conflict in host signature checking
Harald Dunkel
harri at afaics.de
Tue Jun 16 03:17:59 AEST 2020
Hi folks,
AFAICS the recent ssh versions don't support the ssh-rsa signature
algorithm for host keys anymore:
check_host_cert: certificate signature algorithm ssh-rsa:
signature algorithm not supported
So I refreshed the host key signatures using
ssh-keygen -s ~/.ssh/ca_rsa -t rsa-sha2-256 \
-I hostname.example.com -h /tmp/ssh_host_rsa_key.pub
This went well for almost all hosts in my environment, except for an
ancient Solaris 10 host used to checkout and build some very old code
(just in case). The problem on this host is
% ssh -V
OpenSSH_6.2p1, OpenSSL 1.0.1r 28 Jan 2016
% ssh -F /dev/null git
ssh_rsa_verify: cannot handle type rsa-sha2-256
cert_parse: Certificate signature verification failed
key_from_blob: can't parse cert data
cannot decode server_host_key_blob
% echo $?
255
If I put the old signed key back into place on git, then Solaris is
happy, but all other hosts complain as shown above.
Using */bin/ssh -F /dev/null* (i.e. the ancient ssh provided with Solaris10)
there is no problem with an unsupported signature algorithm, so I wonder
if I missed some command line flag to skip the signature verification in
openssh 6.2, as /bin/ssh does? Of course I checked the man page. Please
excuse if I am too blind to see.
Every helpful comment is highly appreciated
Harri
More information about the openssh-unix-dev
mailing list