Hi, I am having an issue with ssh in Fedora 33.
I have access to several git server using ssh keys, like fedora.
The issue that I have in Fedora 33 (new install) that I do not have in Fedora 32 (that arrived here after successive upgrades) is that the access to git servers does not work in some cases. Interestingly this is not an issue to access to fedora.
In the cases where this fails like to access to bitbucket I get:
$ ssh -Tv git@bitbucket.org ... debug1: Host 'bitbucket.org' is known and matches the RSA host key. debug1: Found key in /home/jamatos/.ssh/known_hosts:26 debug1: rekey out after 134217728 blocks debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: rekey in after 134217728 blocks debug1: Will attempt key: /home/jamatos/.ssh/id_fedora_rsa RSA SHA256:TKEhgKK2scYIBYa9i5h0HJz/R0sU/V95JNVhlfnS5NY explicit agent debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey debug1: Next authentication method: publickey debug1: Offering public key: /home/jamatos/.ssh/id_fedora_rsa RSA SHA256:TKEhgKK2scYIBYa9i5h0HJz/R0sU/V95JNVhlfnS5NY explicit agent debug1: send_pubkey_test: no mutual signature algorithm
as far as I can see in Fedora 32 the last line says that the server has accepted the key.
Is there any change in this regard? The openssh version seems to be the same from Fedora 32... :-(
Best regards,
On Friday, September 11, 2020 10:49:53 AM WEST José Abílio Matos wrote:
Hi,
I am having an issue with ssh in Fedora 33.
I have access to several git server using ssh keys, like fedora.
The issue that I have in Fedora 33 (new install) that I do not have in Fedora 32 (that arrived here after successive upgrades) is that the access to git servers does not work in some cases. Interestingly this is not an issue to access to fedora.
In the cases where this fails like to access to bitbucket I get:
Workaround is to add this line to the client configuration file (~/.ssh/ config): PubkeyAcceptedKeyTypes +rsa-sha2-256,rsa-sha2-512
At least it works now. :-)
On Fri, Sep 11, 2020 at 5:51 AM José Abílio Matos jamatos@fc.up.pt wrote:
I am having an issue with ssh in Fedora 33.
I have access to several git server using ssh keys, like fedora.
The issue that I have in Fedora 33 (new install) that I do not have in Fedora 32 (that arrived here after successive upgrades) is that the access to git servers does not work in some cases. Interestingly this is not an issue to access to fedora.
as far as I can see in Fedora 32 the last line says that the server has accepted the key. Is there any change in this regard? The openssh version seems to be the same from Fedora 32... :-(
Could it be this: https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2
Try running this and see if it fixes the issue: sudo update-crypto-policies --set LEGACY
If it does, the problem could be that your key is too short. You can check that with: ssh-keygen -lf ~/.ssh/id_fedora_rsa
The first field should be at least 2048.
On Friday, September 11, 2020 4:29:20 PM WEST Ben Cotton wrote:
Could it be this: https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2
Try running this and see if it fixes the issue: sudo update-crypto-policies --set LEGACY
If it does, the problem could be that your key is too short. You can check that with: ssh-keygen -lf ~/.ssh/id_fedora_rsa
The first field should be at least 2048.
$ ssh-keygen -lf ~/.ssh/id_fedora_rsa 4096 SHA256:...
The strange thing, at least to me was that it works for me when working with fedora packages, although I had in my ssh configuration the following snippet:
Host *fedorahosted.org *fedorapeople.org pkgs.fedoraproject.org User jamatos ProxyCommand none ForwardAgent no ForwardX11 no Port 22 KeepAlive yes HashKnownHosts no GSSAPIAuthentication no VerifyHostKeyDNS yes IdentityFile ~/.ssh/id_fedora_rsa
As far as I can see this should be unrelated but I honestly do not know.
As I said in the other message of this thread ([Solved]) adding the following line to ~/.ssh/config:
PubkeyAcceptedKeyTypes +rsa-sha2-256,rsa-sha2-512
solved the issue.