The "ssh-rsa" signature type is now disabled by default
Posted on 2021-10-17 20:19:00 from Vincent in OpenBSD
The latest changes in ssh reject ssh-rsa.
Introduction
As stated many years ago, RSA/SHA1 is weak and should not be used.
In OpenBSD 7.0, released on October 14th 2021, the latest version of OpenSSH removes this weak signature algorithm from the default configuration.
This removal was announced on the mailing list on August 30, 2021.
Several articles point out that SHA-1 is not generally broken for every kind of use case. However, it is considered to provide insufficient protection against collision attacks, which makes it unsuitable as a signature algorithm, for example in certificates.
Moreover, the US government's National Institute of Standards and Technology (NIST) said it should not be trusted beyond January 2014 (here).
Issue
I have a stupid/simple Android device taking pictures every 30 minutes. To catch those pictures, I am using the application called Primitive ftpd.
Since the last release of OpenBSD I receive this error:
99%obsd:~/temp $ sftp -P 6922 vi@192.168.3.59
Unable to negotiate with 192.168.3.59 port 6922: no matching host key type found. Their offer: ssh-rsa
Connection closed
Solution
To solve this for a specific machine, you can adapt your ~/.ssh/config file like this:
Host 192.168.3.59
    Hostname 192.168.3.59
    HostKeyAlgorithms=+ssh-rsa
By doing so, you re-enable the ssh-rsa host key algorithm for this machine only; the default still applies to every other host.
Then your ssh, sftp or scp commands will work as before.
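Because the exception is only safe while it stays limited to the hosts that need it, it helps to audit the config from time to time. The script below is an added example, not part of the original post: it lists every place a client config re-enables ssh-rsa and flags entries that are global or use wildcards. The function names and the sample `Host *` stanza are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post: report where an ssh_config file
# re-enables the SHA-1 "ssh-rsa" signature type and how wide the exception is.

# audit_ssh_rsa FILE  (hypothetical helper name)
# Prints "<scoped|broad> <line-no> <keyword> <Host/Match scope>" per finding.
audit_ssh_rsa() {
    awk '
    BEGIN { scope = "(global)" }  # options before the first Host apply to all
    {
        line = $0
        gsub(/^[ \t]+|[ \t]+$/, "", line)
        if (line == "" || line ~ /^#/) next
        # "Keyword value" and "Keyword=value" are both accepted by ssh
        gsub(/[ \t]*=[ \t]*|[ \t]+/, " ", line)
        split(line, f, " ")
        key = tolower(f[1])
        if (key == "host" || key == "match") {
            scope = substr(line, length(f[1]) + 2)
            if (key == "match") scope = "match " scope
            next
        }
        if (key != "hostkeyalgorithms" && key != "pubkeyacceptedalgorithms") next
        list = f[2]
        if (list ~ /^-/) next       # a leading "-" removes algorithms
        sub(/^[+^]/, "", list)      # "+" appends to, "^" prepends to the defaults
        m = split(list, alg, ",")
        for (i = 1; i <= m; i++) if (alg[i] == "ssh-rsa") {
            wide = (scope == "(global)" || scope ~ /[*?]/ || scope == "match all")
            printf "%s %d %s %s\n", (wide ? "broad" : "scoped"), NR, f[1], scope
        }
    }' "$1"
}

# Constructed sample: the per-host stanza from the article plus a "Host *" one.
sample_config() {
    cat <<'EOF'
Host 192.168.3.59
    Hostname 192.168.3.59
    HostKeyAlgorithms=+ssh-rsa

Host *
    PubkeyAcceptedAlgorithms +ssh-rsa,ssh-ed25519
    HostKeyAlgorithms -ssh-dss
EOF
}

tmp=$(mktemp) && sample_config > "$tmp" && audit_ssh_rsa "$tmp"; rm -f "$tmp"
```

Run it against your own file with `audit_ssh_rsa ~/.ssh/config`; any line reported as `broad` re-enables ssh-rsa for more than the intended machine.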