Config to have "ssh too-old-host" error out (with chosen message, and sans actual connection attempt)?

Jochen Bern Jochen.Bern at binect.de
Mon Jun 30 22:59:43 AEST 2025


On 30.06.25 14:34, Brian Candler wrote:
> On 30/06/2025 13:14, Jochen Bern wrote:
>> What I've seen getting *specifically* refused is my local ssh-agent
>> signing with the older (and shorter, 4kb) RSA keypair, but that
>> doesn't seem to explain *all* the now-failing connections, either
> 
> That's a 4096-bit RSA key pair? Can you show the error message?
> 
> If it's not fixed by
> 
>    PubkeyAcceptedAlgorithms +ssh-rsa
>    HostKeyAlgorithms +ssh-rsa
> 
> then I don't know what the issue might be.

... it seems that I have to take that statement back, sorry. There was 
(still is) a combo of error messages

> Authenticating with public key "..." from agent
> Pageant failed to provide a signature

when I run *PuTTY* against the OpenSSH ssh-agent loaded with (only) the 
old RSA key, but temporarily changing a still-working target host to 
only accept that keypair and then logging in with the *same* ssh-agent 
and "ssh" works fine ...

(And yes, PuTTY can use the *newer* keypair straight out of OpenSSH's 
agent ... weird ... the privkey's file format should be fully irrelevant 
at that point, shouldn't it?)

> $ file .ssh/id_binect_*rsa
> .ssh/id_binect_newrsa: OpenSSH private key
> .ssh/id_binect_rsa:    PEM RSA private key

Kind regards,
-- 
Jochen Bern
Systemingenieur

Binect GmbH