OL8 (RHEL8), ssh-rsa turned off using update-crypto-policies, receiving an openssh error that I don't seem to be able to override in my personal .ssh/config file

Jan Schermer jan at schermer.cz
Tue Sep 10 01:41:42 AEST 2024


The crypto policies are system-wide to disallow any software (using system crypto) from using unsafe/weak/unwanted algorithms, which is exactly what you are trying to do.

You’ll need to allow that system-wide by default, unfortunately. Luckily you can then disallow ssh-rsa in ssh-config by default and only enable it for a few hosts.

The correct solution is to throw whatever requires it to the garbage and never buy from that vendor again.

Jan


> On 9. 9. 2024, at 17:04, kevin martin <ktmdms at gmail.com> wrote:
> 
> I'm using the most up to date version of openssh on OL8 that I can patch to
> (OpenSSH_8.0p1), I've used update-crypto-policies to disallow the use of
> ssh-rsa, but apparently am connecting to a host that uses ssh-rsa.  I've
> tried adding
> 
> HostkeyAlgorithms +ssh-rsa,ssh-rsa-cert-v01@openssh.com
> PubkeyAcceptedAlgorithms +ssh-rsa,ssh-rsa-cert-v01@openssh.com
> or
> HostkeyAlgorithms +ssh-rsa-cert-v01@openssh.com,ssh-rsa
> PubkeyAcceptedAlgorithms +ssh-rsa-cert-v01@openssh.com,ssh-rsa
> 
> to my .ssh/config and still receive an error message of:
> 
> agent key RSA-CERT SHA256:..... returned incorrect signature type
> sign_and_send_pubkey: no mutual signature supported
> 
> if I update-crypto-policies to the DEFAULT policy, the connectivity works
> correctly.  I'm a bit confused as to why openssh isn't using my personal
> config settings to override the system wide settings or am I not setting
> the necessary or is this by design?
> 
> ---
> 
> 
> Regards,
> 
> Kevin Martin
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
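As an added illustration of the layout Jan suggests (not code from the thread or from OpenSSH), here is a small Python model of how ssh(1) picks a list-valued algorithm option: the first obtained value wins across ~/.ssh/config and /etc/ssh/ssh_config, and a leading +, - or ^ modifies the built-in default rather than whatever the system policy lists. The host names, the abbreviated default list and both config files are constructed; the model flattens Include, ignores Match blocks and the RHEL-specific policy wiring, and uses PubkeyAcceptedKeyTypes, the OpenSSH 8.0 name of the option later renamed PubkeyAcceptedAlgorithms.

```python
import fnmatch
# Abbreviated 8.0-era built-in default, used here for both options (constructed; real lists are longer).
BUILTIN_DEFAULT = ["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"]

def apply_list_value(default, value):
    """'+x' appends x to the built-in default, '-x' removes it, '^x' moves it to the front."""
    mod = value[:1] if value[:1] in ("+", "-", "^") else ""
    items = [a for a in value[len(mod):].split(",") if a]
    if mod == "+":
        return default + [a for a in items if a not in default]
    if mod == "-":
        return [a for a in default if a not in items]
    if mod == "^":
        return items + [a for a in default if a not in items]
    return items  # bare list: replaces the default entirely

def parse_blocks(text):
    """[(host_patterns, {option: value})] in file order; text before any Host line matches all hosts."""
    blocks, patterns, opts = [], ["*"], {}
    lines = [raw.split("#", 1)[0].strip() for raw in text.splitlines()]
    for line in filter(None, lines):
        key, _, val = line.partition(" ")
        if key.lower() == "host":
            blocks.append((patterns, opts))
            patterns, opts = val.split(), {}
        else:
            opts.setdefault(key.lower(), val.strip())
    blocks.append((patterns, opts))
    return blocks

def resolve(hostname, option, configs, default=BUILTIN_DEFAULT):
    """Walk configs in ssh(1) order (user file first); the first matching assignment wins."""
    for text in configs:
        for patterns, opts in parse_blocks(text):
            if option.lower() in opts and any(fnmatch.fnmatch(hostname, p) for p in patterns):
                return apply_list_value(default, opts[option.lower()])
    return list(default)

# Constructed files in the layout the reply suggests: the system side (DEFAULT policy, Include flattened
# in) still lists ssh-rsa; the user file disables it for every host and re-enables it for one legacy host.
SYSTEM_CONFIG = "HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa\n"
USER_CONFIG = """Host legacy-appliance
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedKeyTypes +ssh-rsa
Host *
    HostKeyAlgorithms -ssh-rsa
    PubkeyAcceptedKeyTypes -ssh-rsa
"""
CONFIGS = [USER_CONFIG, SYSTEM_CONFIG]  # ~/.ssh/config is read before /etc/ssh/ssh_config
```

The per-host block has to precede `Host *`, because once `Host *` has assigned the option, no later block or file can change it.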


