Bug 2127765
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | HostKeyAlgorithms option seems to be ignored when connecting to old ssh server | | |
| Product | [Fedora] Fedora | Reporter | H.Janssen <hmmsjan> |
| Component | openssh | Assignee | Dmitry Belyavskiy <dbelyavs> |
| Status | CLOSED WONTFIX | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | low | Docs Contact | |
| Priority | unspecified | | |
| Version | 37 | CC | crypto-team, dbelyavs, dwalsh, jjelen, lkundrak, mattias.ellert, ssorce, tm |
| Target Milestone | --- | Keywords | Triaged |
| Target Release | --- | | |
| Hardware | x86_64 | | |
| OS | Linux | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Last Closed | 2022-09-19 12:52:07 UTC | Type | Bug |
| Regression | --- | Story Points | --- |
Description
H.Janssen
2022-09-18 21:51:32 UTC
The problem has more moving parts than it looks at first sight. First, it's ssh-rsa, which is deprecated because of using SHA1. The normal workaround is to enable the crypto-policy DEFAULT:SHA1. Second is key bits, managed by RSAMinSize. Could you please decrease RSAMinSize as you did and try the DEFAULT:SHA1 crypto-policy? I agree that there is a problem with diagnostics. Thanks.

In the meantime I found out that apparently the patch seems to forbid overruling crypto-policies with HostKeyAlgorithms, and I tried a module containing

    sign@openssh-client = RSA-SHA1+ DSA-SHA1+
    min_rsa_size@openssh-client = 1024

Result:

    [root@lap2 hj]# update-crypto-policies --set DEFAULT
    Setting system policy to DEFAULT
    Note: System-wide crypto policies are applied on application start-up.
    It is recommended to restart the system for the change of policies to fully take place.
    [root@lap2 hj]# ssh -oHostKeyAlgorithms=+ssh-rsa hj.1.127
    Unable to negotiate with 192.168.1.127 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
    [root@lap2 hj]# update-crypto-policies --set DEFAULT:OLDSSH
    Setting system policy to DEFAULT:OLDSSH
    Note: System-wide crypto policies are applied on application start-up.
    It is recommended to restart the system for the change of policies to fully take place.
    [root@lap2 hj]# ssh -oHostKeyAlgorithms=+ssh-rsa hj.1.127
    -bash-3.2$ sshd -v
    sshd: illegal option -- v
    OpenSSH_5.9p1, OpenSSL 0.9.7m 23 Feb 2007

This moves the problem more to a proper error message/documentation/readthedocs problem.... Thanks!

Forgot to mention: DEFAULT:SHA1:

    [root@lap2 hj]# ssh -oHostKeyAlgorithms=+ssh-rsa hj.1.127
    Bad server host key: Invalid key length

Works after manually changing the key length in the backend, but I think that's not desired. Maybe min_rsa_size@openssh can be added to the SHA1 module?

No, it shouldn't. We don't allow such short RSA keys even in LEGACY policy.

So I think we could close the issue if you don't mind.

1K keys should never be used today, closing as we will not make this change.

Agree to close. The key length can be simply solved on the server, if there is access to it, by regenerating the keys with an acceptable size. Persisting problems: "ssh -Q HostKeyAlgorithms" shows ssh-rsa and ssh-dss as available, and "ssh -oHostKeyAlgorithms=+ssh-rsa" shows no clear error message.
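The thread above describes two independent client-side gates that produce two different failures: the SHA1 signature algorithms (ssh-rsa, ssh-dss) are cut from the HostKeyAlgorithms list by the crypto-policy regardless of `+ssh-rsa`, giving "no matching host key type found", and once SHA1 is re-enabled the server's 1024-bit key still fails the separate minimum-RSA-size check, giving "Bad server host key: Invalid key length". The following is an added example, not OpenSSH's code and not part of this bug report: a simplified Python model of those two gates, with constructed algorithm lists and a constructed `Policy` type whose defaults (SHA1 off, 2048-bit minimum) are assumptions for illustration. It also handles the `-` and `^` forms of the HostKeyAlgorithms option, which the report does not exercise.

```python
"""Model of the two client-side host-key gates discussed in the bug thread.

This is an illustration written for this page, not OpenSSH's implementation:
gate 1 is the policy filter applied to the (possibly +/-/^-modified)
HostKeyAlgorithms list; gate 2 is the RSA key-size check that only runs
after a host key type has actually been negotiated.
"""
from dataclasses import dataclass

# Constructed list in the spirit of `ssh -Q HostKeyAlgorithms`: what the
# binary supports, which is not the same as what the policy permits.
SUPPORTED = [
    "ssh-ed25519", "ecdsa-sha2-nistp256", "rsa-sha2-512", "rsa-sha2-256",
    "ssh-rsa", "ssh-dss",
]
# Constructed default preference list (no SHA1-based types).
DEFAULT_PREFERRED = ["ssh-ed25519", "ecdsa-sha2-nistp256", "rsa-sha2-512", "rsa-sha2-256"]

# Host key signature types that rely on SHA-1 and are removed by a policy
# that does not allow SHA1 signatures.
SHA1_SIGNATURES = {"ssh-rsa", "ssh-dss"}
RSA_TYPES = {"ssh-rsa", "rsa-sha2-256", "rsa-sha2-512"}


@dataclass
class Policy:
    """Assumed shape of the relevant crypto-policy knobs (illustrative)."""
    allow_sha1: bool = False     # like the DEFAULT:SHA1 subpolicy when True
    min_rsa_size: int = 2048     # like min_rsa_size@openssh-client / RSAMinSize


def apply_option(option, preferred=DEFAULT_PREFERRED, supported=SUPPORTED):
    """Expand a HostKeyAlgorithms value: plain list, or +append/-remove/^prepend."""
    names = option[1:].split(",") if option[:1] in "+-^" else option.split(",")
    names = [n for n in names if n in supported]
    if option.startswith("+"):
        return preferred + [n for n in names if n not in preferred]
    if option.startswith("-"):
        return [a for a in preferred if a not in names]
    if option.startswith("^"):
        return names + [a for a in preferred if a not in names]
    return names


def policy_filter(algs, policy):
    """Gate 1: the policy prunes SHA1 types after the user's option was applied."""
    if policy.allow_sha1:
        return list(algs)
    return [a for a in algs if a not in SHA1_SIGNATURES]


def negotiate(client_option, policy, server_offer, server_key_bits):
    """Return the message the client would report for this combination."""
    client = policy_filter(apply_option(client_option), policy)
    common = [a for a in client if a in server_offer]
    if not common:
        return ("Unable to negotiate: no matching host key type found. "
                "Their offer: " + ",".join(server_offer))
    chosen = common[0]
    # Gate 2: only reached once a type matched; independent of gate 1.
    if chosen in RSA_TYPES and server_key_bits < policy.min_rsa_size:
        return "Bad server host key: Invalid key length"
    return "host key type " + chosen + " accepted"


if __name__ == "__main__":
    old_server = ["ssh-rsa", "ssh-dss"]       # constructed: the server's offer
    print(negotiate("+ssh-rsa", Policy(), old_server, 1024))
    print(negotiate("+ssh-rsa", Policy(allow_sha1=True), old_server, 1024))
    print(negotiate("+ssh-rsa", Policy(allow_sha1=True), old_server, 3072))
```

The three calls in the usage block reproduce, in order, the DEFAULT result, the DEFAULT:SHA1 result, and the outcome after the server key has been regenerated at an acceptable size, which is the fix the thread settles on. Note that `-ssh-rsa` and `^ssh-rsa` go through the same policy filter, so prepending the type does not bypass gate 1 either.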