You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@mina.apache.org by "Ian Wienand (Jira)" <ji...@apache.org> on 2021/01/12 22:53:00 UTC
[jira] [Created] (SSHD-1118) Unable to connect with Fedora 33 which
has dropped ssh-rsa from PubkeyAcceptedKeyTypes
Ian Wienand created SSHD-1118:
---------------------------------
Summary: Unable to connect with Fedora 33 which has dropped ssh-rsa from PubkeyAcceptedKeyTypes
Key: SSHD-1118
URL: https://issues.apache.org/jira/browse/SSHD-1118
Project: MINA SSHD
Issue Type: Bug
Affects Versions: 2.4.0
Reporter: Ian Wienand
This problem was noted with Gerrit using a 2.4.0 mina sshd server [1] after a recent upgrade. Some users using Fedora 33 started being not able to log in.
It turns out that Fedora >=33 has dropped rsa-ssh from it's default PubkeyAcceptedKeyTypes in /etc/crypto-policies/back-ends/openssh.config. You either have to modify your policy globally to "legacy" with "update-crypto-policies" or manually set PubkeyAcceptedKeyTypes=ssh-rsa for failing servers.
I understand that server-sig-algs support isn't fully implemented in mina sshd as yet, so the client will not be seeing the negotiation list.--
However, it seems rsa-sha2-256/512 are supported? It seems like forcing this with {{ssh oPubkeyAcceptedKeyTypes=rsa-sha2-512}} should work, but it does not (see related gerrit bug)?
I can provide ssh connect logs, etc. if it will help; at this point I think it's mostly about understanding Fedora's change and any mina limitations so we can find the best solution for users. Although Fedora 33 users are obviously a small minority now, it probably flags something other distros will take up sooner or later.
Thanks!
[1] https://bugs.chromium.org/p/gerrit/issues/detail?id=13930
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@mina.apache.org
For additional commands, e-mail: dev-help@mina.apache.org