safecurves.cr.yp.to/) ECDSA with NIST curves over Ed25519?
>
> I asked Markus and Damien about this in the past but honestly don't
> remember the answer. Some of the potential reasons (lack o...
2017 Jan 30
6
[Bug 2673] New: Multiple ssh keys for a given server
https://bugzilla.mindrot.org/show_bug.cgi?id=2673
Bug ID: 2673
Summary: Multiple ssh keys for a given server
Product: Portable OpenSSH
Version: -current
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org