[Bug 3213] openssh 8.3p1 will not use any type of RSA key for legacy servers if ssh-rsa is not in PubkeyAcceptedKeyTypes

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri Sep 24 00:19:52 AEST 2021


Joey Berkovitz <joeyberkovitz at gmail.com> changed:

           What    |Removed                     |Added
                 CC|                            |joeyberkovitz at gmail.com

--- Comment #12 from Joey Berkovitz <joeyberkovitz at gmail.com> ---
It seems that this fix doesn't entirely resolve the issue. I tested on
Fedora 34 with OpenSSH 8.7p1 and I get an error when using an OpenSSH
certificate to connect to a CentOS 7 server running OpenSSH 7.4p1. The
error message is as follows: `send_pubkey_test: no mutual signature

Adding `PubkeyAcceptedKeyTypes +ssh-rsa` allows the connection to go
through, but I don't think that it should be necessary.

For reference, the cert is of type `ssh-rsa-cert-v01@openssh.com`. The
public key on the cert is `RSA-CERT SHA256` and the Signing CA uses

Please let me know if this can be fixed with a similar compat code
