mina-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ian Wienand (Jira)" <j...@apache.org>
Subject [jira] [Commented] (SSHD-1118) Unable to connect with Fedora 33 which has dropped ssh-rsa from PubkeyAcceptedKeyTypes
Date Thu, 14 Jan 2021 21:27:00 GMT

    [ https://issues.apache.org/jira/browse/SSHD-1118?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17265319#comment-17265319
] 

Ian Wienand commented on SSHD-1118:
-----------------------------------

{quote}which begs the question why insist on an RSA signature{quote}

I guess we don't insist on it, but it means users have to regenerate their keys that were
working.  Which means having to communicate to them the issue and get them to understand how
to make and deploy them.  So it's of course better if we can find anything to keep existing
keys working :)

> Unable to connect with Fedora 33 which has dropped ssh-rsa from PubkeyAcceptedKeyTypes
> --------------------------------------------------------------------------------------
>
>                 Key: SSHD-1118
>                 URL: https://issues.apache.org/jira/browse/SSHD-1118
>             Project: MINA SSHD
>          Issue Type: Bug
>    Affects Versions: 2.4.0
>            Reporter: Ian Wienand
>            Priority: Major
>
> This problem was noted with Gerrit using a 2.4.0 mina sshd server [1] after a recent
upgrade.  Some users using Fedora 33 started being not able to log in.
> It turns out that Fedora >=33 has dropped rsa-ssh from it's default {{PubkeyAcceptedKeyTypes}}
in {{/etc/crypto-policies/back-ends/openssh.config}}.  You either have to modify your policy
globally to "legacy" with "update-crypto-policies" or manually set {{PubkeyAcceptedKeyTypes=ssh-rsa}}
for failing servers.
> I understand that {{server-sig-algs}} support isn't fully implemented in mina sshd as
yet, so the client will not be seeing the negotiation list.
> However, it seems rsa-sha2-256/512 are supported?  It seems like forcing this with {{ssh
-oPubkeyAcceptedKeyTypes=rsa-sha2-512}} should work, but it does not (see related gerrit bug)?
> I can provide ssh connect logs, etc. if it will help; at this point I think it's mostly
about understanding Fedora's change and any mina limitations so we can find the best solution
for users.  Although Fedora 33 users are obviously a small minority now, it probably flags
something other distros will take up sooner or later.
>  
> Thanks!
>  
>  [1] [https://bugs.chromium.org/p/gerrit/issues/detail?id=13930]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@mina.apache.org
For additional commands, e-mail: dev-help@mina.apache.org


Mime
View raw message