Hi.
On Sat, 11 Jun 2022 15:48:56 -0400 Jeffrey Ross via users wrote:
> /usr/share/crypto-policies/DEFAULT/opensshserver.txt and add ^ssh-rsa at
> the beginning of the PubkeyAcceptedAlgorithms list will allow users to
> log in again, however anytime there is an update to the crypto stuff on
> the system my change gets wiped out.
>
> So my questions are
>
> 1) which file should I be updating so my changes aren't removed all the time
Since /etc/ssh/sshd_config finally allows, since Fedora 35, including .conf
files under /etc/ssh/sshd_config.d/, I have chosen for that problem to
make a:
/etc/ssh/sshd_config.d/20-X.conf
that gets loaded before
/etc/ssh/sshd_config.d/50-redhat.conf
which itself includes: /etc/crypto-policies/back-ends/opensshserver.config
In 20-X.conf:
PubkeyAcceptedAlgorithms +ssh-rsa
You may also need:
# From /etc/crypto-policies/back-ends/opensshserver.config
# then add ,ssh-rsa
# No +PARAM allowed for HostKeyAlgorithms (it seems)
HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa
> 2) is adding ^ssh-rsa the best change or is there a better or more
> proper one? (I can't get rid of putty, but would like to take the least
> evil fix)
IMO the only better thing to do is to ask every user to stop using
ssh-rsa keys :-(
--
francis
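An added example, not from this thread, that models why the 20-X.conf drop-in wins: sshd expands an Include glob in sorted order and keeps the first value it obtains for each keyword, so this script walks a constructed copy of the layout above and reports the winning PubkeyAcceptedAlgorithms and HostKeyAlgorithms values. It assumes absolute Include paths and no Match blocks, and it only resolves precedence; it does not expand +/^ against sshd's built-in defaults the way sshd itself does.

```shell
#!/bin/sh
# Constructed mini /etc/ssh tree (not a real system) mirroring the layout above.
ROOT=$(mktemp -d); trap 'rm -rf "$ROOT"' EXIT
mkdir -p "$ROOT/etc/ssh/sshd_config.d" "$ROOT/etc/crypto-policies/back-ends"
cat >"$ROOT/etc/ssh/sshd_config" <<EOF
Include $ROOT/etc/ssh/sshd_config.d/*.conf
PermitRootLogin no
EOF
printf 'PubkeyAcceptedAlgorithms +ssh-rsa\n' >"$ROOT/etc/ssh/sshd_config.d/20-X.conf"
printf 'Include %s/etc/crypto-policies/back-ends/opensshserver.config\n' "$ROOT" \
    >"$ROOT/etc/ssh/sshd_config.d/50-redhat.conf"
cat >"$ROOT/etc/crypto-policies/back-ends/opensshserver.config" <<'EOF'
PubkeyAcceptedAlgorithms ssh-ed25519,rsa-sha2-256,rsa-sha2-512
HostKeyAlgorithms ssh-ed25519,rsa-sha2-256,rsa-sha2-512
EOF

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }   # sshd keywords are case-insensitive

# Emit "keyword value" lines in the order sshd reads them, descending into
# Include directives; a glob in Include expands in sorted (glob(3)) order.
walk_config() {
    while read -r key rest; do
        case "$key" in ''|'#'*) continue ;; esac
        if [ "$(lc "$key")" = include ]; then
            for f in $rest; do [ -f "$f" ] && walk_config "$f"; done
        else
            printf '%s %s\n' "$(lc "$key")" "$rest"
        fi
    done <"$1"
}

# sshd keeps the first value obtained for a keyword and ignores later ones,
# which is why a 20-*.conf drop-in beats 50-redhat.conf and what it includes.
first_value() {  # $1 = top-level sshd_config, $2 = keyword (any case)
    walk_config "$1" | awk -v k="$(lc "$2")" '$1 == k && !hit { hit = 1; $1 = ""; sub(/^ /, ""); print }'
}

# Succeeds when the winning value keeps ssh-rsa (listed, appended with + or
# prepended with ^); a "-ssh-rsa" removal or an absent entry fails.
ssh_rsa_enabled() {
    case ",$(first_value "$1" "$2")," in
        *,ssh-rsa,*|*,+ssh-rsa,*|*,^ssh-rsa,*) return 0 ;;
        *) return 1 ;;
    esac
}

echo "PubkeyAcceptedAlgorithms -> $(first_value "$ROOT/etc/ssh/sshd_config" PubkeyAcceptedAlgorithms)"
echo "HostKeyAlgorithms        -> $(first_value "$ROOT/etc/ssh/sshd_config" HostKeyAlgorithms)"
```

On a live host, `sshd -T` prints the configuration sshd actually resolved, which is the thing to check after editing a drop-in.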