tg123/sshpiper

Old crypto. algorithms required (ssh-rsa with sha1)

vholer opened this issue · 2 comments

It looks to me like sshpiper relies on old SSH public key crypto algorithms, which are/might be already disabled in current distributions:

E.g.,

$ ssh app1@localhost -p 2222 -vvv
...
debug1: Offering public key: /root/.ssh/id_rsa RSA SHA256:XXX
debug1: send_pubkey_test: no mutual signature algorithm
...
debug1: No more authentication methods to try.
app1@localhost: Permission denied (publickey).

When I enable the old ssh-rsa key types, it works:

$ ssh app1@localhost -p 2222 -o 'PubkeyAcceptedKeyTypes +ssh-rsa' -vvv
...
debug1: Offering public key: /root/.ssh/id_rsa RSA SHA256:XXX
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /root/.ssh/id_rsa RSA SHA256:XXX
...
app1-65fbd646-ln74g:~$ 

Since OpenSSH 8.2 (02/2020) the ssh-rsa is disabled. https://www.openssh.com/txt/release-8.2

tg123 commented

same as in #80 ?

tg123 commented

this is a client side behavior
ssh blocked ssh-rsa and did not even send anything to server

however, sshpiper is not blocking rsa at the moment
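
Added example, not part of the issue thread or the sshpiper project: a small triage of `ssh -vvv` output that separates a key the client refused locally (no authentication request sent) from one that reached the server. The sample logs are the lines quoted in the issue with the `...` elisions dropped; the function name `triage` and the outcome labels are illustrative, and the handling of packet type 51 (SSH_MSG_USERAUTH_FAILURE) goes beyond what the issue output shows.

```python
import re

# Lines copied from the two ssh -vvv runs quoted in the issue (elisions dropped).
FAILED_RUN = """\
debug1: Offering public key: /root/.ssh/id_rsa RSA SHA256:XXX
debug1: send_pubkey_test: no mutual signature algorithm
debug1: No more authentication methods to try.
app1@localhost: Permission denied (publickey).
"""
WORKING_RUN = """\
debug1: Offering public key: /root/.ssh/id_rsa RSA SHA256:XXX
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /root/.ssh/id_rsa RSA SHA256:XXX
"""

OFFER = re.compile(r"debug1: Offering public key: (\S+) (\S+)")


def triage(log: str) -> list[dict]:
    """Return one record per offered key with the outcome seen in the log."""
    keys, cur = [], None
    for line in log.splitlines():
        m = OFFER.search(line)
        if m:
            cur = {"path": m[1], "type": m[2], "sent": False, "outcome": "unknown"}
            keys.append(cur)
        elif cur is None:
            continue  # ignore everything before the first key offer
        elif "send_pubkey_test: no mutual signature algorithm" in line:
            cur["outcome"] = "client-refused"   # nothing was sent for this key
        elif "send packet: type 50" in line:
            cur["sent"] = True                  # SSH_MSG_USERAUTH_REQUEST
        elif "Server accepts key:" in line:
            cur["outcome"] = "server-accepted"
        elif "receive packet: type 51" in line and cur["sent"]:
            cur["outcome"] = "server-rejected"  # SSH_MSG_USERAUTH_FAILURE
    return keys


if __name__ == "__main__":
    for name, log in (("failed", FAILED_RUN), ("working", WORKING_RUN)):
        for k in triage(log):
            print(name, k["path"], k["type"], f"sent={k['sent']}", k["outcome"])
```

A `client-refused` record with `sent` false means the fix lies in the client's accepted signature algorithms or in what the server advertises, not in the server's authorized keys.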