mina-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ian Wienand (Jira)" <j...@apache.org>
Subject [jira] [Created] (SSHD-1118) Unable to connect with Fedora 33 which has dropped ssh-rsa from PubkeyAcceptedKeyTypes
Date Tue, 12 Jan 2021 22:53:00 GMT
Ian Wienand created SSHD-1118:

             Summary: Unable to connect with Fedora 33 which has dropped ssh-rsa from PubkeyAcceptedKeyTypes
                 Key: SSHD-1118
                 URL: https://issues.apache.org/jira/browse/SSHD-1118
             Project: MINA SSHD
          Issue Type: Bug
    Affects Versions: 2.4.0
            Reporter: Ian Wienand

This problem was noted with Gerrit using a 2.4.0 mina sshd server [1] after a recent upgrade. 
Some users using Fedora 33 started being not able to log in.


It turns out that Fedora >=33 has dropped rsa-ssh from it's default PubkeyAcceptedKeyTypes
in /etc/crypto-policies/back-ends/openssh.config.  You either have to modify your policy
globally to "legacy" with "update-crypto-policies" or manually set PubkeyAcceptedKeyTypes=ssh-rsa
for failing servers.


I understand that server-sig-algs support isn't fully implemented in mina sshd as yet, so
the client will not be seeing the negotiation list.--


However, it seems rsa-sha2-256/512 are supported?  It seems like forcing this with {{ssh
oPubkeyAcceptedKeyTypes=rsa-sha2-512}} should work, but it does not (see related gerrit bug)?


I can provide ssh connect logs, etc. if it will help; at this point I think it's mostly about
understanding Fedora's change and any mina limitations so we can find the best solution for
users.  Although Fedora 33 users are obviously a small minority now, it probably flags something
other distros will take up sooner or later.




 [1] https://bugs.chromium.org/p/gerrit/issues/detail?id=13930

This message was sent by Atlassian Jira

To unsubscribe, e-mail: dev-unsubscribe@mina.apache.org
For additional commands, e-mail: dev-help@mina.apache.org

View raw message