Config to have "ssh too-old-host" error out (with chosen message, and sans actual connection attempt)?
Jochen Bern
Jochen.Bern at binect.de
Mon Jun 30 22:59:43 AEST 2025
On 30.06.25 14:34, Brian Candler wrote:
> On 30/06/2025 13:14, Jochen Bern wrote:
>> What I've seen getting *specifically* refused is my local ssh-agent
>> signing with the older (and shorter, 4kb) RSA keypair, but that
>> doesn't seem to explain *all* the now-failing connections, either
>
> That's a 4096-bit RSA key pair? Can you show the error message?
>
> If it's not fixed by
>
> PubkeyAcceptedAlgorithms +ssh-rsa
> HostKeyAlgorithms +ssh-rsa
>
> then I don't know what the issue might be.

... it seems that I have to take that statement back, sorry. There was
(still is) a combo of error messages

> Authenticating with public key "..." from agent
> Pageant failed to provide a signature

when I run *PuTTY* against the OpenSSH ssh-agent loaded with (only) the
old RSA key, but temporarily changing a still-working target host to
only accept that keypair and then logging in with the *same* ssh-agent
and "ssh" works fine ...

(And yes, PuTTY can use the *newer* keypair straight out of OpenSSH's
agent ... weird ... the privkey's file format should be fully irrelevant
at that point, shouldn't it?)

> $ file .ssh/id_binect_*rsa
> .ssh/id_binect_newrsa: OpenSSH private key
> .ssh/id_binect_rsa: PEM RSA private key
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH