1360973 – Support of HostKeyAlgorithms for sshd

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1360973 - Support of HostKeyAlgorithms for sshd

Summary: Support of HostKeyAlgorithms for sshd

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	openssh
Sub Component:
Version:	7.2
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Jakub Jelen
QA Contact:	Stefan Dordevic
Docs Contact:	Mirek Jahoda
URL:
Whiteboard:
Depends On:	1341754
Blocks:
TreeView+	depends on / blocked

Reported:	2016-07-28 05:49 UTC by Frank Büttner
Modified:	2017-08-01 18:42 UTC (History)
CC List:	5 users (show)
Fixed In Version:	openssh-7.4p1-1.el7
Doc Type:	Enhancement
Doc Text:	Feature: The option HostKeyAlgorithms enables to select preferred host key types when connecting to remote servers. Reason: Some of the key types (DSA) are not considered secure enough and there was no possibility to disable them in runtime. Result: The feature allows to remove possibly insecure key types in runtime and prevent possible security issues.
Clone Of:
Environment:
Last Closed:	2017-08-01 18:42:47 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2017:2029	0	normal	SHIPPED_LIVE	Moderate: openssh security, bug fix, and enhancement update	2017-08-01 18:11:55 UTC

Description Frank Büttner 2016-07-28 05:49:15 UTC

Description of problem:
Under openssh 6.6 it it not possible to set the server host key algorithms.

Version-Release number of selected component (if applicable):
openssh-server-6.6.1p1-25.el7_2.x86_64

How reproducible:
Every time

Steps to Reproduce:
1. add HostKeyAlgorithms to the sshd config file
2. restart sshd

Actual results:
/etc/ssh/sshd_config: line 157: Bad configuration option: HostKeyAlgorithms


Expected results:
That this is known

Additional info:
The option was introduced with OpenSSH 7.0.
See: http://www.openssh.com/txt/release-7.0

Comment 1 Jakub Jelen 2016-07-28 07:44:24 UTC

Hello Frank,

Thank you for taking the time to enter a bug report with us. We appreciate the feedback and look to use reports such as this to guide our efforts at improving our products. That being said, this bug tracking system is not a mechanism for requesting support, and we are not able to  guarantee the timeliness or suitability of a resolution.

If this issue is critical or in any way time sensitive, please raise a ticket through your regular Red Hat support channels to make certain  it receives the proper attention and prioritization to assure a timely resolution. 

For information on how to contact the Red Hat production support team, please visit:
https://access.redhat.com/support/

Comment 3 Jakub Jelen 2016-09-06 09:59:43 UTC

This can be resolved by rebase to upstream openssh, or by backporting several patches:

https://github.com/openssh/openssh-portable/commit/3a1638d (change)
https://github.com/openssh/openssh-portable/commit/6310f60 (fixes)
https://github.com/openssh/openssh-portable/commit/60a9247 (fixes)
https://github.com/openssh/openssh-portable/commit/5bf0933 (test cases modifications)

This change is also deprecating DSA keys from the server and client side, which we should not break, unless we have a good reason to and it is well documented (in either case).

Comment 7 Jakub Jelen 2017-05-26 09:47:47 UTC

This is expected behavior as described in upstream mailing list thread:

http://lists.mindrot.org/pipermail/openssh-unix-dev/2017-April/035927.html

In short, the extension is still a draft and there is no reasonable way to "overwrite" the standard ssh-rsa with this extension.

At some point, we will certainly want to address this issue and do not use SHA1 altogether, but so far there is no way how to do that (mainly because the SHA2 hashes are extensions to the standard ssh-rsa).

Comment 9 errata-xmlrpc 2017-08-01 18:42:47 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2029

Note You need to log in before you can comment on or make changes to this bug.