Description of problem:
This was originally reported as a different bug in libssh, where libssh was not able to connect to some old openssh servers (6.7, without support for SHA2 RSA signatures).

https://bugs.libssh.org/T277

The root cause (crypto policies disabling SHA1) was promptly identified, but what was surprising was the openssh behavior, which automatically backed down to SHA1 RSA signatures even though the configuration explicitly does not allow it. I think this is caused by the compat flags that are on for old openssh servers, which make sure we do not send them unknown signatures, but this is not fine from the policy point of view, where we claim SHA1 is disabled, but it is not the case.

Version-Release number of selected component (if applicable):
current

How reproducible:
deterministic

Steps to Reproduce:
0. Make sure the crypto policy is set to DEFAULT or higher (disabling SHA1)
1. Create an RSA key
2. Copy the public key to the old server's (e.g. 6.7) authorized_keys file
3. Try to connect to the server using the key

Actual results:
succeeds, ssh-rsa (SHA1 signature is used)

Expected results:
fail

Additional info:
Authentication using SHA1 should not be attempted when the signature algorithm is not in PubkeyAcceptedKeyTypes/PubkeyAcceptedAlgorithms. This is correctly enforced when the server is new and knows SHA2, but not in the case of old servers with compat bits.
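An added example, not part of the original report and not OpenSSH code: a check for the behaviour described above that compares the signature algorithm a client actually used against the list its effective configuration allows. The `ssh -G` and `ssh -vvv` excerpts are constructed samples, the host name and function names are hypothetical, and the exact format of the `signing using` debug line is an assumption.

```python
import fnmatch
import re

# Constructed sample: effective client config as printed by `ssh -G <host>`.
SAMPLE_CONFIG = """\
hostname old-server.example
pubkeyacceptedalgorithms rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
"""

# Constructed sample of `ssh -vvv` output against an old server. The format of
# the "signing using" debug3 line is an assumption and may differ by version.
SAMPLE_LOG = """\
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7
debug1: Offering public key: /home/user/.ssh/id_rsa RSA SHA256:CONSTRUCTED
debug3: sign_and_send_pubkey: signing using ssh-rsa SHA256:CONSTRUCTED
"""

# The report names both spellings of the option, so accept either one.
OPTION_NAMES = ("pubkeyacceptedalgorithms", "pubkeyacceptedkeytypes")
SIGNING_RE = re.compile(r"sign_and_send_pubkey: signing using (\S+)")


def allowed_algorithms(config_text):
    """Return the public key algorithm patterns the client config permits."""
    for line in config_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() in OPTION_NAMES:
            return [p.strip() for p in parts[1].split(",") if p.strip()]
    return []  # option not found: every signature is treated as a violation


def signing_algorithms(log_text):
    """Return every signature algorithm the client reported using, in order."""
    return SIGNING_RE.findall(log_text)


def policy_violations(config_text, log_text):
    """Algorithms that were used for signing but match no allowed pattern."""
    allowed = allowed_algorithms(config_text)
    return [alg for alg in signing_algorithms(log_text)
            if not any(fnmatch.fnmatchcase(alg, pat) for pat in allowed)]


if __name__ == "__main__":
    for alg in policy_violations(SAMPLE_CONFIG, SAMPLE_LOG):
        print(f"policy violation: signed with {alg}, not in allowed list")
```
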
This bug appears to have been reported against 'rawhide' during the Fedora 35 development cycle. Changing version to 35.
The changes fixing this issue on the OpenSSL level should land in F37 or F38. Closing.