Hi.
On Sat, 11 Jun 2022 15:48:56 -0400 Jeffrey Ross via users wrote:
/usr/share/crypto-policies/DEFAULT/opensshserver.txt and add ^ssh-rsa at the beginning of the PubkeyAcceptedAlgorithms list will allow users to log in again, however anytime there is an update to the crypto stuff on the system my change gets wiped out.
So my questions are
- which file should I be updating so my changes aren't removed all the time
Since /etc/ssh/sshd_config finally allows, since Fedora 35, including .conf files under /etc/ssh/sshd_config.d/, I have chosen for that problem to make a:
/etc/ssh/sshd_config.d/20-X.conf
that gets loaded before
/etc/ssh/sshd_config.d/50-redhat.conf
that itself includes: /etc/crypto-policies/back-ends/opensshserver.config
In 20-X.conf:
PubkeyAcceptedAlgorithms +ssh-rsa
You may need also:
# From /etc/crypto-policies/back-ends/opensshserver.config
# then add ,ssh-rsa
# No +PARAM allowed for HostKeyAlgorithms (seems)
HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa
- is adding ^ssh-rsa the best change or is there a better or more
proper one? (I can't get rid of putty, but would like to take the least evil fix)
IMO the only better thing to do is to ask every user to stop using ssh-rsa keys :-(
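Added example (not from the thread): a small POSIX shell helper, effective_pubkey_algs, that mimics how sshd resolves PubkeyAcceptedAlgorithms across sshd_config.d drop-ins, so you can see why a 20-X.conf with "+ssh-rsa" wins over the crypto-policies list pulled in by 50-redhat.conf. It assumes the documented sshd rules (files are included in lexical order, the first value seen for a keyword wins, and a leading "+", "^" or "-" appends to, prepends to or removes from a built-in default list); the default list and the two drop-in files are constructed for the demo.

```shell
#!/bin/sh
# Hypothetical helper, not part of OpenSSH: resolve the effective
# PubkeyAcceptedAlgorithms for a drop-in directory the way sshd does.
#   $1 = directory holding *.conf drop-ins (read in lexical order)
#   $2 = the built-in default list that "+", "^" and "-" operate on
effective_pubkey_algs() {
    dir=$1; default=$2
    for f in "$dir"/*.conf; do            # glob expansion is sorted, like sshd's Include
        [ -f "$f" ] || continue
        # first matching keyword in this file; comment lines start with '#' so $1 never matches
        val=$(awk 'tolower($1)=="pubkeyacceptedalgorithms" {print $2; exit}' "$f")
        [ -n "$val" ] || continue
        case $val in
            +*) echo "$default,${val#+}" ;;                  # append to default
            ^*) echo "${val#^},$default" ;;                  # prepend to default
            -*) echo "$default" | tr ',' '\n' | grep -vxF "${val#-}" | paste -sd, - ;;  # remove
            *)  echo "$val" ;;                               # explicit list replaces default
        esac
        return 0                                             # first obtained value wins
    done
    echo "$default"                                          # nothing set: default applies
}

# Demo: constructed drop-ins reproducing the setup from the mail.
demo() {
    tmp=$(mktemp -d)
    printf 'PubkeyAcceptedAlgorithms +ssh-rsa\n' > "$tmp/20-X.conf"
    # stand-in for 50-redhat.conf including the crypto-policies back-end list
    printf '# From crypto-policies\nPubkeyAcceptedAlgorithms ssh-ed25519,rsa-sha2-512\n' \
        > "$tmp/50-redhat.conf"
    effective_pubkey_algs "$tmp" "ssh-ed25519,rsa-sha2-256"   # constructed default list
    rm -r "$tmp"
}
demo
```

On a real host, confirm what sshd actually ends up with via `sshd -T | grep -i pubkeyacceptedalgorithms` rather than trusting the drop-in alone.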