On Sun, 20 Sep 2020 at 16:03, Pavel Raiskup <prais...@redhat.com> wrote:

> On Sunday, September 20, 2020 8:52:21 PM CEST Kevin Fenzi wrote:
> > On Sun, Sep 20, 2020 at 07:11:29PM +0200, Pavel Raiskup wrote:
> > > After upgrade of one of my servers to F33, I noticed that I can not ssh to
> > > one of my other servers running Debian 9 system (relatively freshly EOLed,
> > > I need to do something about it).  On F33 I always need to:
> > >
> > >      $ ssh -oPubkeyAcceptedKeyTypes=+ssh-rsa user@debian-9-host
> > >
> > > The changes in Fedora packages led me to:
> > >
> > > https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/b298a9e1
> > >
> > > Which led me to:
> > >
> > >     https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2
> > >
> > > I'm curious about the effects of the change.  It claims that RSA 2048 >= should
> > > stay accepted by DEFAULT, and from what I can tell the host server key seems to
> > > be RSA 2048 (at least that's what is generated by default on Debian 9):
> > >
> > >     $ ssh-keygen -l -f ssh_host_rsa_key.pub
> > >     2048 SHA256:<...> root@debian-9-host (RSA)
> > >
> > > Can anyone translate to me if this is really expected or a bug?  Effect is that
> > > Fedora 33 clients can not ssh to Debian 9 hosts by default (I'm not sure about
> > > the supported Debian 10, and the key quality there).
> >
> > I thought this was actually due to openssh dropping support for
> > 'ssh-rsa':
> >
> > https://www.openssh.com/txt/release-8.3
> >
> > (ie, the sha-1 ssh-rsa)
>
> Well, I did:
>
>     $ cd /etc/ssh
>     $ rm ssh_host*
>     $ ssh-keygen -N "" -t rsa-sha2-512 -b 4096 -f /etc/ssh/ssh_host_rsa_key
>     $ dpkg-reconfigure openssh-server
>     ... generates the remaining ECDSA and ED25519 ...
>
>
I would just double check that that is the file being used for host keys and not
something that has been altered in the host's /etc/ssh/sshd_config [I banged my head
on this recently, so there is an off chance it might be the case.]


> New host signature detected, but I still get on F33 when trying to ssh:
>
>     $ ssh -vv ...
>     debug1: Offering public key: /home/praiskup/.ssh/id_rsa RSA SHA256:...
>     debug1: send_pubkey_test: no mutual signature algorithm
>     ...
>
> And still -oPubkeyAcceptedKeyTypes=+ssh-rsa helps...  Does that mean that the
> ssh-keygen on Debian 9 is broken?  How am I able to tell this is server or
> client problem?
>
> Pavel
>

Run sshd -d -p 2222 on the server and then see what it says it is doing.

Look for

debug1: kex_input_ext_info:
server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,null>

or some similar item. Also look to see what

grep KexAlgorithms /etc/ssh/sshd_config says

If it has a default of ssh-rsa in its list and none of the rsa-sha2 items,
the server will try this anyway.


-- 
Stephen J Smoogen.
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
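As an added example (not from Stephen or anyone else in the thread), a small POSIX shell helper that pulls the server-sig-algs list out of the `ssh -vv` output mentioned above and says which side is worth looking at first. The log text is constructed, and the "server-side"/"client-side" verdict is my own heuristic, not anything the thread states.

```shell
#!/bin/sh
# Constructed "ssh -vv" client output (not a real capture) showing the
# ext-info line the thread points at and the failure that followed it.
SAMPLE_LOG='debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256>
debug1: Offering public key: /home/user/.ssh/id_rsa RSA SHA256:...
debug1: send_pubkey_test: no mutual signature algorithm'

# Print the comma-separated server-sig-algs list from an ssh -vv log on stdin
# (first ext-info line only); prints nothing if the server sent no ext-info.
server_sig_algs() {
    sed -n '/server-sig-algs=</{s/.*server-sig-algs=<\([^>]*\)>.*/\1/p;q;}'
}

# Classify RSA signature support in such a list: "rsa-sha2-ok" when a SHA-2
# RSA algorithm (rsa-sha2-256/512) is advertised, "legacy-rsa-only" when only
# the SHA-1 ssh-rsa algorithm is, "no-rsa" when RSA is not offered at all.
classify_rsa_support() {
    case ",$1," in
        *,rsa-sha2-256,*|*,rsa-sha2-512,*) echo "rsa-sha2-ok" ;;
        *,ssh-rsa,*)                       echo "legacy-rsa-only" ;;
        *)                                 echo "no-rsa" ;;
    esac
}

# Heuristic (my assumption) pointer to the side worth investigating for an
# RSA user key: a server that never advertises rsa-sha2-* leaves a client
# whose policy has dropped ssh-rsa with nothing in common ("server-side");
# a server that does advertise it yet still ends in "no mutual signature
# algorithm" points at the client's accepted key types ("client-side").
diagnose_log() {
    log="$1"
    algs="$(printf '%s\n' "$log" | server_sig_algs)"
    [ -n "$algs" ] || { echo "no-ext-info"; return 0; }
    case "$(classify_rsa_support "$algs")" in
        rsa-sha2-ok)
            if printf '%s\n' "$log" | grep -q 'no mutual signature algorithm'; then
                echo "client-side"
            else
                echo "ok"
            fi ;;
        legacy-rsa-only) echo "server-side" ;;
        *)               echo "no-rsa" ;;
    esac
}

diagnose_log "$SAMPLE_LOG"   # prints "server-side" for the sample above
```

To use it on a real session, pipe `ssh -vv user@host 2>&1 </dev/null` into `server_sig_algs`, or capture that output into a variable and hand it to `diagnose_log`.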