On Sun, 20 Sep 2020 at 13:12, Pavel Raiskup <prais...@redhat.com> wrote:

> After upgrade of one of my servers to F33, I noticed that I can not ssh to
> one of my other servers running Debian 9 system (relatively freshly EOLed,
> I need to do something about it).  On F33 I always need to:
>
>      $ ssh -oPubkeyAcceptedKeyTypes=+ssh-rsa user@debian-9-host
>
> The changes in Fedora packages led me to:
>
>
> https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/b298a9e1
>
> Which led me to:
>
>     https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2
>
> I'm curious about the effects of the change.  It claims that RSA 2048 >=
> should stay accepted by DEFAULT, and from what I can tell the host server key
> seems to be RSA 2048 (at least that's what is generated by default on Debian 9):
>
>     $ ssh-keygen -l -f ssh_host_rsa_key.pub
>     2048 SHA256:<...> root@debian-9-host (RSA)
>
> Can anyone translate to me if this is really expected or a bug?  Effect is
> that Fedora 33 clients can not ssh to Debian 9 hosts by default (I'm not sure
> about the supported Debian 10, and the key quality there).
>
>
My guess looking at the changes is that it is not key length which is
causing problems but with the SHA used in the key to verify it.

From the Cygwin manpage I am looking at:

The available RSA signature variants are “ssh-rsa” (SHA1 signatures, not
recommended), “rsa-sha2-256”, and “rsa-sha2-512” (the default).

I am guessing this key was generated with the older ssh-rsa and so the new
boxes won't work unless you force it. I would regenerate the key with a
newer sig :).


> Pavel
>
>
> _______________________________________________
> devel mailing list -- devel@lists.fedoraproject.org
> To unsubscribe send an email to devel-le...@lists.fedoraproject.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
>


-- 
Stephen J Smoogen.
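
Added example (not part of either message above, and not Fedora or OpenSSH code): a parser for an OpenSSH RSA public key line that reports what `ssh-keygen -l` reports (size and SHA256 fingerprint), plus the three RSA signature algorithm names quoted from the manpage, which per RFC 8332 all use the same "ssh-rsa" public key format. The key line is constructed from a made-up modulus and the function names are hypothetical.

```python
import base64
import hashlib
import struct

# Signature algorithm names quoted in the thread; all use the "ssh-rsa" key format (RFC 8332).
RSA_SIGNATURE_ALGORITHMS = {"ssh-rsa": "SHA-1", "rsa-sha2-256": "SHA-256", "rsa-sha2-512": "SHA-512"}

def _string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def _mpint(value: int) -> bytes:
    """SSH wire 'mpint' for a positive integer (a leading zero byte keeps it positive)."""
    return _string(value.to_bytes(value.bit_length() // 8 + 1, "big"))

def make_constructed_key_line(bits: int = 2048) -> str:
    """Build a public key line from a made-up modulus (constructed sample, not a usable key)."""
    n = (1 << (bits - 1)) | int.from_bytes(hashlib.sha512(b"constructed").digest(), "big") | 1
    blob = _string(b"ssh-rsa") + _mpint(65537) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " root@debian-9-host"

def inspect_public_key(line: str) -> dict:
    """Parse one OpenSSH RSA public key line: key format, modulus size, fingerprint."""
    declared_type, b64, *_comment = line.split()
    blob = base64.b64decode(b64, validate=True)
    fields, offset = [], 0
    while offset < len(blob):
        if offset + 4 > len(blob):
            raise ValueError("truncated length field")
        (length,) = struct.unpack_from(">I", blob, offset)
        offset += 4
        if offset + length > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[offset:offset + length])
        offset += length
    # An RSA public key blob is exactly: format name, exponent e, modulus n.
    if len(fields) != 3 or fields[0] != b"ssh-rsa" or declared_type != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key")
    digest = hashlib.sha256(blob).digest()
    return {
        "key_format": fields[0].decode(),
        "bits": int.from_bytes(fields[2], "big").bit_length(),
        "fingerprint": "SHA256:" + base64.b64encode(digest).decode().rstrip("="),
        # The blob names no hash; the hash is named by the signature algorithm.
        "signature_algorithms": sorted(RSA_SIGNATURE_ALGORITHMS),
    }

if __name__ == "__main__":
    print(inspect_public_key(make_constructed_key_line()))
```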
