OL8 (RHEL8), ssh-rsa turned off using update-crypto-policies, receiving an openssh error that I don't seem to be able to override in my personal .ssh/config file

kevin martin ktmdms at gmail.com
Tue Sep 10 02:18:11 AEST 2024


Well, nuts.  That, in fact, doesn't work.  It appears that, based on an
strace, the order of reading for policies is personal .ssh/config,
/etc/ssh/ssh_config (and conf.d files), then crypto policies, with the more
restrictive policy being used.


---


Regards,

Kevin Martin


On Mon, Sep 9, 2024 at 11:07 AM kevin martin <ktmdms at gmail.com> wrote:

> Lol!  Our Security team sent out new policies that dictated turning off
> ssh-rsa, so we did.  Turns out our Security Team doesn't necessarily
> follow their own dictates, so here we are.  Our Linux team says that the
> correct way to turn off ssh-rsa is via the crypto policies, not via direct
> manipulation of /etc/ssh/ssh_config, and I guess that's probably the
> absolute best way to do so, but then I have this situation to deal with.  I
> like the idea of leaving crypto policies defaulted, updating the ssh_config
> at the system level to disable ssh-rsa, and then overriding in my local
> .ssh/config file.  Probably the only way I'll get this to work and still
> technically follow Security team rules.   Thanks for the information.
>
> ---
>
>
> Regards,
>
> Kevin Martin
>
>
> On Mon, Sep 9, 2024 at 10:41 AM Jan Schermer <jan at schermer.cz> wrote:
>
>> The crypto policies are system-wide to disallow any software (using
>> system crypto) from using unsafe/weak/unwanted algorithms, which is exactly
>> what you are trying to do.
>>
>> You’ll need to allow that system-wide by default, unfortunately. Luckily
>> you can then disallow ssh-rsa in ssh-config by default and only enable it
>> for a few hosts.
>>
>> The correct solution is to throw whatever requires it to the garbage and
>> never buy from that vendor again.
>>
>> Jan
>>
>>
>> > On 9. 9. 2024, at 17:04, kevin martin <ktmdms at gmail.com> wrote:
>> >
>> > I'm using the most up to date version of openssh on OL8 that I can
>> > patch to (OpenSSH_8.0p1).  I've used update-crypto-policies to disallow
>> > the use of ssh-rsa, but apparently am connecting to a host that uses
>> > ssh-rsa.  I've tried adding
>> >
>> > HostkeyAlgorithms +ssh-rsa,ssh-rsa-cert-v01@openssh.com
>> > PubkeyAcceptedAlgorithms +ssh-rsa,ssh-rsa-cert-v01@openssh.com
>> > or
>> > HostkeyAlgorithms +ssh-rsa-cert-v01@openssh.com,ssh-rsa
>> > PubkeyAcceptedAlgorithms +ssh-rsa-cert-v01@openssh.com,ssh-rsa
>> >
>> > to my .ssh/config and still receive an error message of:
>> >
>> > agent key RSA-CERT SHA256:..... returned incorrect signature type
>> > sign_and_send_pubkey: no mutual signature supported
>> >
>> > If I update-crypto-policies to the DEFAULT policy, the connectivity
>> > works correctly.  I'm a bit confused as to why openssh isn't using my
>> > personal config settings to override the system-wide settings.  Am I
>> > not setting what is necessary, or is this by design?
>> >
>> > ---
>> >
>> >
>> > Regards,
>> >
>> > Kevin Martin
>> > _______________________________________________
>> > openssh-unix-dev mailing list
>> > openssh-unix-dev at mindrot.org
>> > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>>
>>


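The thread turns on how ssh(1) combines ~/.ssh/config, /etc/ssh/ssh_config, the conf.d drop-ins it Includes, and the crypto-policy file those drop-ins pull in. The following is an added example, not code from the thread or from OpenSSH: a small model of that resolution, built on the rule ssh_config(5) documents (for each keyword the first obtained value is used) and on the '+', '-' and '^' list prefixes. The default algorithm lists, the file paths, the drop-in and policy file contents, and the host names are all constructed for the example; real default lists are longer and version specific, and anything a crypto policy configures outside of ssh_config (other back-ends such as the system OpenSSL) is outside this model. The PubkeyAcceptedAlgorithms/PubkeyAcceptedKeyTypes aliasing is an assumption about the build in use.

```python
"""Added example, not code from the thread or from OpenSSH: a model of how
ssh(1) resolves algorithm-list keywords across its configuration sources,
so the precedence question in the thread can be checked on constructed input.

Assumptions (simplified from ssh_config(5); compare with `ssh -G host` on a
real build): ~/.ssh/config is read before /etc/ssh/ssh_config, Include is
expanded in place, the FIRST obtained value of a keyword wins, and a value
prefixed '+' appends to the built-in default list, '-' removes from it,
'^' moves names to its front, unprefixed replaces it. Only Host blocks with
shell-style wildcards are modelled (no Match, no '=' syntax, no patterns
in '-' lists).
"""
from fnmatch import fnmatch

# Constructed stand-in for the compiled-in defaults (real lists are longer and
# version specific); ssh-rsa is present so the policy's effect on it is visible.
DEFAULTS = {
    "hostkeyalgorithms": ["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"],
    "pubkeyacceptedkeytypes": ["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"],
}
ALIASES = {"pubkeyacceptedalgorithms": "pubkeyacceptedkeytypes"}  # newer spelling

# Constructed file contents keyed by path; nothing is read from disk.
FILES = {
    "~/.ssh/config": """Host legacy-*.example.net
    HostKeyAlgorithms +ssh-rsa,ssh-rsa-cert-v01@openssh.com
    PubkeyAcceptedAlgorithms +ssh-rsa,ssh-rsa-cert-v01@openssh.com
""",
    "/etc/ssh/ssh_config": "Include /etc/ssh/ssh_config.d/*.conf\n",
    "/etc/ssh/ssh_config.d/05-redhat.conf": """# stand-in for the distro drop-in
Include /etc/crypto-policies/back-ends/openssh.config
""",
    "/etc/crypto-policies/back-ends/openssh.config": """# policy without ssh-rsa
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
PubkeyAcceptedKeyTypes ssh-ed25519,rsa-sha2-512,rsa-sha2-256
""",
}


def directives(files, path, host):
    """(keyword, value, source_path) triples from `path` in file order,
    expanding Include and skipping Host blocks that do not match `host`."""
    out, active = [], True
    for raw in files.get(path, "").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        val = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            active = any(fnmatch(host, pat) for pat in val.split())
        elif not active:
            continue
        elif key == "include":
            for pattern in val.split():
                for inc in sorted(p for p in files if fnmatch(p, pattern)):
                    out.extend(directives(files, inc, host))
        else:
            out.append((key, val, path))
    return out


def apply_spec(default, spec):
    """Apply one algorithm-list value (possibly prefixed) to the default list."""
    if spec is None:
        return list(default)
    names = spec.lstrip("+-^").split(",")
    if spec.startswith("+"):
        return default + [n for n in names if n not in default]
    if spec.startswith("-"):
        return [n for n in default if n not in names]
    if spec.startswith("^"):
        return names + [n for n in default if n not in names]
    return names


def effective(files, host, user_cfg="~/.ssh/config", sys_cfg="/etc/ssh/ssh_config"):
    """Resolve each modelled keyword for `host`: (algorithm list, winning file)."""
    first = {}
    for path in (user_cfg, sys_cfg):
        for key, val, src in directives(files, path, host):
            first.setdefault(key, (val, src))  # first obtained value wins
    result = {}
    for key, default in DEFAULTS.items():
        val, src = first.get(key, (None, "built-in default"))
        result[key] = (apply_spec(default, val), src)
    return result


if __name__ == "__main__":
    for host in ("legacy-1.example.net", "prod.example.net"):
        for key, (algs, src) in effective(FILES, host).items():
            print(f"{host}: {key} = {','.join(algs)}  (from {src})")
```

Run as-is, the legacy host gets the default list plus ssh-rsa and ssh-rsa-cert-v01@openssh.com, sourced from ~/.ssh/config, while every other host gets the policy's list with ssh-rsa absent, sourced from the policy file. That is the "disallow by default, allow for a few hosts" layout suggested in the thread. On a real system the equivalent check is `ssh -G hostname`, which prints the options ssh(1) actually resolved for that host after reading every file; comparing its HostKeyAlgorithms and PubkeyAcceptedKeyTypes/PubkeyAcceptedAlgorithms output against the policy file is the quickest way to see which source won.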