|Summary:||Support of HostKeyAlgorithms for sshd|
|Product:||Red Hat Enterprise Linux 7||Reporter:||Frank Büttner <bugzilla>|
|Component:||openssh||Assignee:||Jakub Jelen <jjelen>|
|Status:||CLOSED ERRATA||QA Contact:||Stefan Dordevic <sdordevi>|
|Severity:||medium||Docs Contact:||Mirek Jahoda <mjahoda>|
|Version:||7.2||CC:||jjelen, nmavrogi, pvrabec, sdordevi, szidek|
|Fixed In Version:||openssh-7.4p1-1.el7||Doc Type:||Enhancement|
Feature: The option HostKeyAlgorithms enables to select preferred host key types when connecting to remote servers. Reason: Some of the key types (DSA) are not considered secure enough and there was no possibility to disable them in runtime. Result: The feature allows to remove possibly insecure key types in runtime and prevent possible security issues.
|Last Closed:||2017-08-01 18:42:47 UTC||Type:||Bug|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
|Bug Depends On:||1341754|
Description Frank Büttner 2016-07-28 05:49:15 UTC
Description of problem: Under openssh 6.6 it it not possible to set the server host key algorithms. Version-Release number of selected component (if applicable): openssh-server-6.6.1p1-25.el7_2.x86_64 How reproducible: Every time Steps to Reproduce: 1. add HostKeyAlgorithms to the sshd config file 2. restart sshd Actual results: /etc/ssh/sshd_config: line 157: Bad configuration option: HostKeyAlgorithms Expected results: That this is known Additional info: The option was introduced with OpenSSH 7.0. See: http://www.openssh.com/txt/release-7.0
Comment 1 Jakub Jelen 2016-07-28 07:44:24 UTC
Hello Frank, Thank you for taking the time to enter a bug report with us. We appreciate the feedback and look to use reports such as this to guide our efforts at improving our products. That being said, this bug tracking system is not a mechanism for requesting support, and we are not able to guarantee the timeliness or suitability of a resolution. If this issue is critical or in any way time sensitive, please raise a ticket through your regular Red Hat support channels to make certain it receives the proper attention and prioritization to assure a timely resolution. For information on how to contact the Red Hat production support team, please visit: https://access.redhat.com/support/
Comment 3 Jakub Jelen 2016-09-06 09:59:43 UTC
This can be resolved by rebase to upstream openssh, or by backporting several patches: https://github.com/openssh/openssh-portable/commit/3a1638d (change) https://github.com/openssh/openssh-portable/commit/6310f60 (fixes) https://github.com/openssh/openssh-portable/commit/60a9247 (fixes) https://github.com/openssh/openssh-portable/commit/5bf0933 (test cases modifications) This change is also deprecating DSA keys from the server and client side, which we should not break, unless we have a good reason to and it is well documented (in either case).
Comment 7 Jakub Jelen 2017-05-26 09:47:47 UTC
This is expected behavior as described in upstream mailing list thread: http://lists.mindrot.org/pipermail/openssh-unix-dev/2017-April/035927.html In short, the extension is still a draft and there is no reasonable way to "overwrite" the standard ssh-rsa with this extension. At some point, we will certainly want to address this issue and do not use SHA1 altogether, but so far there is no way how to do that (mainly because the SHA2 hashes are extensions to the standard ssh-rsa).
Comment 9 errata-xmlrpc 2017-08-01 18:42:47 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2017:2029