OL8 (RHEL8), ssh-rsa turned off using update-crypto-policies, receiving an openssh error that I don't seem to be able to override in my personal .ssh/config file

kevin martin ktmdms at gmail.com
Tue Sep 10 01:04:16 AEST 2024


I'm using the most up to date version of openssh on OL8 that I can patch to
(OpenSSH_8.0p1), I've used update-crypto-policies to disallow the use of
ssh-rsa, but apparently am connecting to a host that uses ssh-rsa.  I've
tried adding

HostkeyAlgorithms +ssh-rsa,ssh-rsa-cert-v01@openssh.com
PubkeyAcceptedAlgorithms +ssh-rsa,ssh-rsa-cert-v01@openssh.com
or
HostkeyAlgorithms +ssh-rsa-cert-v01@openssh.com,ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa-cert-v01@openssh.com,ssh-rsa

to my .ssh/config and still receive an error message of:

agent key RSA-CERT SHA256:..... returned incorrect signature type
sign_and_send_pubkey: no mutual signature supported

If I update-crypto-policies to the DEFAULT policy, the connectivity works
correctly.  I'm a bit confused as to why openssh isn't using my personal
config settings to override the system wide settings or am I not setting
the necessary or is this by design?

---


Regards,

Kevin Martin


More information about the openssh-unix-dev mailing list