Bug 2119694

Summary: openssl-3.0.1-41.el9_0 does not allow ssh-rsa host keys for ssh
Product: Red Hat Enterprise Linux 9
Reporter: LiLiang <liali>
Component: openssh
Assignee: Dmitry Belyavskiy <dbelyavs>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Docs Contact: Jan Fiala <jafiala>
Priority: medium
Version: 9.1
CC: gfialova, jafiala, jjelen, tscherf
Target Milestone: rc
Keywords: Documentation, Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Enhancement
Doc Text:
.Minimal RSA key bit length option in OpenSSH
Accidentally using short RSA keys might make the system more vulnerable to attacks. With this update, you can set RSA key minimal bit lengths for OpenSSH servers and clients. To define the minimal RSA key length, use the new `RSAMinSize` option in the `/etc/ssh/sshd_config` file for OpenSSH servers, and in the `/etc/ssh/ssh_config` file for OpenSSH clients.
Story Points: ---
Last Closed: 2022-09-08 12:55:18 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 2091421

Description LiLiang 2022-08-19 08:01:42 UTC
Description of problem:
Using a recent distro (RHEL-9.1.0-20220817.6), ssh to our switches always fails with the error below:
# ssh redhat.88.10
Unable to negotiate with 10.73.88.10 port 22: no matching host key type found. Their offer: ssh-rsa

#update-crypto-policies --set LEGACY
Setting system policy to LEGACY
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.

# ssh redhat.88.10
Bad server host key: Invalid key length

Using distro RHEL-9.1.0-20220810.1, this issue doesn't happen.
# ssh redhat.88.10
Unable to negotiate with 10.73.88.10 port 22: no matching host key type found. Their offer: ssh-rsa

# update-crypto-policies --set LEGACY
Setting system policy to LEGACY
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.

# ssh redhat.88.10
The authenticity of host '10.73.88.10 (10.73.88.10)' can't be established.
RSA key fingerprint is SHA256:+34HF3P+jlb6h3PwhTWxO+2xKrcAK4mb93n51SeKuqQ.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes


"update-crypto-policies --set LEGACY" is a workaround suggested by https://bugzilla.redhat.com/show_bug.cgi?id=2060232#c9, but it doesn't work with the recent distro (RHEL-9.1.0-20220817.6).


Version-Release number of selected component (if applicable):
RHEL-9.1.0-20220817.6
openssl-3.0.1-41.el9_0.x86_64

How reproducible:
always

Steps to Reproduce:
1. install RHEL-9.1.0-20220817.6
2. ssh to our switch:
# ssh redhat.88.10
Bad server host key: Invalid key length

Actual results:


Expected results:


Additional info:
This issue does not occur with the software versions below:
5.14.0-143.el9.x86_64
openssl-3.0.1-40.el9_0.x86_64

This issue affects our testing, because we need to connect to our switches using ssh in our automated cases.

Is there another workaround for this?

Comment 1 Dmitry Belyavskiy 2022-08-19 08:24:59 UTC
Is smth like 

==========
Host myveryoldhost
        PubkeyAcceptedKeyTypes=+ssh-rsa
        HostKeyAlgorithms=+ssh-rsa
        RSAMinSize 1024  
==========
in .ssh/config a solution?

What version of crypto-policies do you use?

Comment 2 LiLiang 2022-08-19 09:01:04 UTC
(In reply to Dmitry Belyavskiy from comment #1)
> Is smth like 
> 
> ==========
> Host myveryoldhost
>         PubkeyAcceptedKeyTypes=+ssh-rsa
>         HostKeyAlgorithms=+ssh-rsa
>         RSAMinSize 1024  
> ==========
> in .ssh/config a solution?
> 

# cat ~/.ssh/config 
Host *
KexAlgorithms +diffie-hellman-group1-sha1

> What version of crypto-policies do you use?

# rpm -q crypto-policies
crypto-policies-20220815-1.git0fbe86f.el9.noarch

Thank you!

Comment 3 Dmitry Belyavskiy 2022-08-19 09:05:38 UTC
So did you try my proposal? RSAMinSize is a new parameter limiting RSA key length.

Comment 4 LiLiang 2022-08-19 09:12:42 UTC
(In reply to Dmitry Belyavskiy from comment #3)
> So did you try my proposal? RSAMinSize is a new parameter limiting RSA key
> length.

This works for me. Thank you!

Host *
        PubkeyAcceptedKeyTypes=+ssh-rsa
        HostKeyAlgorithms=+ssh-rsa
        RSAMinSize 1024

Comment 5 Dmitry Belyavskiy 2022-08-19 09:17:04 UTC
I strongly suggest that you
- specify the exact host for this limitation
- see if it works without PubkeyAcceptedKeyTypes and HostKeyAlgorithms

Comment 7 LiLiang 2022-08-19 09:31:08 UTC
(In reply to Dmitry Belyavskiy from comment #5)
> I strongly suggest 
> - specify exact host for this limitation
> - See if it will work without PubkeyAcceptedKeyTypes and HostKeyAlgorithms

This configuration also works.
Is there another, simpler method to achieve this, e.g. a one-line command?
I ask this because we need to configure this in all our automated jobs.

```
# cat ~/.ssh/config 
Host 10.73.88.7
        RSAMinSize 1024
Host 10.73.88.10
        RSAMinSize 1024
```

Comment 8 Dmitry Belyavskiy 2022-08-19 09:37:32 UTC
You can add -o RSAMinSize to your ssh command line or implement some crypto-policy subpolicy.

But again, 1024 bit RSA keys are definitely insecure nowadays and you should limit this configuration to the hosts that really need it - and probably upgrade those hosts to use ec-based keys and, at least, longer RSA keys.
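
One way to do what comments 5 and 8 ask for inside an automation job: take each switch's RSA host key, work out its modulus length, and emit a per-host `RSAMinSize` stanza only where the key is below the policy minimum, so every other host stays under the system-wide policy. This is an added example, not code from the bug report, OpenSSH or crypto-policies; it assumes the key lines come from `ssh-keyscan -t rsa` (or a known_hosts file), that the DEFAULT policy requires 2048-bit RSA, and that 1024 is the lowest value `RSAMinSize` accepts (the sample keys are constructed, not real moduli).

```python
import base64
import struct

# Assumptions (not from the bug report): the system-wide DEFAULT crypto policy
# requires 2048-bit RSA, and 1024 is the smallest value RSAMinSize accepts.
POLICY_MIN_BITS = 2048
RSAMINSIZE_FLOOR = 1024

def _ssh_string(data):
    """SSH wire-format string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(value):
    """SSH mpint for a positive integer (leading 0x00 when the high bit is set)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return _ssh_string(b"\x00" + raw if raw[0] & 0x80 else raw)

def make_keyscan_line(host, e, n):
    """Constructed 'host ssh-rsa <base64>' line in the format ssh-keyscan prints."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"

def rsa_bits_from_keyscan_line(line):
    """Return (host, modulus bit length) for one 'ssh-keyscan -t rsa' output line."""
    host, keytype, b64 = line.split()[:3]
    if keytype != "ssh-rsa":
        raise ValueError(f"{host}: not an ssh-rsa host key ({keytype})")
    blob, fields, off = base64.b64decode(b64), [], 0
    while off < len(blob):  # blob layout: string "ssh-rsa", mpint e, mpint n
        (length,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + length])
        off += 4 + length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError(f"{host}: malformed ssh-rsa key blob")
    return host, int.from_bytes(fields[2], "big").bit_length()

def ssh_config_overrides(keyscan_lines, min_bits=POLICY_MIN_BITS):
    """Per-host stanzas only for hosts whose RSA host key is below the policy
    minimum; hosts too short even for RSAMinSize are reported separately."""
    stanzas, too_short = [], []
    for line in keyscan_lines:
        host, bits = rsa_bits_from_keyscan_line(line)
        if bits < RSAMINSIZE_FLOOR:
            too_short.append((host, bits))  # no client-side option admits these
        elif bits < min_bits:
            stanzas.append(f"Host {host}\n        RSAMinSize {RSAMINSIZE_FLOOR}")
    return "\n".join(stanzas), too_short
```

The returned text can be appended to ~/.ssh/config by the job, while hosts in the second return value need a key upgrade on the switch rather than a client setting.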

Comment 10 LiLiang 2022-08-19 10:22:27 UTC
Dmitry,

Which software update causes this problem: openssl or crypto-policies?

I need to know this so that I can check its version in my code and only update .ssh/config when needed.

Liang

Comment 11 Dmitry Belyavskiy 2022-08-19 10:34:17 UTC
The problem is on the remote side, which uses an old, unsafe key length. It's much better to fix the problem there.
The limitation is established by crypto-policies.