mina-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ian Wienand (Jira)" <j...@apache.org>
Subject [jira] [Updated] (SSHD-1118) Unable to connect with Fedora 33 which has dropped ssh-rsa from PubkeyAcceptedKeyTypes
Date Tue, 12 Jan 2021 22:55:00 GMT

     [ https://issues.apache.org/jira/browse/SSHD-1118?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Ian Wienand updated SSHD-1118:
------------------------------
    Description: 
This problem was noted with Gerrit using a 2.4.0 mina sshd server [1] after a recent upgrade. 
Some users using Fedora 33 started being not able to log in.

It turns out that Fedora >=33 has dropped rsa-ssh from it's default {{PubkeyAcceptedKeyTypes}}
in {{/etc/crypto-policies/back-ends/openssh.config}}.  You either have to modify your policy
globally to "legacy" with "update-crypto-policies" or manually set {{PubkeyAcceptedKeyTypes=ssh-rsa}}
for failing servers.

I understand that {{server-sig-algs}} support isn't fully implemented in mina sshd as yet,
so the client will not be seeing the negotiation list.

However, it seems rsa-sha2-256/512 are supported?  It seems like forcing this with {{ssh
-oPubkeyAcceptedKeyTypes=rsa-sha2-512}} should work, but it does not (see related gerrit bug)?

I can provide ssh connect logs, etc. if it will help; at this point I think it's mostly about
understanding Fedora's change and any mina limitations so we can find the best solution for
users.  Although Fedora 33 users are obviously a small minority now, it probably flags something
other distros will take up sooner or later.

 

Thanks!

 

 [1] [https://bugs.chromium.org/p/gerrit/issues/detail?id=13930]

  was:
This problem was noted with Gerrit using a 2.4.0 mina sshd server [1] after a recent upgrade. 
Some users using Fedora 33 started being not able to log in.

It turns out that Fedora >=33 has dropped rsa-ssh from it's default PubkeyAcceptedKeyTypes
in /etc/crypto-policies/back-ends/openssh.config.  You either have to modify your policy
globally to "legacy" with "update-crypto-policies" or manually set PubkeyAcceptedKeyTypes=ssh-rsa
for failing servers.

I understand that server-sig-algs support isn't fully implemented in mina sshd as yet, so
the client will not be seeing the negotiation list.

However, it seems rsa-sha2-256/512 are supported?  It seems like forcing this with {{ssh
oPubkeyAcceptedKeyTypes=rsa-sha2-512}} should work, but it does not (see related gerrit bug)?

I can provide ssh connect logs, etc. if it will help; at this point I think it's mostly about
understanding Fedora's change and any mina limitations so we can find the best solution for
users.  Although Fedora 33 users are obviously a small minority now, it probably flags something
other distros will take up sooner or later.

 

Thanks!

 

 [1] [https://bugs.chromium.org/p/gerrit/issues/detail?id=13930]


> Unable to connect with Fedora 33 which has dropped ssh-rsa from PubkeyAcceptedKeyTypes
> --------------------------------------------------------------------------------------
>
>                 Key: SSHD-1118
>                 URL: https://issues.apache.org/jira/browse/SSHD-1118
>             Project: MINA SSHD
>          Issue Type: Bug
>    Affects Versions: 2.4.0
>            Reporter: Ian Wienand
>            Priority: Major
>
> This problem was noted with Gerrit using a 2.4.0 mina sshd server [1] after a recent
upgrade.  Some users using Fedora 33 started being not able to log in.
> It turns out that Fedora >=33 has dropped rsa-ssh from it's default {{PubkeyAcceptedKeyTypes}}
in {{/etc/crypto-policies/back-ends/openssh.config}}.  You either have to modify your policy
globally to "legacy" with "update-crypto-policies" or manually set {{PubkeyAcceptedKeyTypes=ssh-rsa}}
for failing servers.
> I understand that {{server-sig-algs}} support isn't fully implemented in mina sshd as
yet, so the client will not be seeing the negotiation list.
> However, it seems rsa-sha2-256/512 are supported?  It seems like forcing this with {{ssh
-oPubkeyAcceptedKeyTypes=rsa-sha2-512}} should work, but it does not (see related gerrit bug)?
> I can provide ssh connect logs, etc. if it will help; at this point I think it's mostly
about understanding Fedora's change and any mina limitations so we can find the best solution
for users.  Although Fedora 33 users are obviously a small minority now, it probably flags
something other distros will take up sooner or later.
>  
> Thanks!
>  
>  [1] [https://bugs.chromium.org/p/gerrit/issues/detail?id=13930]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@mina.apache.org
For additional commands, e-mail: dev-help@mina.apache.org


Mime
View raw message