OL8 (RHEL8), ssh-rsa turned off using update-crypto-policies, receiving an openssh error that I don't seem to be able to override in my personal .ssh/config file

kevin martin ktmdms at gmail.com
Tue Sep 10 02:07:57 AEST 2024


Lol!  Our Security team sent out new policies that dictated turning off
ssh-rsa, so we did.  Turns out our Security Team doesn't necessarily
follow their own dictates, so here we are.  Our Linux team says that the
correct way to turn off ssh-rsa is via the crypto policies, not via direct
manipulation of the /etc/ssh/ssh_config, and I guess that's probably the
absolute best way to do so, but then I have this situation to deal with.  I
like the idea of leaving crypto policies defaulted, updating the ssh_config
at the system level to disable ssh-rsa, and then overriding in my local
.ssh/config file.  Probably the only way I'll get this to work and still
technically follow Security team rules.   Thanks for the information.

---


Regards,

Kevin Martin


On Mon, Sep 9, 2024 at 10:41 AM Jan Schermer <jan at schermer.cz> wrote:

> The crypto policies are system-wide to disallow any software (using system
> crypto) from using unsafe/weak/unwanted algorithm, which is exactly what
> you are trying to do.
>
> You’ll need to allow that system-wide by default, unfortunately. Luckily
> you can then disallow ssh-rsa in ssh-config by default and only enable it
> for a few hosts.
>
> The correct solution is to throw whatever requires it to the garbage and
> never buy from that vendor again.
>
> Jan
>
>
> > On 9. 9. 2024, at 17:04, kevin martin <ktmdms at gmail.com> wrote:
> >
> > I'm using the most up to date version of openssh on OL8 that I can patch to
> > (OpenSSH_8.0p1), I've used update-crypto-policies to disallow the use of
> > ssh-rsa, but apparently am connecting to a host that uses ssh-rsa.  I've
> > tried adding
> >
> > HostkeyAlgorithms +ssh-rsa,ssh-rsa-cert-v01@openssh.com
> > PubkeyAcceptedAlgorithms +ssh-rsa,ssh-rsa-cert-v01@openssh.com
> > or
> > HostkeyAlgorithms +ssh-rsa-cert-v01@openssh.com,ssh-rsa
> > PubkeyAcceptedAlgorithms +ssh-rsa-cert-v01@openssh.com,ssh-rsa
> >
> > to my .ssh/config and still receive an error message of:
> >
> > agent key RSA-CERT SHA256:..... returned incorrect signature type
> > sign_and_send_pubkey: no mutual signature supported
> >
> > if I update-crypto-policies to the DEFAULT policy, the connectivity works
> > correctly.  I'm a bit confused as to why openssh isn't using my personal
> > config settings to override the system wide settings or am I not setting
> > the necessary or is this by design?
> >
> > ---
> >
> >
> > Regards,
> >
> > Kevin Martin
> > _______________________________________________
> > openssh-unix-dev mailing list
> > openssh-unix-dev at mindrot.org
> > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
>
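Jan's layout (leave the crypto policy at DEFAULT, remove ssh-rsa in ssh_config for everyone, add it back for a few hosts) only works if the Host blocks are ordered correctly, because ssh(1) keeps the first value it obtains for each keyword. The following is an added example, not code from the thread or from OpenSSH: a small Python model of the two ssh_config(5) rules involved (first obtained value wins; `+`/`-`/`^` prefixes modify the built-in default list) run over two constructed config files. The hostnames and the shortened default algorithm list are constructed for the example.

```python
"""Model of how ssh(1) resolves one keyword (here HostKeyAlgorithms) for a host.

Rules from ssh_config(5) that decide whether "disable ssh-rsa everywhere,
re-enable it for a few hosts" works:
  1. For each keyword the FIRST obtained value wins. ~/.ssh/config is read
     before /etc/ssh/ssh_config, and each file is read top to bottom.
  2. A value starting with '+' appends to the built-in default list, '-'
     removes matching entries, '^' moves entries to the front; a bare list
     replaces the default.
Consequence: the block that re-enables ssh-rsa must come BEFORE the
catch-all "Host *" block that removes it, or it is never consulted.
"""
import fnmatch
import re

# Constructed stand-in for the built-in default list; the real one is longer
# and depends on the OpenSSH version (and, on OL/RHEL, on the crypto policy).
DEFAULT_HOSTKEY_ALGS = [
    "ssh-ed25519-cert-v01@openssh.com",
    "rsa-sha2-512-cert-v01@openssh.com",
    "rsa-sha2-256-cert-v01@openssh.com",
    "ssh-rsa-cert-v01@openssh.com",
    "ssh-ed25519",
    "rsa-sha2-512",
    "rsa-sha2-256",
    "ssh-rsa",
]


def parse_config(text):
    """Split ssh_config text into (host_patterns, {keyword: value}) blocks, in file order.

    Lines before the first Host line form an implicit "Host *" block. Inside a
    block the first occurrence of a keyword is kept (first obtained wins).
    """
    blocks = []
    patterns, opts = ["*"], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # comments are whole lines only
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append((patterns, opts))
            patterns, opts = value.split(), {}
        else:
            opts.setdefault(key, value)
    blocks.append((patterns, opts))
    return blocks


def host_matches(patterns, host):
    """A block applies if some pattern matches and no negated ('!') pattern matches."""
    matched = False
    for pattern in patterns:
        if pattern.startswith("!"):
            if fnmatch.fnmatchcase(host, pattern[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pattern):
            matched = True
    return matched


def apply_list_modifier(value, default):
    """Expand the '+', '-' and '^' prefixes against the default algorithm list."""
    if value.startswith("+"):
        return list(default) + [a for a in value[1:].split(",") if a not in default]
    if value.startswith("-"):
        removed = value[1:].split(",")
        return [a for a in default
                if not any(fnmatch.fnmatchcase(a, r) for r in removed)]
    if value.startswith("^"):
        head = value[1:].split(",")
        return head + [a for a in default if a not in head]
    return value.split(",")


def effective(config_text, host, keyword="hostkeyalgorithms", default=None):
    """Walk the blocks in order and stop at the first matching block that sets keyword."""
    default = DEFAULT_HOSTKEY_ALGS if default is None else default
    for patterns, opts in parse_config(config_text):
        if host_matches(patterns, host) and keyword in opts:
            return apply_list_modifier(opts[keyword], default)
    return list(default)


# Constructed: the exception listed FIRST, then the catch-all. This is the layout that works.
GOOD_CONFIG = """\
# hypothetical host that still presents an ssh-rsa host key
Host legacy-appliance.example.com
    HostKeyAlgorithms +ssh-rsa,ssh-rsa-cert-v01@openssh.com

# everyone else: strip ssh-rsa from the default list
Host *
    HostKeyAlgorithms -ssh-rsa,ssh-rsa-cert-v01@openssh.com
"""

# Constructed: same blocks, catch-all first. "Host *" matches the appliance too,
# so its value is obtained first and the appliance block is never consulted.
BAD_CONFIG = """\
Host *
    HostKeyAlgorithms -ssh-rsa,ssh-rsa-cert-v01@openssh.com

Host legacy-appliance.example.com
    HostKeyAlgorithms +ssh-rsa,ssh-rsa-cert-v01@openssh.com
"""

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD_CONFIG), ("BAD", BAD_CONFIG)):
        for host in ("legacy-appliance.example.com", "bastion.example.com"):
            algs = effective(cfg, host)
            print(f"{name:4} {host:30} ssh-rsa allowed: {'ssh-rsa' in algs}")
```

The same ordering rule applies to the pubkey keyword in the thread, and to a user file versus /etc/ssh/ssh_config, since the user file is read first. On the real client, `ssh -G hostname` prints the values ssh(1) would actually use for that destination, which is the quickest way to confirm the block order before debugging a "no mutual signature supported" error.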

