Config to have "ssh too-old-host" error out (with chosen message, and sans actual connection attempt)?

MCMANUS, MICHAEL P mm1072 at att.com
Wed Jul 2 01:56:01 AEST 2025


As I understand it, Pageant only accepts PuTTY's native format for private keys. There is a method in PuTTYgen to import an OpenSSH private key and export it in PuTTY format. Just select "Import key" from the Conversions menu, then save the imported key as though you just generated it. You should not need to save the public key as you already have the one generated by OpenSSH.

Mike McManus
Principal – Technology Security
GTO Security Governance Team - Unix
P: He/Him/His

AT&T Services, Inc.
20309 North Creek Pkwy, Bothell, WA 98011
michael.mcmanus at att.com

-----Original Message-----
From: openssh-unix-dev <openssh-unix-dev-bounces+mm1072=att.com at mindrot.org> On Behalf Of Jochen Bern
Sent: Monday, June 30, 2025 6:00 AM
To: Brian Candler <b.candler at pobox.com>
Cc: OpenSSH <openssh-unix-dev at mindrot.org>
Subject: Re: Config to have "ssh too-old-host" error out (with chosen message, and sans actual connection attempt)?

On 30.06.25 14:34, Brian Candler wrote:
> On 30/06/2025 13:14, Jochen Bern wrote:
>> What I've seen getting *specifically* refused is my local ssh-agent
>> signing with the older (and shorter, 4kb) RSA keypair, but that
>> doesn't seem to explain *all* the now-failing connections, either
> 
> That's a 4096-bit RSA key pair? Can you show the error message?
> 
> If it's not fixed by
> 
>    PubkeyAcceptedAlgorithms +ssh-rsa
>    HostKeyAlgorithms +ssh-rsa
> 
> then I don't know what the issue might be.

... it seems that I have to take that statement back, sorry. There was 
(still is) a combo of error messages

> Authenticating with public key "..." from agent
> Pageant failed to provide a signature

when I run *PuTTY* against the OpenSSH ssh-agent loaded with (only) the
old RSA key, but temporarily changing a still-working target host to 
only accept that keypair and then logging in with the *same* ssh-agent 
and "ssh" works fine ...

(And yes, PuTTY can use the *newer* keypair straight out of OpenSSH's
agent ... weird ... the privkey's file format should be fully irrelevant 
at that point, shouldn't it?)

> $ file .ssh/id_binect_*rsa
> .ssh/id_binect_newrsa: OpenSSH private key
> .ssh/id_binect_rsa:    PEM RSA private key

Kind regards,
-- 
Jochen Bern
Systemingenieur

Binect GmbH

