similar to: [Bug 3830] New: SSHD won't start

On 2020-02-05 at 20:39 -0500, Phil Pennock wrote: > On 2020-02-06 at 10:29 +1100, Damien Miller wrote: > > OpenSSH 8.2p1 is almost ready for release, so we would appreciate testing > > on as many platforms and systems as possible. This is a feature release. > > > * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These > This actually affects me:

$ ssh -Q HostKeyAlgorithms Unsupported query "HostKeyAlgorithms" $ ssh -V OpenSSH_7.4p1, OpenSSL 1.0.2u 20 Dec 2019 On Mon, Mar 2, 2020 at 2:24 PM Christian Hesse <list at eworm.de> wrote: > Luveh Keraph <1.41421 at gmail.com> on Mon, 2020/03/02 14:07: > > When I do ssh -Q key, where ssh is the OpenSSH 7.4p1 client, I get the > > following output: > >

When I do ssh -Q key, where ssh is the OpenSSH 7.4p1 client, I get the following output: ssh-ed25519 ssh-ed25519-cert-v01 at openssh.com ssh-rsa ssh-dss ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-rsa-cert-v01 at openssh.com ssh-dss-cert-v01 at openssh.com ecdsa-sha2-nistp256-cert-v01 at openssh.com ecdsa-sha2-nistp384-cert-v01 at openssh.com ecdsa-sha2-nistp521-cert-v01 at

https://bugzilla.mindrot.org/show_bug.cgi?id=2650 Bug ID: 2650 Summary: UpdateHostKeys ignores RSA keys if HostKeyAlgorithms=rsa-sha2-256 Product: Portable OpenSSH Version: 7.4p1 Hardware: All OS: All Status: NEW Severity: trivial Priority: P5 Component: ssh

Hello, I am using OpenSSH on a FreeBSD box (OpenSSH_3.5p1 FreeBSD-20030201, SSH protocols 1.5/2.0, OpenSSL 0x0090701f) and I noticed that the manual page for ssh_config probably needs to be fixed. The manual page says that the default value for the parameter HostKeyAlgorithms is "ssh-rsa,ssh-dss" but that seems to be wrong, because ssh only uses RSA-Keys in my .ssh/known_hosts if I

The defaults for HostKeyAlgorithms option are: ecdsa-sha2-nistp256-cert-v01 at openssh.com, ecdsa-sha2-nistp384-cert-v01 at openssh.com, ecdsa-sha2-nistp521-cert-v01 at openssh.com, ssh-ed25519-cert-v01 at openssh.com, ssh-rsa-cert-v01 at openssh.com, ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, ssh-ed25519,ssh-rsa Why does OpenSSH prefer older and less secure

https://bugzilla.mindrot.org/show_bug.cgi?id=3779 Bug ID: 3779 Summary: SHA1 deprecation Product: Portable OpenSSH Version: 8.4p1 Hardware: Other OS: Linux Status: NEW Severity: trivial Priority: P5 Component: ssh Assignee: unassigned-bugs at mindrot.org Reporter:

I'm using the most up to date version of openssh on OL8 that I can patch to (OpenSSH_8.0p1), I've used update-crypto-policies to disallow the use of ssh-rsa, but apparently am connecting to a host that uses ssh-rsa. I've tried adding HostkeyAlgorithms +ssh-rsa,ssh-rsa-cert-v01 at openssh.com PubkeyAcceptedAlgorithms +ssh-rsa,ssh-rsa-cert-v01 at openssh.com or HostkeyAlgorithms

Folks, I read the 5.7 release announcement and updated, to try out ECDSA. Most parts worked very smoothly. The inability to create SSHFP records is understandable, since IANA haven't allocated a code yet. One apparent bug: I think StrictHostKeyChecking=ask is broken for ECDSA. % ssh -o HostKeyAlgorithms=ecdsa-sha2-nistp256 localhost

there are more implications to changing key algorithms than KEX algorithms. If a change is made to the specification, then it might invalidate all the keys that are out there, this isn't the case with any other negotiated algorithm, On Sun, 27 May 2018, Yegor Ievlev wrote: > I don't think we should wait for a RFC in order to use stronger > crypto. We already prefer Curve25519 for

The crypto policies are system-wide to disallow any software (using system crypto) from using unsafe/weak/unwanted algorithm, which is exactly what you are trying to do. You?ll need to allow that system-wide by default, unfortunately. Luckily you can then disallow ssh-rsa in ssh-config by default and only enable it for a few hosts. The correct solution is to throw whatever requires it to the

On Mon, 28 May 2018, Yegor Ievlev wrote: > Can we prefer RSA to ECDSA? For example: > HostKeyAlgorithms > ssh-rsa,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 not without a good reason

Lol! Our Security team sent out new policies that dictated turning off ssh-rsa, so *we did. turns out our Security Team doesn't necessarily follow their own dictates, so here we are. Our Linux team says that the correct way to turn off ssh-rsa is via the crypto policies, not via direct manipulation of the /etc/ssh/ssh_config, and I guess that's probably the absolute best way to do so,

Howdy- TL;DR An SSH daemon for a memory-constrained embedded platform didn't work with a recent OpenSSH client because it couldn't handle the payload size during key exchange. In general, what should SSH implementors in such limited environments do to ensure forwards compatibility with future OpenSSH releases? I am unable to SSH to any of my HP servers' iLO2 interfaces using

On Sat, 26 May 2018, Christian Weisgerber wrote: > On 2018-05-25, Yegor Ievlev <koops1997 at gmail.com> wrote: > > > The defaults for HostKeyAlgorithms option are: [...] > > Why does OpenSSH prefer older and less secure > > (https://safecurves.cr.yp.to/) ECDSA with NIST curves over Ed25519? > > I asked Markus and Damien about this in the past but honestly

https://bugzilla.mindrot.org/show_bug.cgi?id=2924 Bug ID: 2924 Summary: Order a limited host keys list in client based on the known hosts Product: Portable OpenSSH Version: 7.7p1 Hardware: Other OS: Linux Status: NEW Keywords: patch Severity: enhancement Priority:

Here you go: OpenSSH_7.9p1, OpenSSL 1.1.1d 10 Sep 2019 debug1: Reading configuration data /home/ryantm/.ssh/config debug1: /home/ryantm/.ssh/config line 4: Applying options for * debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 13: Applying options for * debug2: resolving "{REDACTED}" port 22 debug2: ssh_connect_direct debug1: Connecting to

https://bugzilla.mindrot.org/show_bug.cgi?id=2040 Priority: P5 Bug ID: 2040 Assignee: unassigned-bugs at mindrot.org Summary: Downgrade attack vulnerability when checking SSHFP records Severity: minor Classification: Unclassified OS: All Reporter: ondrej at caletka.cz Hardware: All

https://bugzilla.mindrot.org/show_bug.cgi?id=3157 Bug ID: 3157 Summary: known_hosts @cert-authority with legacy plain key entry drops incorrect set of HostKeyAlgorithms Product: Portable OpenSSH Version: 8.1p1 Hardware: All OS: Mac OS X Status: NEW Severity: normal Priority:

On Wed, Feb 01, 2017 at 09:19:22PM +0200, Michael S. Tsirkin wrote: > On Wed, Feb 01, 2017 at 06:27:09PM +0000, Will Deacon wrote: > > On Wed, Feb 01, 2017 at 08:09:21PM +0200, Michael S. Tsirkin wrote: > > > I'd like to do that instead. It's fastboot doing the unreasonable thing > > > here and deviating from what every other legacy device without exception >