I keep running into an issue with PuTTY users logging into the system (Fedora 35). I found that if I edit
/usr/share/crypto-policies/DEFAULT/opensshserver.txt and add ^ssh-rsa at the beginning of the PubkeyAcceptedAlgorithms list, users can log in again; however, any time there is an update to the crypto stuff on the system my change gets wiped out.
So my questions are: 1) which file should I be updating so my changes aren't removed all the time, and 2) is adding ^ssh-rsa the best change, or is there a better or more proper one? (I can't get rid of PuTTY, but would like to take the least evil fix.)
Thanks, Jeff
On Sat, 2022-06-11 at 15:48 -0400, Jeffrey Ross via users wrote:
I keep running into an issue with PuTTY users logging into the system (Fedora 35). I found that if I edit
/usr/share/crypto-policies/DEFAULT/opensshserver.txt and add ^ssh-rsa at the beginning of the PubkeyAcceptedAlgorithms list, users can log in again; however, any time there is an update to the crypto stuff on the system my change gets wiped out.
So my questions are
1) which file should I be updating so my changes aren't removed all the time
2) is adding ^ssh-rsa the best change, or is there a better or more proper one? (I can't get rid of PuTTY, but would like to take the least evil fix.)
There should be an /etc file that you can customise. Files outside of there (like inside /usr) will be managed by package installations themselves, as you've found out.
If there isn't an /etc file, it's probably looking for one and using a default /usr... one when it doesn't succeed.
Hi.
On Sat, 11 Jun 2022 15:48:56 -0400 Jeffrey Ross via users wrote:
/usr/share/crypto-policies/DEFAULT/opensshserver.txt and add ^ssh-rsa at the beginning of the PubkeyAcceptedAlgorithms list, users can log in again; however, any time there is an update to the crypto stuff on the system my change gets wiped out.
So my questions are
- which file should I be updating so my changes aren't removed all the time
Since /etc/ssh/sshd_config finally allows, as of Fedora 35, including .conf files under /etc/ssh/sshd_config.d/, I have chosen, for that problem, to make a:
/etc/ssh/sshd_config.d/20-X.conf
that gets loaded before
/etc/ssh/sshd_config.d/50-redhat.conf
which itself includes: /etc/crypto-policies/back-ends/opensshserver.config
In 20-X.conf:
PubkeyAcceptedAlgorithms +ssh-rsa
You may need also:
# From /etc/crypto-policies/back-ends/opensshserver.config
# then add ,ssh-rsa
# No +PARAM allowed for HostKeyAlgorithms (seems)
HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa
- is adding ^ssh-rsa the best change or is there a better or more proper one? (I can't get rid of putty, but would like to take the least evil fix)
IMO the only better thing to do is to ask every user to stop using ssh-rsa keys :-(
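The drop-in approach from the reply above, as an added example that is not code from the thread: it stages /etc/ssh/sshd_config.d/20-X.conf in a scratch directory, checks that it sorts before 50-redhat.conf (sshd keeps the first value it reads for a keyword, and the Include glob is expanded in sorted order, so a file named 60-X.conf would silently lose), and checks that it touches only PubkeyAcceptedAlgorithms, which is the narrower of the two fixes. Two caveats worth having in the file itself: "ssh-rsa" names the SHA-1 signature scheme, not RSA keys in general, so RSA keys already work through rsa-sha2-256/rsa-sha2-512 for clients that offer them and only clients lacking those schemes need this; and "+ssh-rsa" appends to sshd's built-in default list, not to the crypto-policies list in 50-redhat.conf, which this file overrides entirely. The scratch directory, the stub 50-redhat.conf and the optional sshd dry run are assumptions so the script runs without touching the real system.

```sh
#!/bin/sh
# Added example, not code from the thread: stage the sshd_config.d drop-in
# in a scratch directory and check it before copying it to
# /etc/ssh/sshd_config.d/. File names are the Fedora ones from the thread;
# the scratch directory and the stub 50-redhat.conf are assumptions.

# Write 20-X.conf into the directory given as $1 and print its path.
write_dropin() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/20-X.conf" <<'EOF'
# Re-enable the SHA-1 "ssh-rsa" signature scheme for user public keys.
# sshd keeps the first value it reads for a keyword, so this file (sorted
# before 50-redhat.conf) wins. "+ssh-rsa" means sshd's built-in default
# list plus ssh-rsa, not the crypto-policies list plus ssh-rsa.
PubkeyAcceptedAlgorithms +ssh-rsa
EOF
    echo "$dir/20-X.conf"
}

# Return 0 if 20-X.conf sorts before 50-redhat.conf in $1. The Include
# glob in sshd_config is expanded in sorted order, which is what makes the
# override work at all.
check_order() {
    dir="$1"
    first=""
    for f in "$dir"/*.conf; do
        name=$(basename "$f")
        if [ "$name" = "20-X.conf" ] || [ "$name" = "50-redhat.conf" ]; then
            if [ -z "$first" ]; then
                first="$name"
            fi
        fi
    done
    [ "$first" = "20-X.conf" ]
}

# Return 0 if the drop-in re-enables ssh-rsa for user keys only and does
# not also widen HostKeyAlgorithms.
dropin_is_pubkey_only() {
    f="$1"
    grep -q '^PubkeyAcceptedAlgorithms +ssh-rsa$' "$f" &&
        ! grep -q '^HostKeyAlgorithms' "$f"
}

# Optional dry run: have sshd parse a scratch main config that includes the
# scratch drop-in directory and print the effective value. Needs sshd on
# PATH and readable host keys (usually root); skipped otherwise.
show_effective() {
    dir="$1"
    if ! command -v sshd >/dev/null 2>&1; then
        echo "sshd not on PATH, skipping dry run"
        return 0
    fi
    cfg="$dir/sshd_config.scratch"
    printf 'Include %s/*.conf\n' "$dir" > "$cfg"
    sshd -T -f "$cfg" 2>/dev/null | grep -i '^pubkeyacceptedalgorithms' || true
}

# Stand-alone run: stage, check, show the file, clean up.
scratch=$(mktemp -d)
# Constructed stub standing in for Fedora's real 50-redhat.conf.
printf 'Include /etc/crypto-policies/back-ends/opensshserver.config\n' \
    > "$scratch/50-redhat.conf"
dropin=$(write_dropin "$scratch")
check_order "$scratch" && echo "ordering ok: 20-X.conf is read before 50-redhat.conf"
dropin_is_pubkey_only "$dropin" && echo "scope ok: user keys only, host key algorithms untouched"
cat "$dropin"
show_effective "$scratch"
rm -rf "$scratch"
```

Once the staged file looks right, copy it into /etc/ssh/sshd_config.d/, run `sshd -t` as root to syntax-check the live configuration, and restart sshd; because the file lives under /etc it survives crypto-policies package updates, which is what the original question was about.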