Bug 2119694 - openssl-3.0.1-41.el9_0 does not allow ssh-rsa host keys for ssh
Summary: openssl-3.0.1-41.el9_0 does not allow ssh-rsa host keys for ssh
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: openssh
Version: 9.1
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Dmitry Belyavskiy
QA Contact: BaseOS QE Security Team
Docs Contact: Jan Fiala
URL:
Whiteboard:
Depends On:
Blocks: 2091421
Reported: 2022-08-19 08:01 UTC by LiLiang
Modified: 2022-09-12 14:04 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Minimal RSA key bit length option in OpenSSH
Accidentally using short RSA keys might make the system more vulnerable to attacks. With this update, you can set RSA key minimal bit lengths for OpenSSH servers and clients. To define the minimal RSA key length, use the new `RSAMinSize` option in the `/etc/ssh/sshd_config` file for OpenSSH servers, and in the `/etc/ssh/ssh_config` file for OpenSSH clients.
Clone Of:
Environment:
Last Closed: 2022-09-08 12:55:18 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System                             ID               Last Updated
Red Hat Issue Tracker              CRYPTO-8132      2022-08-19 09:27:03 UTC
Red Hat Issue Tracker              RHELPLAN-131517  2022-08-19 08:03:54 UTC
Red Hat Knowledge Base (Solution)  6973518          2022-08-29 13:02:04 UTC

Description LiLiang 2022-08-19 08:01:42 UTC
Description of problem:
Using a recent distro (RHEL-9.1.0-20220817.6), ssh to our switches always fails with the error below:
# ssh redhat.88.10
Unable to negotiate with 10.73.88.10 port 22: no matching host key type found. Their offer: ssh-rsa

#update-crypto-policies --set LEGACY
Setting system policy to LEGACY
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.

# ssh redhat.88.10
Bad server host key: Invalid key length

Using distro RHEL-9.1.0-20220810.1, this issue doesn't happen.
# ssh redhat.88.10
Unable to negotiate with 10.73.88.10 port 22: no matching host key type found. Their offer: ssh-rsa

# update-crypto-policies --set LEGACY
Setting system policy to LEGACY
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.

# ssh redhat.88.10
The authenticity of host '10.73.88.10 (10.73.88.10)' can't be established.
RSA key fingerprint is SHA256:+34HF3P+jlb6h3PwhTWxO+2xKrcAK4mb93n51SeKuqQ.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes


"update-crypto-policies --set LEGACY" is a workaround suggested by https://bugzilla.redhat.com/show_bug.cgi?id=2060232#c9, but it doesn't work with recent distro(RHEL-9.1.0-20220817.6).


Version-Release number of selected component (if applicable):
RHEL-9.1.0-20220817.6
openssl-3.0.1-41.el9_0.x86_64

How reproducible:
always

Steps to Reproduce:
1. install RHEL-9.1.0-20220817.6
2. ssh to our switch:
# ssh redhat.88.10
Bad server host key: Invalid key length

Actual results:


Expected results:


Additional info:
This issue does not occur when using the software versions below:
5.14.0-143.el9.x86_64
openssl-3.0.1-40.el9_0.x86_64

This issue affects our testing, because we need to connect to our switches using ssh in our automated cases.

Is there another workaround for this?

Comment 1 Dmitry Belyavskiy 2022-08-19 08:24:59 UTC
Is something like 

==========
Host myveryoldhost
        PubkeyAcceptedKeyTypes=+ssh-rsa
        HostKeyAlgorithms=+ssh-rsa
        RSAMinSize 1024  
==========
in .ssh/config a solution?

What version of crypto-policies do you use?

Comment 2 LiLiang 2022-08-19 09:01:04 UTC
(In reply to Dmitry Belyavskiy from comment #1)
> Is smth like 
> 
> ==========
> Host myveryoldhost
>         PubkeyAcceptedKeyTypes=+ssh-rsa
>         HostKeyAlgorithms=+ssh-rsa
>         RSAMinSize 1024  
> ==========
> in .ssh/config a solution?
> 

# cat ~/.ssh/config 
Host *
KexAlgorithms +diffie-hellman-group1-sha1

> What version of crypto-policies do you use?

# rpm -q crypto-policies
crypto-policies-20220815-1.git0fbe86f.el9.noarch

Thank you!

Comment 3 Dmitry Belyavskiy 2022-08-19 09:05:38 UTC
So did you try my proposal? RSAMinSize is a new parameter limiting RSA key length.

Comment 4 LiLiang 2022-08-19 09:12:42 UTC
(In reply to Dmitry Belyavskiy from comment #3)
> So did you try my proposal? RSAMinSize is a new parameter limiting RSA key
> length.

This works for me. Thank you!

Host *
        PubkeyAcceptedKeyTypes=+ssh-rsa
        HostKeyAlgorithms=+ssh-rsa
        RSAMinSize 1024

Comment 5 Dmitry Belyavskiy 2022-08-19 09:17:04 UTC
I strongly suggest 
- specify exact host for this limitation
- See if it will work without PubkeyAcceptedKeyTypes and HostKeyAlgorithms

Comment 7 LiLiang 2022-08-19 09:31:08 UTC
(In reply to Dmitry Belyavskiy from comment #5)
> I strongly suggest 
> - specify exact host for this limitation
> - See if it will work without PubkeyAcceptedKeyTypes and HostKeyAlgorithms

This configuration also works.
Is there another, simpler method to achieve this, e.g. a one-line command?
I ask this because we need to configure this in all our automated jobs.

```
# cat ~/.ssh/config 
Host 10.73.88.7
        RSAMinSize 1024
Host 10.73.88.10
        RSAMinSize 1024
```

Comment 8 Dmitry Belyavskiy 2022-08-19 09:37:32 UTC
You can add -o RSAMinSize to your ssh command line or implement some crypto-policy subpolicy.

But again, 1024 bit RSA keys are definitely insecure nowadays and you should limit this configuration to the hosts that really need it - and probably upgrade those hosts to use ec-based keys and, at least, longer RSA keys.

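As an added example (not code from the bug report, from Red Hat, or from OpenSSH), the following script produces the per-host shape the maintainer asks for in comments 5 and 8 and lints an existing ssh_config for the `Host *` mistake from comment 4, where the lowered floor silently applies to every connection. The two addresses and the 1024-bit value are the ones from this thread; the 2048-bit default floor used by the lint, the output file name and the `Include` line are assumptions.

```shell
#!/bin/sh
# Added example for bug 2119694; not code from the report, Red Hat or OpenSSH.
# Scope an RSAMinSize exception to the hosts that need it, and lint a
# config for a wildcard-scoped exception. Addresses and the 1024 floor
# come from the thread; the 2048 default floor and paths are assumptions.

# Constructed list of switches that still present short ssh-rsa host keys.
LEGACY_HOSTS="10.73.88.7 10.73.88.10"

# Emit one "Host <addr>" stanza per legacy host. Nothing is placed under
# "Host *", so every other connection keeps the system policy floor.
# HostKeyAlgorithms +ssh-rsa re-enables the SHA-1 ssh-rsa host key
# signature for that host only (the first error in the report); it is
# redundant when the LEGACY policy is active but harmless there.
legacy_ssh_config() {   # $1 = space-separated hosts, $2 = RSAMinSize
    for h in $1; do
        printf 'Host %s\n    RSAMinSize %s\n    HostKeyAlgorithms +ssh-rsa\n' "$h" "$2"
    done
}

# Command-line equivalent for automation that cannot edit ~/.ssh/config.
legacy_ssh_cmd() {      # $1 = host, $2 = RSAMinSize
    printf 'ssh -o RSAMinSize=%s -o HostKeyAlgorithms=+ssh-rsa %s\n' "$2" "$1"
}

# Lint an ssh_config file: exit 0 if every RSAMinSize below $2 (default
# 2048) sits under a Host block without a wildcard, exit 1 otherwise.
# Lines before the first Host block are global, so they count as wild;
# Match blocks are treated as wild too, since their scope cannot be
# judged without evaluating the match.
rsamin_scoped_ok() {    # $1 = config path, [$2 = floor]
    awk -v floor="${2:-2048}" '
        BEGIN { wild = 1; bad = 0 }
        { gsub(/#.*/, ""); gsub(/=/, " ") }        # drop comments, allow Key=Value
        tolower($1) == "host"  { wild = (index($0, "*") > 0) }
        tolower($1) == "match" { wild = 1 }
        tolower($1) == "rsaminsize" && wild && $2 + 0 < floor { bad = 1 }
        END { exit bad + 0 }
    ' "$1"
}

# Usage (assumed layout): write the fragment to ~/.ssh/legacy-switches.conf
# and add "Include ~/.ssh/legacy-switches.conf" to ~/.ssh/config.
legacy_ssh_config "$LEGACY_HOSTS" 1024
```

The lint is the check worth keeping in automation: a job that appends `RSAMinSize 1024` under `Host *` (comment 4) lowers the floor for every server the runner talks to, while the per-host stanza confines the weak-key acceptance to the two switches. A crypto-policies subpolicy, the other option comment 8 mentions, changes the floor for every consumer of the system policy, not only ssh, so it is the broader of the two settings and the one to avoid unless many hosts are affected.
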
Comment 10 LiLiang 2022-08-19 10:22:27 UTC
Dmitry,

Which software update causes this problem? openssl or crypto-policies?

I need to know this, then I can check its version in my code, and only update .ssh/config when needed.

Liang

Comment 11 Dmitry Belyavskiy 2022-08-19 10:34:17 UTC
The problem is on remote side using old unsafe key length. It's much better to fix the problem there. 
The limitation is established by crypto-policies.

